How to make GET safe

Hello,

a lot of programmers, especially new ones, use the GET method for links…etc

but this can result in a lot of security issues.

How do you secure the information that the browser sends to the script?

Thanks

Same as you would for POST. Validate the data. If a variable doesn’t contain a valid value then throw an error.

No sensitive data in URL, or GET, it has to just contain cat_id=3, action=delete kind of thing!

you mean using Regular Expressions to limit the information that the script gets from the browser?

care to give a few examples :slight_smile: for myself and newbies

That will vary depending on what you are expecting. If you are expecting a variable to contain only numbers, cast it to an integer and then validate that it is in the bounds that you are expecting. If it is a string that should be no longer than 10 characters, use substr to remove anything over 10 characters. If a variable should have only a few possible values, make sure that it contains only one of those possible values. Etc…

Also you can use different forms of duplex (that will allow decoding) encodings, like base64. But you must always do GET parameter checks (those you are using) - on every page. And be careful. Site visitors are very curious people :slight_smile:

Rule #1: Never trust user input.

A practical example that I use a lot:

// initialize page variable
$page = (!empty($_GET['page'])) ? $_GET['page'] : 'home';

// pick a page
switch ($page) {

  case 'home': /* home page stuff */ break;
  case 'products': /* */ break;
  case 'about-us': /* */ break;

  // don't accept any other values
  default: /* error 404 for example */
}

Nice thanks all,

different ways to solve a problem. I think that’s what makes the difference between the good programmers and the beginner ones.

Keep the ways coming, it’s good for a person like me to see these solutions; it will expose me to the possibilities of finding different approaches to solve problems, as well as for whoever is just starting the road to the PHP world of programming to have an idea of the possibilities, better than a lot of tutorials online that still teach the old and the same methods of connecting to the DB without considering that there are beginners who do not understand the security issues in following such tutorials (no offence to the owners :slight_smile: )

thanks, more if you may please

thanks, new approach for me.

An easy way to validate your data for integers:

if(isset($_GET['a']) and ctype_digit((string)$_GET['a'])){
   // OK, all digits
}else{
   // contains non-numeric characters.
}

You could also try this, although it’s slower:

// strip every non-digit character; the @ silences the notice when 'a' is absent
$a = preg_replace('/\D/', '', @$_GET['a']);

if($a != ''){
   // numbers only
}else{
   // no numbers at all.
}

Watch out for the @ in the second example so you don’t throw a warning if there’s no $_GET['a'].

any good source for regular expressions? I’m bad at them; from my understanding this means

[a-zA-Z0-9]+$

letters, upper and lower, allowed as well as numbers and spaces. (I think)

reliable sources please. any?
or maybe a tool ?
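An added example (my own code, not from any poster in this thread) that puts the advice above into one place: an integer cast and bounded, a string cut to a maximum length, the alphanumeric pattern just discussed, and a fixed set of allowed values, each returning null when the parameter is absent or invalid. Function names, parameter names, the limits and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. One validator per kind of GET
// parameter; names, limits and sample values are assumptions.
// Integer within [$min, $max]; null if missing, non-numeric or out of range.
// filter_var rejects "3abc" and "1e3", which a plain (int) cast would accept.
function getInt(array $params, string $name, int $min, int $max): ?int
{
    if (!isset($params[$name]) || is_array($params[$name])) {
        return null;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// Trimmed string cut to $maxLen characters (multibyte-safe); null if missing.
function getString(array $params, string $name, int $maxLen): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    return mb_substr(trim($params[$name]), 0, $maxLen);
}

// Letters and digits only. The D modifier makes $ match only at the very end,
// so "abc\n" is rejected too; without it, $ also matches before a final newline.
function getAlnum(array $params, string $name): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])
        || !preg_match('/^[a-zA-Z0-9]+$/D', $params[$name])) {
        return null;
    }
    return $params[$name];
}

// One of a fixed set of values, strict comparison; otherwise the default.
function getEnum(array $params, string $name, array $allowed, string $default): string
{
    if (isset($params[$name]) && is_string($params[$name])
        && in_array($params[$name], $allowed, true)) {
        return $params[$name];
    }
    return $default;
}

// Constructed sample query, standing in for $_GET.
$get = ['cat_id' => '3', 'q' => '  a long search string  ', 'code' => "abc\n", 'action' => 'drop'];
var_dump(getInt($get, 'cat_id', 1, 1000), getString($get, 'q', 10), getAlnum($get, 'code'),
         getEnum($get, 'action', ['view', 'edit', 'delete'], 'view'));
```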

I wonder…

Is there any way to pass a variable from one page to another without $_GET, or using a form?

I mean it would be cool to have a code like this


<?php
$foo = 'bar';
echo "<a href=\"";
$_PASS['$foo']TO['page.php']; // imaginary syntax, not real PHP
echo "\">click</a>";
?>

which would give out the HTML:

<a href="page.php">

I think that would be handy for the next php version.

gdtrfb - why do that when you can simply do:


// empty() only accepts variables, not function results, so empty(intval(...)) is a parse error
if (!isset($_REQUEST['var']) || intval($_REQUEST['var']) === 0) {
  // bad
} else {
  // good
}

http://uk.php.net/manual/en/features.sessions.php

Mmmmm, intval(). Never used it. Looks like I’ll start. Anything for cleaner code!

Very useful function. If you pass a numeric ID via $_GET, for example, you could completely clean it like this:

// cast to integer first (non-numeric strings become 0), then drop the sign
$id = isset($_GET['id']) ? abs((int) $_GET['id']) : 0;


AMIN

from PHP.net

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

so how would that work with URLs and passing variables in the URLs, especially links?!!

I love using the URL as a source for variables. I’m just really careful about filtering and validating, but it makes for an essentially error-free website experience for the user and safe one for the developer.

I use a combination of the PathVars class[1], the Dispatch method[2], htaccess[3], a CleanVar[4] function, and filtering, filtering and more filtering[5].

- I use an htaccess page to route all requests to the dispatch.php page.
- I use the dispatch page to retrieve a variable from a specific segment or “path” of the URL and I use that variable as a “switch” to include the page I want to serve.
- On the served page (let’s say a products page), I check the URL again for a “PathVar”, filter it, escape it, put it in a $clean[] array, and check the value in the database; if it’s valid, deliver, for example, the specific product page, if not, tell the visitor, “Sorry, no products were found.”

I do the same thing for a shopping cart. If I’m expecting a number in the URL path variable (i.e. quantity), I actually strval(intval()) it (http://us3.php.net/manual/en/function.intval.php), then CleanVar() it (essentially mysql_real_escape_string(), http://us3.php.net/manual/en/function.mysql-real-escape-string.php), before I enter it into my shopping cart table along with the session.

I used this method for thetraits.org. For example, notice that…
http://www.thetraits.org/products/see/16128

…gets you to the product detail page for Wee Can Write, but adding nonsense to the end of the url (where the ID # is expected) will get you “Sorry no products were found” instead of a 404 “Page Not Found” error.
http://www.thetraits.org/products/see/dasdfiudf

But I’m rambling. Here are the resources I got these ideas from:
[1,2] PathVars class - The PHP Anthology by Harry Fuecks (Sitepoint), chapter 9, “Web Page Elements”, section, “How do I make “search engine friendly” URLs in PHP?”

[2] I use the .htaccess to route requests to the appropriate dispatch page. There’s an example in the chapter cited above.

[3] The CleanVar function came from somewhere in this forum, if I recall.

function safeEscapeString($string)
{
    // With magic_quotes_gpc on, PHP has already backslash-escaped GPC input,
    // so escaping again would double the backslashes.
    // (get_magic_quotes_gpc() and the mysql_* functions no longer exist in PHP 7+.)
    if (get_magic_quotes_gpc()) {
        return $string;
    } else {
        return mysql_real_escape_string($string);
    }
}

function cleanVar($string)
{
    $string = trim($string);
    $string = safeEscapeString($string);
    $string = htmlentities($string);
    return $string;
}

[4] There have already been some good examples of filtering in this thread. Mostly the initial idea for most of my filters comes from Chris Shiflett’s PHP Security handbook that was passed out at his workshop at OSCON 2004 and now has been published as a book. You can find some code examples at the book’s site here:
http://phpsecurity.org/code

Also, since we’re kinda on the subject, another good resource on security is David Sklar on “PHP and the OWASP Top Ten Security Vulnerabilities”
http://www.sklar.com/page/article/owasp-top-ten

I will now cease rambling. :slight_smile:
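To show the dispatch/PathVar approach above end to end, an added example (my own code, not the PathVars or CleanVar code the post cites): the product ID is read from a URL segment, validated as a positive integer, and passed to a prepared statement instead of being escaped, so a bad ID on a known route gives the “no products were found” message while an unknown route gives a 404. The in-memory SQLite table, the route and the function names are assumptions.

```php
<?php
// Added example, not the PathVars/CleanVar code the post cites. An in-memory
// SQLite table, the route and the function names are assumptions.

// Split the request path into non-empty segments: "/products/see/16128"
// becomes ['products', 'see', '16128'].
function pathSegments(string $uri): array
{
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    return array_values(array_filter(explode('/', $path), 'strlen'));
}

// Look up a product by the raw URL segment. Only a positive integer is ever
// sent to the database, and it goes through a bound parameter, not escaping.
function findProduct(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Route on fixed segments; an unknown route is a real 404, while a bad or
// unknown ID on a known route gets the friendlier "no products" message.
function dispatch(PDO $db, string $uri): string
{
    $seg = pathSegments($uri);
    if (count($seg) === 3 && $seg[0] === 'products' && $seg[1] === 'see') {
        $product = findProduct($db, $seg[2]);
        return $product === null
            ? 'Sorry, no products were found.'
            : 'Product: ' . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
    }
    return '404 Page Not Found';
}

// Constructed fixture with one product.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (16128, 'Wee Can Write')");

foreach (['/products/see/16128', '/products/see/dasdfiudf', '/products/see/-1', '/nope'] as $uri) {
    echo $uri, ' => ', dispatch($db, $uri), PHP_EOL;
}
```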