How to make GET safe

Always validate any data that comes into your server, whether it's GET, POST, COOKIE or whatever.

If you know the _GET will be numbers, the easiest way to “sterilize” it would be to use (int)

eg


$foo = (int) $_GET['foo'];

Point is that you must handle all events if you want to be safe. Now we have a problem to catch all events but that is another story …

You should always use error checking for your $_GET variables. It could be something as simple as this:


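// fall back to an empty string when the parameter is missing
$variable = isset($_GET['variable']) ? $_GET['variable'] : '';

if ($variable === 'category1') {
    echo "<p>some text</p>";
} else {
    echo "<p>You broke the Internet.</p>";
}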

or, you could use ereg and eregi expressions to check if the variable contains only text (for example).
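An added example, not part of the original posts: the two checks discussed above (a numeric parameter and a parameter limited to known strings), written so that unexpected input is rejected rather than coerced. The helper names `get_int` and `get_choice` and the sample query strings are constructed for illustration.

```php
<?php
// Added example; get_int() and get_choice() are hypothetical helper names.
// Background: (int) '42abc' gives 42 and (int) 'abc' gives 0, so a cast
// alone accepts malformed input. The helpers below reject it instead.

// Returns the integer if $raw is a whole number in [$min, $max], else null.
function get_int($raw, $min, $max) {
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min, 'max_range' => $max)));
    return $value === false ? null : $value;
}

// Returns $raw only if it is exactly one of the allowed strings, else null.
function get_choice($raw, array $allowed) {
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : null;
}

// Constructed sample query strings, parsed the same way PHP fills $_GET.
$samples = array(
    'foo=42&variable=category1',    // well formed
    'foo=42abc&variable=category9', // trailing junk, unknown category
    'foo[]=1&variable[]=x',         // arrays where scalars are expected
    '',                             // parameters missing entirely
);
foreach ($samples as $qs) {
    parse_str($qs, $get);
    $foo = get_int(isset($get['foo']) ? $get['foo'] : null, 1, 1000000);
    $cat = get_choice(isset($get['variable']) ? $get['variable'] : null,
                      array('category1', 'category2'));
    printf("%-30s foo=%s variable=%s\n", $qs === '' ? '(empty)' : $qs,
           var_export($foo, true), var_export($cat, true));
}
```

A `null` result means the request should be refused or answered with a default, never passed on as-is.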

Very informative and good links
am bookmarking this thread.

Thanks

I think you have to do
1- input validation for example

$string_var = mysql_escape_string($string);
$integer_var = (int) $integer_var;

2- check if the data is what you expect from the user, and you have to check if the user has the permission to do this operation, for example if you have in the URL
?playlist_id=1000&action=delete

you have to check that the current user owns the playlist whose id=1000

3- and maybe you do some URL encoding; I think the data will not be safe but maybe more ambiguous

I hope I helped you.

send the data in encrypted format and on second page decrypt the same data.

Ever heard of session variables?


<?php
session_start();

$_SESSION['link'] = "home.php";


//in some other page ...
$href="<a href='".$_SESSION['link']."'> link </a>";

echo $href;
//and when you are finished with the variable

unset($_SESSION['link']);

//or

session_destroy();


What is the use of this, Brian-X? He asked about the GET variable, not an alternative solution. And how will you pass the data from the user to the session? I think you have to validate the input data before you store it in the session (it's called depth validation security); that depends on the source of the data that you want to store in the session.

My solution was to include Daniel Morris’ “PHP Input Filter” class, instantiate it, then clean all incoming data; therefore automatically cleaning anything that comes in without me having to do anything.

Here we go;


// @requires input filter class
include( dirname(__FILE__) . '/class.inputfilter.php' );

// @instantiate new customised filter object
$myFilter	= new InputFilter(array(), array(), 1, 1);

/*
	Clean Incoming Data
*/

// get incoming data
   $_GET		= clean($_GET);
   $_POST		= clean($_POST);
   $_COOKIE		= clean($_COOKIE);
   $_FILES		= clean($_FILES);
   $_ENV		= clean($_ENV);
   $_SERVER		= clean($_SERVER);
   // $_SESSION is not included, because for some reason it craps out.

// function to recursively clean data
function clean( $data ) {
	// @instantiate new customised filter object
	$myFilter = new InputFilter(array(), array(), 1, 1);

	foreach ($data as $key => $val) {
		if (is_array($val)) {
			// recurse so arrays nested at any depth are cleaned
			$data[$key] = clean($val);
		} else {
			$data[$key] = trim(strip_tags($val));
			$data[$key] = trim($myFilter->process($data[$key]));
		} // end if
	} // next

	// @return data
	return $data;
} // end function


I found it works fine, but it may not solve your particular problem.

You shouldn’t be using GET to destroy data, you should be using POST (OK, in an ideal world where all HTTP verbs were supported by browsers, you should use DELETE but they don’t).

Use a token: action.php?id=4&token=differentforeachuser

Save the token in the $_SESSION, check on submission.
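An added example, not part of the original posts, combining three pieces of advice from this thread: destructive actions over POST only, a per-session token checked on submission, and the ownership check on `playlist_id`. It sends the token in the POST body rather than the URL; the helper names, the `$session` array standing in for `$_SESSION` and the `$owners` map standing in for a database lookup are all assumptions.

```php
<?php
// Added example; helper names are hypothetical. $session stands in for
// $_SESSION and $owners (playlist id => owner user id) for a database lookup.

function issue_token(array &$session) {
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32)); // random_bytes needs PHP 7+
    }
    return $session['token']; // embed this in a hidden form field
}

function may_delete($method, array $post, array $session, array $owners) {
    // 1. Destructive actions are accepted over POST only.
    if ($method !== 'POST') {
        return 'rejected: use POST';
    }
    // 2. The submitted token must match the one stored in the session.
    $sent = (isset($post['token']) && is_string($post['token'])) ? $post['token'] : '';
    if (empty($session['token']) || !hash_equals($session['token'], $sent)) {
        return 'rejected: bad token';
    }
    // 3. The id must be an integer naming a playlist the current user owns.
    $uid = isset($session['user_id']) ? $session['user_id'] : null;
    $id  = filter_var(isset($post['playlist_id']) ? $post['playlist_id'] : null,
                      FILTER_VALIDATE_INT);
    if ($id === false || !isset($owners[$id]) || $owners[$id] !== $uid) {
        return 'rejected: not your playlist';
    }
    return 'ok: delete playlist ' . $id;
}

// Constructed demo data: user 7 is logged in and owns playlist 1000 only.
$session = array('user_id' => 7);
$token   = issue_token($session);
$owners  = array(1000 => 7, 1001 => 8);
$cases   = array(
    array('GET',  array('playlist_id' => '1000', 'token' => $token)),
    array('POST', array('playlist_id' => '1000', 'token' => 'guess')),
    array('POST', array('playlist_id' => '1001', 'token' => $token)),
    array('POST', array('playlist_id' => '1000', 'token' => $token)),
);
foreach ($cases as $c) {
    echo $c[0], ' ', $c[1]['playlist_id'], ' => ',
         may_delete($c[0], $c[1], $session, $owners), "\n";
}
```

Only the last case is allowed; the first three are refused at the method, token and ownership checks respectively.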

it does give me an idea how to go about it.

thanks for the input.

i good option by wiskers

Very informative thread.
However, none of the gurus here have mentioned why someone should validate
sending variables and strings using GET and validating the GET against what types of security threats?

Any members care to list some threats associated with using GET without validating it, and maybe a solution for that particular threat (I guess then it can be summarized to an article) :slight_smile: ?

you are welcome hisham777,

And about the session: to save the data in the session you must make a GET or POST at least 1 time, or use AJAX that uses either GET or POST, because the session is server side.

And also there is no difference between POST and GET; the methods are the same and use clear text. You can capture the data using Live HTTP Headers http://livehttpheaders.mozdev.org/

regards all,

I think something like malicious code, for example if you have url =

 ?mypage.php?name=hafez&pass=mypass

in GET or in POST, not important, and you don't run input validation, maybe someone can do something like that:

 ?mypage.php?name='' or username like(a%)&pass=

the sql query will be like that

 select count(*) from users where username =  '' or username like(a%)   and password=

with which you can log in (this is SQL injection)

or maybe you execute a command in your script
exec('something from the user ')

and one user send with the GET or the POST

exec(/etc/passwd) 

oops :injured:
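An added example, not part of the original posts: the login lookup from the post above rewritten with a prepared statement, so the value from GET or POST is bound as data and never becomes part of the SQL text. It assumes the `pdo_sqlite` extension and uses a constructed in-memory table and account; it also stores a password hash instead of comparing passwords in the query, which goes beyond what the post shows.

```php
<?php
// Added example. Assumes the pdo_sqlite extension; the table and the
// account below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
$ins->execute(array('hafez', password_hash('mypass', PASSWORD_DEFAULT)));

// The query text is fixed; user input travels only as a bound value.
function login(PDO $db, $name, $pass) {
    if (!is_string($name) || !is_string($pass)) {
        return false; // e.g. name[]=x arrives as an array
    }
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :name');
    $stmt->execute(array(':name' => $name));
    $hash = $stmt->fetchColumn(); // false when no such user
    return $hash !== false && password_verify($pass, $hash);
}

$tries = array(
    array('hafez', 'mypass'),                // correct credentials
    array('hafez', 'wrong'),                 // wrong password
    array("'' or username like(a%)", ''),    // the input quoted in the post above
);
foreach ($tries as $t) {
    printf("%-26s => %s\n", $t[0],
           login($db, $t[0], $t[1]) ? 'login ok' : 'login refused');
}
```

The third attempt is looked up as a literal username, finds no row and is refused.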

action=delete

No no no.

Do not use the query string to initiate actions. Things like this have led to, oh, Google prefetching links from some popular forums that resulted in deletion of profiles.

Get is for getting information. Post is for doing stuff.

Because the ctype methods/functions are language specific, based on your charset. It’s more secure if you use it properly.

If you are going to put any “sensitive” data in the address bar, make sure you encrypt it.