  1. #1 gnomeontherun (Senior Coder, Houston; joined Sep 2007)

    How to properly use $_GET and $_POST variables

    One of the major issues I keep seeing in many threads is that rarely is anyone filtering their request/input variables.

    What does this mean? In short, it means you are trying to validate any information submitted to the form before using it. If you use a variable from the $_GET superglobal in an SQL query, you open yourself up to SQL Injection. If you use one to determine which files to include, you open yourself up to a complete site takeover.

    If a script is available on the internet, then it can be called by anyone and can be passed any variables that person decides to use. Just because you have a nice system set up where only a couple of variables are used, hackers will still try submitting many common variable names (via GET and POST) to see if they can crack in.

    In short, ANYTIME you need to get the value of a GET or POST variable, you need to filter and/or sanitize it. Lucky for you, PHP has a library for this (PHP5+, but PHP4 support stopped in 2007, so it's not good to use). There are other libraries out there in various frameworks, if you need more advanced functionality, such as Zend Framework's Zend_Filter.

    http://www.w3schools.com/php/php_ref_filter.asp
    http://www.php.net/manual/en/book.filter.php

    Here are some ways you can use it. The list above will show all of the flags to use.

    Getting a POST variable, validating it

    Code:
        $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

    Getting a POST variable, sanitizing it

    Code:
        $url = filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL);

    You can create your own filtering function if you really need to. You can also use this class just to validate any variable, by using filter_var() instead.

    So to recap, the majority of security problems with PHP programs are due to the program trusting the input data. I think that most training materials do not cover this topic, or do not cover it early enough in the training. Filtering doesn't make it 100% certain you cannot be hacked, but it is certainly the best way to start thinking about security in your programs.
    Last edited by gnomeontherun; 01-15-2011 at 08:18 PM.
    jeremy - gnomeontherun
    Educated questions often get educated answers, and simple questions often get simple answers.
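A fuller worked example of the approach described in the post above (added here, not the poster's own code): validating POST/GET values with the filter extension, handling the false/null return values, and keeping validated data out of raw SQL and include paths. The `$pdo` connection, the `users` table and the `pages/` files are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Assumes an existing PDO
// connection in $pdo and a table users(id, email); both are assumptions.
declare(strict_types=1);

// 1. Validate an e-mail from POST. filter_input() returns the value on
//    success, false when validation fails, and null when the key is absent.
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email === null) {
    http_response_code(400);
    exit('email is required');
}
if ($email === false) {
    http_response_code(400);
    exit('email is not a valid address');
}

// 2. Validate a numeric id from GET and constrain it to a sane range, so
//    "-1", "1 OR 1=1" or "../etc/passwd" are rejected before any use.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('id must be a positive integer');
}

// 3. Even validated values are bound as parameters, never concatenated into
//    the query: input validation and parameterised SQL are separate layers.
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id AND email = :email');
$stmt->execute([':id' => $id, ':email' => $email]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. A value that selects a file to include is matched against a fixed
//    allowlist rather than "sanitised"; only names you defined can be included.
$allowedPages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
$page = filter_input(INPUT_GET, 'page') ?? 'home';
if (!is_string($page) || !array_key_exists($page, $allowedPages)) {
    http_response_code(404);
    exit('unknown page');
}
require $allowedPages[$page];

// 5. filter_var() applies the same validators to a value from any other
//    source, e.g. a decoded JSON body (value constructed here).
$decoded = ['email' => 'not an address'];
$jsonEmail = filter_var($decoded['email'], FILTER_VALIDATE_EMAIL);
if ($jsonEmail === false) {
    http_response_code(400);
    exit('email in body is not valid');
}
```

Note that filter_input() reads the request data PHP received, not the current $_GET/$_POST arrays, so values you modify in those superglobals are not seen by it.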

  • #2 Regular Coder (Griffith, Australia; joined Apr 2007)
    Security in PHP programming is much the same as PC security: the most secure, un-hackable computer in the world is a desktop machine with no network connection, contained in a steel box buried 1000 meters under the ground. At the end of the day, if your site's data is that critical and security is that important, filter every single form input and use SSL security.

    But I agree with Gnome that every form submission should be filtered and checked. Don't assume that the data being passed to the application is the data that should be passed to the application.
