Security is very important to businesses these days, and they want to be sure that their web systems are secure. One way to help ensure this is to prevent tampering with variables passed via a URL. For example:
http://www.example.com/index.php?articleID=1
This URL could be modified by changing the 1 to a different number, or worse, to text such as SQL in an attempt to manipulate the database. This could include text such as:
http://www.example.com/index.php?articleID=' DROP ALL
This could be very dangerous, as it could drop all of the tables within the database, so obviously we need to prevent it. I will talk through a few techniques below:
1. If the variable you are passing via the URL is always going to be a number (e.g. 10), then you can check in your script that the variable is numeric before you use it. This ensures that if the variable is not numeric it will NOT be used in the processing.
2. If you are using numeric variables in the URL, something you have to consider is: have you made sure that this number cannot be changed to view other articles that the user does not have permission to see? A good way of stopping this is to check who the article belongs to before you display it.
3. If you are passing text through the URL, something you may want to consider is whether this is the best way of performing the activity at all. Passing text via the URL can be very risky and should generally not be done; however, there are some occasions where it may be necessary. On such occasions I would recommend using an IF or a SWITCH statement so that there is a fixed set of options that can be passed via the URL. This prevents tampering with the GET variable.
4. If you are using any sort of variable passed via a URL in an SQL statement, then ALWAYS make sure you apply addslashes to it. The reason for this is that people can break out of the preset SQL statement in your script and enter their own SQL to manipulate your database. I have provided a PHP code sample below showing how to do this:
<?php
// Assumes a database connection has already been opened with mysql_connect() / mysql_select_db().
$articleID = addslashes($_GET["articleID"]);
// The escaped value is wrapped in single quotes inside the query string.
$sql = "SELECT * FROM `article` WHERE `articleID` = '" . $articleID . "'";
$result = mysql_query($sql);
?>
It is vital that this is always done. An alternative option for you may be mysql_escape_string, but this may cause problems for some of you.
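The four techniques above combined in one script, as an added example that is not part of the original tutorial. It uses PDO with an in-memory SQLite database so it runs stand-alone; the article table, its rows, the ownerID column and the logged-in user id are constructed assumptions, and the query uses a prepared statement with bound parameters instead of addslashes so the value never becomes part of the SQL text.

```php
<?php
// Added example, not from the original tutorial. The table, rows and user id
// below are constructed sample data so the script runs without a real database.
declare(strict_types=1);

// Technique 1: accept only a short string of digits. "1 OR 1=1", "' DROP ALL"
// and "1.5" are all rejected before they get anywhere near the query.
function parseArticleId(?string $raw): ?int {
    if ($raw === null || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int)$raw;
}

// Technique 3: a text parameter is only ever one of the values listed in the
// switch; anything else falls back to a safe default.
function normaliseSort(?string $raw): string {
    switch ($raw) {
        case 'newest':
        case 'oldest':
            return $raw;
        default:
            return 'newest';
    }
}

// Techniques 2 and 4: the ownership check is part of the query, and the id is
// bound as a parameter rather than spliced into the SQL string.
function fetchArticle(PDO $db, int $articleId, int $userId): ?array {
    $stmt = $db->prepare('SELECT articleID, title FROM article WHERE articleID = :id AND ownerID = :owner');
    $stmt->execute([':id' => $articleId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: one article owned by user 7, one owned by user 9.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (articleID INTEGER PRIMARY KEY, ownerID INTEGER, title TEXT)');
$db->exec("INSERT INTO article VALUES (1, 7, 'My article'), (2, 9, 'Someone else''s article')");

$currentUserId = 7; // hypothetical logged-in user
$sort = normaliseSort($_GET['sort'] ?? null); // unknown values become 'newest'

// Walk through the kinds of input seen in the article: a valid id, another
// user's id, and two tampered values.
foreach (['1', '2', "' DROP ALL", '1 OR 1=1'] as $input) {
    $id = parseArticleId($input);
    $row = $id === null ? null : fetchArticle($db, $id, $currentUserId);
    printf("%-12s -> %s\n", $input, $row === null ? 'rejected or not permitted' : $row['title']);
}
```

Only the first input returns a row; the second is rejected by the ownership check and the last two never reach the database.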
Copyright PHPTutorials.co © 2009 - 2010