I'm working on a database keyword search. Up until now, I've been using the POST method so that all details from the form are not shown in the URL.
Everything is escaped and validated so I'm pretty sure it's protected against SQL injection.
I'm now adding pagination to the results which appends offset= to the URL to go to the correct page. The problem is I then lose the keywords from the form as they are not in the URL.
So from my (limited) understanding, I either need to send the offset as form data along with the keywords, or change the keywords to GET and have everything visible in the URL.
If all data is escaped and validated, is the GET method safe or should I always use forms/POST?
All data must be escaped and validated. POST is not more secure than GET.
Yes, you would need to use GET for your search. Advantage: users would be able to bookmark search result pages. All major search engines use GET on their search pages.
Or you would need to use JavaScript, which would submit a form by POST when one of your page hyperlinks (I mean page numbers 1, 2, 3... which are usually shown as hyperlinks below the search results) is clicked. Disadvantage: pagination would not work if JavaScript is turned off in the user's browser.
Edit: JAY6390 has been quicker to answer
Edit2: When I said POST is not more secure than GET, I meant for SQL injection attacks of course. I mean there is not much difference for a hacker to send a POST or GET to the site. Still of course if some sensitive information is sent (like e.g. passwords), GET should never be used, because a GET request sends parameters via a URL which could be cached in the browser history, in server logs (some servers could be so badly configured that their logs could be publicly accessed), etc.
Just in case: I have added a small edit (Edit2) to the post to explain my point on GET/POST security a little bit more in detail. Sorry for not providing this explanation at once. I'll try to pay more attention to such things in the future.
Thanks SKDevelopment.
I'm using http_build_query($_GET); to replace the offset for the new page links.
Do I need to do any validation/sanitising before rebuilding the url?
Each parameter gets validated/sanitised before going into the SQL query, so I don't know if the checks need to be done at every stage that form data is used or just the once (before the SQL).
You need to validate/sanitize before using parameters in the queries. You also need to apply htmlspecialchars() or htmlentities() to the HTML output to avoid HTML injections ... In short, it is absolutely necessary to validate/sanitize any input (from any source) before using it in any way.
But personally (I could be wrong of course) I do not see any great need to validate parameters specially for use in http_build_query(). At least I would not do that. But this is my personal opinion only of course which could be wrong.
Yes, security is a very interesting and very important thing to learn for sure. I agree completely. SQL injections, mail injections, HTML injections, file injections, session fixation and session hijacking attacks, XSS etc. All that is absolutely necessary to know for a web programmer... And I have never seen any one source with a lot of data on this subject where it was described well. I had to google many questions and read about them from different sources/articles on the Internet. Forums have always been especially useful for learning too.
If someone asked me about a good book on PHP, I could recommend the official Zend guide for preparation for the Zend Certified Engineer test (maybe not to start learning but must-read for sure). But with web-security, probably it is better learned from on-line articles. At least I did not see any really good books on this subject so far ... Maybe someone else did though ...
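As an added example (not code from anyone in this thread), here is how the page links can be rebuilt from $_GET with http_build_query(): the offset is validated for its own use, the query string is left to http_build_query() to percent-encode, and the href is escaped once more because it lands inside HTML. The script name search.php, the page size and the $_GET values are assumptions made for the demo.

```php
<?php
// Added example: rebuild pagination links from the current GET parameters.
// Assumes a search page search.php taking keyword= and offset= (assumed names).
declare(strict_types=1);

const PAGE_SIZE = 10;

// Validate the offset for the one thing it is used for: a non-negative
// integer aligned to the page size. Anything else falls back to page 1.
function cleanOffset(array $query): int
{
    $offset = filter_var($query['offset'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($offset === false) {
        $offset = 0;
    }
    return $offset - ($offset % PAGE_SIZE);
}

function pageLinks(array $query, int $rowcount, string $script = 'search.php'): array
{
    $current = cleanOffset($query);
    $links = [];
    for ($page = 0; $page * PAGE_SIZE < $rowcount; $page++) {
        $params = $query;
        $params['offset'] = $page * PAGE_SIZE;
        // http_build_query() percent-encodes every key and value, so the URL is
        // well-formed whatever the keyword contains (' becomes %27, & becomes %26).
        // It is not an HTML escaper, so the href still needs escaping below.
        $url = $script . '?' . http_build_query($params);
        if ($params['offset'] === $current) {
            $links[] = (string) ($page + 1);          // current page, no link
        } else {
            $links[] = sprintf('<a href="%s">%d</a>',
                htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), $page + 1);
        }
    }
    return $links;
}

// Constructed request: a keyword with an apostrophe and an unaligned offset.
$_GET = ['keyword' => "O'Brien & sons", 'offset' => '17'];
echo implode(' ', pageLinks($_GET, 25)), PHP_EOL;
```

The cleaned offset from cleanOffset() is also the value to bind (as an integer) into the query's LIMIT/OFFSET clause; the raw $_GET['offset'] should never be concatenated into the SQL.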
I've done a bit of reading on htmlentities. It's a little confusing.
At present I just have a form that searches the database by the entered keyword.
For example if I do:
PHP Code:
$message = 'Your search for <strong>'.$orig_keyword.'</strong> found the following <strong>'.$rowcount_array[0].'</strong> results:<br />';
echo htmlentities($message, ENT_QUOTES);
I get the following on screen
Code:
Your search for <strong>house</strong> found the following <strong>8</strong> results:<br />
Obviously I wouldn't want HTML to be literally displayed on screen, so I'm a little confused at which point in my code (HTML form, SQL and results all on the same page) I need to be using htmlentities?
I have read several articles online but I'm still not understanding it.
Obviously I wouldn't want HTML to be literally displayed on screen, so I'm a little confused at which point in my code (HTML form, SQL and results all on the same page) I need to be using htmlentities?
htmlentities is for preventing HTML code from being parsed as HTML (i.e. preventing HTML injection attacks). Usually, it is used on input validation or in places where you need to prevent HTML injection.
Is this method alone enough or do I need to use htmlentities in addition (before inserting into SQL)?
I've started changing all my echoed strings/variables to htmlentities.
One snag with htmlentities so far (when applied to the search keyword) is it strips out apostrophes which need to stay in.
I have a form that has an input text box. The user types in a keyword and this is searched for in the database.
The results are echoed along with the keyword searched for
I want to protect $the_keyword but I'm not clear on what to use and when to use it.
I have:
PHP Code:
echo 'Your search for <strong>'.htmlentities($the_keyword, ENT_QUOTES, 'UTF-8').'</strong> found the following';
This seems to work ok.
But then there is:
PHP Code:
$the_keyword = $_GET['keyword'];
I'm not sure how to protect it without stripping out characters that are needed such as apostrophes?
I really appreciate everyone's help - I realise this is all very n00b!
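As an added example (not code from the thread or its posters), here is the keyword handled at each of the three stages discussed above: read raw from $_GET, bound as a parameter for the database, and escaped only at the point it is written into HTML. It uses an in-memory SQLite table constructed for the demo (assumed to stand in for the real database) and a table/column name that is an assumption.

```php
<?php
// Added example: one keyword, three stages, escaping only where it is needed.
// Assumes PHP with PDO and the sqlite driver; table and rows are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO listings (title) VALUES (?)');
foreach (["O'Brien's house", 'Cottage', 'Farm <b>house</b>'] as $t) {
    $ins->execute([$t]);
}

// Stage 1: read the raw value. Nothing is escaped or stripped here;
// at this point the keyword is only data.
$the_keyword = $_GET['keyword'] ?? "O'Brien";   // constructed default for the CLI

// Stage 2: database. A bound parameter carries the apostrophe as data, so
// no quoting of $the_keyword is needed for SQL. The LIKE wildcards % and _
// are escaped so a user typing them searches for them literally.
$like = '%' . addcslashes($the_keyword, '%_\\') . '%';
$stmt = $db->prepare("SELECT title FROM listings WHERE title LIKE ? ESCAPE '\\' ORDER BY id");
$stmt->execute([$like]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

// Stage 3: HTML output. Escape each untrusted VALUE as it is placed into
// markup, never the whole message (escaping the whole message is what made
// the <strong> tags appear literally on screen earlier in the thread).
function h(string $s): string
{
    // ENT_QUOTES encodes ' as &#039;, which the browser renders as ' again,
    // so the apostrophe is preserved rather than stripped.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo 'Your search for <strong>' . h($the_keyword) . '</strong> found the following <strong>'
   . count($rows) . '</strong> results:<br />' . PHP_EOL;
foreach ($rows as $title) {
    // A stored "<b>house</b>" is shown as text, not rendered as bold.
    echo '<li>' . h($title) . '</li>' . PHP_EOL;
}
```

Nothing is escaped before the INSERT or SELECT, so the database keeps the original text and every page can re-escape it for its own output context.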