One of the major issues I keep seeing in many threads is that rarely is anyone filtering their request/input variables.
What does this mean? In short, it means validating any information submitted to the form before you use it. If you put a variable from the $_GET superglobal straight into an SQL query, you open yourself up to SQL injection. If you use one to decide which file to include, you open yourself up to a complete site takeover.
If a script is reachable on the internet, anyone can call it and pass it whatever variables they choose. Even if you have a tidy setup where only a couple of variables are used, hackers will try submitting many common variable names (via GET and POST) to see if they can get in.
In short, ANY TIME you need the value of a GET or POST variable, you need to filter and/or sanitize it. Lucky for you, PHP has a library for this (PHP 5+; PHP 4 support ended in 2007, so it is not good to use). There are other libraries out there in various frameworks if you need more advanced functionality, such as Zend Framework's Zend_Filter.
http://www.w3schools.com/php/php_ref_filter.asp
http://www.php.net/manual/en/book.filter.php
Here are some ways you can use it. The links above list all of the available filters and flags.
Getting a POST variable, validating it
Code:
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// false if the value is not a valid address, null if 'email' was not submitted at all
Getting a POST variable, sanitizing it
Code:
$url = filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL);
// strips every character that is not allowed in a URL; it does not check that the result is a valid URL
You can create your own filtering function if you really need to. You can also apply the same filters to any variable, not just request input, by calling filter_var() instead.
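As an added example (not code from the original post), here is the same filter extension applied to a whole form at once with filter_var_array(), plus the allowlist approach for the "which file to include" case mentioned above. The field names and the sample submission are constructed so the script runs offline.

```php
<?php
// Constructed sample input standing in for $_POST (field names are assumptions).
$submitted = [
    'email' => 'user@example.com',
    'url'   => 'http://example.com/a b',   // the space is not a URL character
    'page'  => '../../etc/passwd',         // hostile value for the include case
    'age'   => 'abc',                      // fails integer validation
];

// One definition per field: a bare filter constant, or an array with options.
$definition = [
    'email' => FILTER_VALIDATE_EMAIL,
    'url'   => FILTER_SANITIZE_URL,
    'age'   => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 0, 'max_range' => 150]],
    'page'  => FILTER_DEFAULT,             // raw string; handled by the allowlist below
];

// One call filters every field; keys that were not submitted come back as null,
// values that fail validation come back as false, so the two cases stay distinct.
$clean = filter_var_array($submitted, $definition);

function fieldStatus($value): string {
    if ($value === null)  { return 'missing'; }
    if ($value === false) { return 'invalid'; }
    return 'ok: ' . var_export($value, true);
}

foreach ($clean as $name => $value) {
    echo "$name => " . fieldStatus($value) . "\n";
}

// For choosing a file to include, sanitizing is not enough: map the request
// value onto a fixed allowlist and never build a path from the raw input.
$pages = ['home' => 'home.php', 'about' => 'about.php'];
$page  = $clean['page'] ?? 'home';
$file  = $pages[$page] ?? $pages['home'];  // any unknown value falls back to home
echo "would include: $file\n";
```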
So to recap, the majority of security problems in PHP programs come from the program trusting its input data. I think that most training materials do not cover this topic, or do not cover it early enough in the training. Filtering doesn't make it 100% certain you cannot be hacked, but it is certainly the best place to start thinking about security in your programs.