Possible Duplicate:
The ultimate clean/secure function

I am looking for some solution to make sure my $_GET incoming data only has what is needed and not some other dangerous characters, etc. What would be the best way of validating/sanitizing this? I assume REGEXP could play some role here:

<?php
if (isset($_GET['p'])) {
    // validate / sanitize $_GET['p'] here...

    // ...then call the controller, or whatever.
}
John Svensson
  • There's no such thing as "dangerous characters", only dangerous code. – Mark Byers May 05 '12 at 16:51
  • you need a validation script? – s.webbandit May 05 '12 at 16:54
  • There is no one answer for this. It depends entirely on what you are using `$_GET['p']` for. – Paul May 05 '12 at 16:54
  • What kind of data do you expect in the `p` variable? What do you use it for? What is the RIGHT data? – kapa May 05 '12 at 16:56
  • possible duplicate of [The ultimate clean/secure function](http://stackoverflow.com/questions/4223980/the-ultimate-clean-secure-function) and see as well [Is my escape function really safe?](http://stackoverflow.com/questions/9957401/is-my-escape-function-really-safe). – hakre May 05 '12 at 17:00

3 Answers

To validate or sanitise your input, use PHP's filter functions:

Validation is used to validate or check if the data meets certain qualifications. For example, passing in FILTER_VALIDATE_EMAIL will determine if the data is a valid email address, but will not change the data itself.

Sanitization will sanitize the data, so it may alter it by removing undesired characters. For example, passing in FILTER_SANITIZE_EMAIL will remove characters that are inappropriate for an email address to contain. That said, it does not validate the data.

If you want to display the data, you need to escape the HTML entities. You can do this with the htmlentities function.

Are you going to store the data in a database? Depending on the way you connect to your database (MySQL functions, MySQLi or PDO) you need to use (respectively) mysql_real_escape_string, mysqli::real_escape_string or mysqli_real_escape_string, or PDO::quote or prepared statements.

Do you want to use the values in a URL? Then you need to use the urlencode function.

Jonathan

If I understand your question correctly you could use percent-encoding. More information here.

In PHP this would be:

<?php
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>
John Wheal

It depends on the content of the $_GET parameter. Use REGEX or string functions to remove unnecessary characters. For example: if your variable is a page number, then remove everything that isn't a number. If it is some kind of sorting value, then check for the possible values (asc/desc/...) and remove the rest. Only keep the contents you need. This should be the securest way.

For other contents, use urlencode() and urldecode(), so you can pass every character that is possible. But be careful when you use this input for other things (e.g. saving to DB or displaying the data)! Always use functions like mysql_real_escape_string(), htmlentities() and similar ones, to encode the contents of your $_GET parameter.

mixable
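The following is an added example, not code from the question or from any of the answers above; it ties the three answers together by validating the page number with FILTER_VALIDATE_INT, whitelisting the sort direction, and then encoding the same request value separately for the SQL, HTML and URL contexts. The function names, the `posts` table and the `$input` array are all constructed for the demonstration; a real request would read `$_GET` instead.

```php
<?php
// Added example (not code from the question or any of the answers): validate each
// $_GET value against what it is used for, then encode it per output context.
declare(strict_types=1);

// Page number: only an integer in a sane range passes; anything else is rejected.
function validatePage(array $get): ?int
{
    $page = filter_var($get['p'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $page === false ? null : $page;
}

// Sort direction: a whitelist, because this word is spliced into the SQL text
// and cannot be bound as a parameter.
function validateSort(array $get): ?string
{
    $sort = strtolower((string) ($get['sort'] ?? 'asc'));
    return in_array($sort, ['asc', 'desc'], true) ? $sort : null;
}

// Constructed sample input standing in for $_GET (nothing here was received).
$input = ['p' => '1', 'sort' => 'DESC', 'q' => 'tea'];

$page = validatePage($input);
$sort = validateSort($input);
if ($page === null || $sort === null) {
    http_response_code(400);
    exit('invalid page or sort parameter');
}

// SQL context: the free-text value is bound, never concatenated; $sort is safe
// to splice only because it came out of the whitelist above.
$pdo = new PDO('sqlite::memory:');       // constructed in-memory table for the demo
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts (title) VALUES ('tea'), ('<b>tea</b> & \"cake\"'), ('coffee')");
$stmt = $pdo->prepare("SELECT title FROM posts WHERE title LIKE :q ORDER BY id $sort LIMIT 1 OFFSET :off");
$stmt->bindValue(':q', '%' . $input['q'] . '%', PDO::PARAM_STR);
$stmt->bindValue(':off', $page - 1, PDO::PARAM_INT);
$stmt->execute();

// HTML context: escape at output time, not on the way in.
echo '<p>Results for ', htmlspecialchars($input['q'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "</p>\n";
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $title) {
    echo '<li>', htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "</li>\n";
}

// URL context: percent-encode each value when building the next-page link.
$next = '?p=' . ($page + 1) . '&sort=' . $sort . '&q=' . urlencode($input['q']);
echo '<a href="', htmlspecialchars($next, ENT_QUOTES, 'UTF-8'), '">next</a>', "\n";
```

Note that the stored title containing `<b>` is rendered escaped rather than as markup, and that a `p` or `sort` value outside the accepted set is rejected with a 400 before any of the three encoders is reached.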