
I use the $_GET method to create dynamic URLs:

$page = $_GET['id'];

URL: mysite.com/index.php?id=1

But what if someone inserts a malicious URL?

URL: mysite.com/index.php&id=http://www.infectedsite.com/viruses.txt?

How do I handle it?

John Jr
  • What are you doing with that query parameter? – Matt Ball Mar 22 '13 at 22:57
  • How do you fetch the page with id 1? Are you asking how to avoid remote includes? – baloo Mar 22 '13 at 23:01
  • Short of a security problem in your webserver or PHP itself, a URL is harmless. Any security problems will be caused by what you do with the submitted data; since you haven't shown us what happens to `$page` after you assign a value to it, we can't tell what problems it might cause. That said, the easiest security holes to create are [sql injection](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) and [XSS](http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php), both of which are subjects already well covered on StackOverflow. – Quentin Mar 22 '13 at 23:03

1 Answer


It is easy to handle. You control exactly how the query parameter is used, so make sure you take proper precautions when you use the parameter.

If you are dealing with database queries, make sure you properly escape your GET parameter. This differs depending on what you are using, but some useful pages to read are: http://php.net/manual/en/function.mysql-real-escape-string.php (deprecated, but it will give you a good understanding of escaping strings), and prepared statements in the PDO library: http://php.net/manual/en/pdo.prepared-statements.php

The other thing to be aware of is Cross Site Scripting (XSS). A good source to read on that is https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Simply thinking about how you may be attacked like this will allow you to protect against it in your code. The linked webpage gives good advice in this respect too.

As Brad also mentioned in the comments, PHP provides a range of filtering functions. These can be used to both sanitize and validate your data. Examples of this are at http://php.net/manual/en/book.filter.php.

Other than that, mainly use your common sense when using request parameters. If it feels wrong, or insecure, it probably is.

CodePB
  • Might be good to mention PHP's filtering functions too, if you are expecting a certain type of data. http://php.net/manual/en/book.filter.php – Brad Mar 22 '13 at 23:07
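Putting the answer and Brad's comment together, here is an added example (not code from the question or the answer) of one way to treat `$_GET['id']` safely: validate it with the filter extension, never use it as a file path or URL, bind it in a PDO prepared statement, and escape it on output. The `pages` table, the `$pages` whitelist and the database credentials are assumed for illustration.

```php
<?php
// Added example: validate the id, use it only via a whitelist and a prepared
// statement, and escape it before echoing. Table and credentials are assumed.
declare(strict_types=1);

// Unsafe patterns the question hints at (shown only as comments):
//   include $_GET['id'];                          // remote/local file inclusion
//   "SELECT * FROM pages WHERE id = " . $_GET['id']; // SQL injection

// 1. Validate: a page id must be a positive integer and nothing else.
//    filter_input() returns false for "http://..." and null if id is absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid page id');
}

// 2. If ids map to files on disk, look them up in a fixed whitelist so the
//    request can never choose an arbitrary path or URL (assumed mapping).
$pages = [1 => 'home.php', 2 => 'about.php'];
if (!isset($pages[$id])) {
    http_response_code(404);
    exit('No such page');
}
// include __DIR__ . '/pages/' . $pages[$id];   // only a whitelisted name

// 3. Database: bind the value as an integer instead of interpolating it.
$pdo = new PDO('mysql:host=localhost;dbname=mysite', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$stmt = $pdo->prepare('SELECT title, body FROM pages WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['title' => 'Untitled', 'body' => ''];

// 4. Output: escape everything that lands in HTML, including the id itself,
//    so a reflected value cannot become script (XSS).
$esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
echo '<h1>', $esc($row['title']), '</h1>';
echo '<p>Page ', $esc((string) $id), '</p>';
echo '<div>', $esc($row['body']), '</div>';
```

The same three steps apply to any request parameter: decide the exact type and range you accept, reject everything else up front, and treat the value as data (bound parameter, escaped text) rather than as code, a path or a URL.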