2

I have an important question, and I don't know what to search for, so I'm asking you guys for help.

Do I need to escape this kind of code:

<?php if(isset($_GET['hk']) && $_GET['hk'] == "loginerror") { echo "error"; } ?>

(the result will be something like index.php?hk=loginerror)

Or should I leave it un-escaped? Can hackers "hack" if I don't use escape?

Thanks.

  • err... what does the `mysql-real-escape-string` tag have to do with the code above? – Your Common Sense Jul 27 '13 at 11:51
  • this is not escaping, this is validation. – bansi Jul 27 '13 at 11:54
  • Escaping is context-dependent, not a lazy solution to asserting variable paths. See http://kunststube.net/escapism/ and [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/q/129677) – mario Jul 27 '13 at 11:57

3 Answers

1

You need to escape (or encode, depending on context) special characters in user input when you use it in generated code or data formats (e.g. if you put it in an SQL query, an HTML document, a JSON file, etc).

If you are just comparing it to a string or seeing if it exists, there is no point in escaping it.

Quentin
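The point of the answer above is that the encoder belongs at the output boundary, chosen per context, and that a bare comparison has no output boundary at all. The following PHP is an added example, not code from the original answer or from the asker: it takes one `$_GET['hk']` value and uses it in the four situations named above (comparison, HTML, SQL, JSON). The in-memory SQLite database, the `status` table and the hostile fallback value are assumptions made so the snippet runs offline without a real request.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for $_GET['hk'] when the script is run from the CLI.
// The is_string() check matters: ?hk[]=x makes $_GET['hk'] an array, which
// would make htmlspecialchars() below throw a TypeError.
$hk = isset($_GET['hk']) && is_string($_GET['hk'])
    ? $_GET['hk']
    : '"><script>alert(1)</script>';

// 1. Comparison only (the asker's case): nothing to escape. The value is never
//    handed to another parser, so a strict comparison is the whole control.
if ($hk === 'loginerror') {
    echo "error\n";
}

// 2. HTML context: encode for the position the value lands in. Echoing $hk raw
//    here would reflect the constructed payload as live markup.
$html = '<p class="msg">Unknown status: '
      . htmlspecialchars($hk, ENT_QUOTES | ENT_HTML5, 'UTF-8')
      . '</p>';
echo $html, "\n";

// 3. SQL context: do not escape into the query string at all; bind a parameter.
//    Assumed schema and data, in an in-memory SQLite database via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE status (name TEXT PRIMARY KEY, label TEXT)');
$pdo->exec("INSERT INTO status VALUES ('loginerror', 'Login failed')");
$stmt = $pdo->prepare('SELECT label FROM status WHERE name = :name');
$stmt->execute([':name' => $hk]);
$label = $stmt->fetchColumn();
echo $label === false ? "no such status\n" : $label . "\n";

// 4. JSON context: let json_encode() do the encoding instead of concatenating.
//    The JSON_HEX_* flags additionally make the output safe to drop into an
//    inline <script> block.
echo json_encode(
    ['hk' => $hk],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
), "\n";
```

Run it with `php example.php` (no query string) to see the hostile fallback value rendered harmlessly in each context, then under a web server with `?hk=loginerror` to see the comparison branch fire; in neither case is anything "escaped" before the comparison itself.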
1

It is always good practice to filter or escape your string when sending information, to limit hackers' chances of finding any security flaws.

Furthermore, never use the $_GET method when sending sensitive information over the net, rather use the $_POST method.

Using the $_GET method shows which variables are being parsed, and this information could be very, very important and influential to a hacker.

Ethic Or Logics
-2

NO.

You shouldn't escape a single $_GET array at all.

Your Common Sense