How to echo a $_GET safely?

Question

<?php
    echo $_GET['id'];
?>

Doesn't look very safe to me.. What is our best option to show an GET element?

Something like a preg_replace on all the special characters, or htmlspecialchars?

score 5 · Accepted Answer · answered Nov 02 '13 at 16:55

5

Depends on what you are doing to do with $_GET['id'];

If you are looking to insert it into database , Just make use of Prepared Statements. [That suffices]

If you just want to display it on your HTML page, make use of this code.

<?php
    echo htmlentities($_GET['id']);
?>

answered Nov 02 '13 at 16:55

2

`htmlentities()` does more escaping than necessary (as opposed to `htmlspecialchars()`). – ComFreek Nov 02 '13 at 17:10

score 3 · Answer 2 · answered Nov 02 '13 at 16:54

3

<?php
    echo htmlspecialchars($_GET['id']);
?>

answered Nov 02 '13 at 16:54

Paul Draper

score 3 · Answer 3 · answered Nov 02 '13 at 16:56

3

htmlspecialchars() if it is a string, or cast to the appropriate type if it is numeric (intval(), or (int) etc.), for example:

$id = (int)$_GET['id'];
//or
echo (int)$_GET['id'];

answered Nov 02 '13 at 16:56

AbraCadaver

`htmlspecialchars` is sufficient with numeric values, too. – Marcel Korpel Nov 02 '13 at 16:57
2

It's sufficient, but if it's supposed to be an int then casting to an int will at least give you 0 if there is text or other garbage. – AbraCadaver Nov 02 '13 at 16:58

score 2 · Answer 4 · answered Nov 02 '13 at 16:55

2

If it's id, I think it should be numeric - then echo intval($_GET['id']);

answered Nov 02 '13 at 16:55

u_mulder

score 1 · Answer 5 · answered Nov 02 '13 at 16:54

1

This should be enough:

htmlspecialchars($_GET['id'], ENT_QUOTES, "UTF-8");

answered Nov 02 '13 at 16:54

sybear

5 Answers5