What is the best method of ensuring that $page and $getVars are clean and safe?

//fetch the passed request
$request = $_SERVER['QUERY_STRING'];

//parse the page request and other GET variables
$parsed = explode('&', $request);

//the page is the first element
$page = array_shift($parsed);

//the rest of the array are GET statements, parse them out;
$getVars = array();
foreach($parsed as $argument)
{
  //split GET vars along the first '=' symbol to separate the variable and its value;
  //array_pad supplies an empty value when an argument has no '='
  list($variable, $value) = array_pad(explode('=', $argument, 2), 2, '');
  $getVars[$variable] = $value;
}
hakre
davivid

1 Answer

In your case you just want to use $_GET or $_REQUEST instead of $_SERVER['QUERY_STRING'] as the others already have mentioned.

In order to verify and clean your variables, you should have a look at PHP's Data Filtering functions, which were introduced in PHP 5.2. You can also find some examples in the PHP manual similar to this:

if (filter_var('0.0.0.0', FILTER_VALIDATE_IP) !== false) {
    // IP address is valid
}

or

$options = array(
    'options' => array(
        'min_range' => 0,
        'max_range' => 2,
    )
);

if (filter_var(1, FILTER_VALIDATE_INT, $options) !== false) {
    // 1 is between 0 and 2
}
steffen
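The filter functions from the answer above, applied to a whole request at once with an allowlist check for the page name. This is an added example, not part of the original answer; the parameter names (page, id, email), the ALLOWED_PAGES list, the validateRequest helper and the sample input are assumptions.

```php
<?php
// Added example, not from the original post. The parameter names
// (page, id, email), the allowlist and the sample input are assumptions.

// Pages the application is willing to serve (hypothetical allowlist).
const ALLOWED_PAGES = ['home', 'news', 'contact'];

// Validate request parameters. Returns [clean values, list of rejected keys].
function validateRequest(array $input): array
{
    $spec = [
        // Restrict the page name to a short, safe token before the allowlist check.
        'page' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/\A[a-z0-9_-]{1,32}\z/'],
        ],
        'id' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 1000000],
        ],
        'email' => FILTER_VALIDATE_EMAIL,
    ];

    // Keys absent from $input come back as null, failed checks as false.
    // Keys not listed in $spec (here "debug") are dropped entirely.
    $result = filter_var_array($input, $spec);

    $clean = [];
    $rejected = [];
    foreach ($result as $key => $value) {
        if ($value === false) {
            $rejected[] = $key;
        } elseif ($value !== null) {
            $clean[$key] = $value;
        }
    }
    // Syntax is not enough for a page name: it must also be a known page.
    if (isset($clean['page']) && !in_array($clean['page'], ALLOWED_PAGES, true)) {
        unset($clean['page']);
        $rejected[] = 'page';
    }
    return [$clean, $rejected];
}

// Constructed sample standing in for $_GET.
$sample = ['page' => 'news', 'id' => '42', 'email' => 'not-an-email', 'debug' => '1'];
[$clean, $rejected] = validateRequest($sample);
var_dump($clean, $rejected);
```

In a web request, pass $_GET to the helper; validated values still need context-specific escaping when they are written into HTML or SQL.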