PHP protection of GET parameters

Question

OK consider this url:

example.com/single.php?id=21424

It's pretty obvious to you and i that the PHP is going to take the id and run it through a mysql query to retrieve 1 record to display it on the page.

Is there anyway some malicious hacker could mess this url up and pose a security threat to my application/mysql DB?

Thanks

http://stackoverflow.com/questions/601300/what-is-sql-injection — Pekka, Feb 23 '11 at 10:21
Regardless of the security aspect, it's also not a good application design to expose database-internal identifiers. Most objects in the database have a name or title, which should preferred as URL parameters when feasible. — mario, Feb 23 '11 at 10:55

score 11 · Accepted Answer · edited Sep 17 '15 at 18:23

11

Of course, never ever ever consider a user entry (_GET, _POST, _COOKIE, etc) as safe.

Use mysql_real_escape_string php function to sanitize your variables: http://php.net/manual/en/function.mysql-real-escape-string.php

About SQL injections : http://en.wikipedia.org/wiki/SQL_injection

edited Sep 17 '15 at 18:23

CocoaBean

295
7
20

answered Feb 23 '11 at 10:22

Intrepidd

19,772
6
55
63

1

Even _SERVER isn't always safe (e.g., HTTP_REFERER) – meze Feb 23 '11 at 10:25
Sure, theses are only examples :) – Intrepidd Feb 23 '11 at 10:29

greg0ire · Answer 2 · 2013-09-19T13:01:16.083

2

All depends on the filtering you explicitely (with filter_var() for instance) or implictely (by using prepared statements for instance) use.

edited Sep 19 '13 at 13:01

answered Feb 23 '11 at 10:24

greg0ire

22,714
16
72
101

score 1 · Answer 3 · answered Feb 23 '11 at 10:23

1

Well there is Sql injection http://en.wikipedia.org/wiki/SQL_injection

answered Feb 23 '11 at 10:23

Voooza

749
4
8

PHP protection of GET parameters

3 Answers3

Linked

Related