How can I secure my $_GETs in PHP?
<p>My profile.php displays all the user's postings, comments and pictures. If the user wants to delete a posting, it sends the posting's id to remove.php, so it's like remove.php?action=removeposting&amp;posting_id=2. If they want to remove a picture, it's remove.php?action=removepicture&amp;picture_id=1.</p>

<p>Using the GET data, I do a query to the database to display the info they want to delete, and if they want to delete it, they click "yes". So the data is deleted via $_POST, NOT $_GET, to prevent cross-site request forgery.</p>

<p>My question is: how do I make sure the GETs are not some JavaScript code or SQL injection that will mess me up?</p>

<p><strong>Here is my remove.php</strong></p>

<pre><code>&lt;?php
// how do I make $action safe?
// should I use mysqli_real_escape_string?
// use strip_tags()?
$action = trim($_GET['action'] ?? '');

// allow-list of actions; 'removepicture' is included so the branch below is reachable
if (($action != 'removeposting') &amp;&amp; ($action != 'removepicture') &amp;&amp; ($action != 'removefriend') &amp;&amp; ($action != 'removecomment')) {
    header("Location: index.php");
    exit();
}

if ($action == 'removeposting') {
    // get the info and display it in a form. if user clicks "yes", deletes
}

if ($action == 'removepicture') {
    // remove pic
}
</code></pre>

<p>I know I can't be 100% safe, but what are some common defenses I can use?</p>

<p><strong>EDIT</strong></p>

<p>Do this to prevent XSS:</p>

<pre><code>$oldaction = trim($_GET['action'] ?? '');
$action = strip_tags($oldaction);
</code></pre>

<p>Then when I am 'recalling' the data back via POST, I would use:</p>

<pre><code>$posting_id = mysqli_real_escape_string($dbc, trim($_POST['posting_id']));
</code></pre>

<pre><code>if ($action == 'removeposting') {
    // get the posting id from the user
    $getposting_id = htmlspecialchars(trim($_GET['posting_id'] ?? ''));

    // basic checks for the posting id
    if (empty($getposting_id)) {
        // header("Location: index.php");
        echo '&lt;p&gt;Sorry, no posting was specified for removal.&lt;/p&gt;';
        exit();
    }
    if (!is_numeric($getposting_id)) {
        echo "Not an integer";
        exit();
    }

    // Also have check to see if the posting_id is the user's. If so, can delete
}
</code></pre>
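A hardened version of the remove.php flow the question describes, added here as an illustration; it is not code from the original post or from any answer to it. It demonstrates the defenses the question circles around: an exact allow-list for `action` instead of escaping or `strip_tags()`, integer validation for ids, a prepared statement whose WHERE clause includes the owning user, a per-session CSRF token on the confirmation form, and HTML-escaping only at output time. The table and column names (`postings.id`, `postings.user_id`), the session key `user_id`, the form field `csrf` and the `$dbc` mysqli handle are assumptions.

```php
<?php
// Added example (not from the question): hardened remove.php sketch.
// Assumed: table postings(id, user_id), $_SESSION['user_id'] for the logged-in user,
// a mysqli handle in $dbc, and a hidden form field named 'csrf'.
declare(strict_types=1);

const ALLOWED_ACTIONS = ['removeposting', 'removepicture', 'removefriend', 'removecomment'];

// 1. Allow-list the action: exact string match against known values, nothing else.
//    Escaping or strip_tags() is the wrong tool here; an unknown value is simply rejected.
function validate_action(array $get): ?string
{
    $action = isset($get['action']) && is_string($get['action']) ? trim($get['action']) : '';
    return in_array($action, ALLOWED_ACTIONS, true) ? $action : null;
}

// 2. Ids are integers: validate them as integers (>= 1), not as escaped strings.
function validate_id(array $src, string $key): ?int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $id = filter_var($src[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. CSRF: the confirmation form carries a per-session random token; the POST must echo it back.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_ok(array $post): bool
{
    return isset($post['csrf'], $_SESSION['csrf'])
        && is_string($post['csrf'])
        && hash_equals($_SESSION['csrf'], $post['csrf']);
}

// 4. Database: prepared statement with the owner in the WHERE clause, so a user can only
//    delete rows that belong to them. True only when exactly one row was removed.
function delete_posting(mysqli $db, int $postingId, int $userId): bool
{
    $stmt = $db->prepare('DELETE FROM postings WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $postingId, $userId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// 5. Output: HTML-escape when rendering, never when storing or querying.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling.
session_start();
$action = validate_action($_GET);
if ($action === null || empty($_SESSION['user_id'])) {
    header('Location: index.php');
    exit();
}
$userId = (int) $_SESSION['user_id'];

if ($action === 'removeposting') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // The destructive step: integer id + valid CSRF token + ownership enforced in SQL.
        $postingId = validate_id($_POST, 'posting_id');
        if ($postingId === null || !csrf_ok($_POST)) {
            http_response_code(400);
            echo '<p>Invalid request.</p>';
            exit();
        }
        echo delete_posting($dbc, $postingId, $userId)
            ? '<p>Posting removed.</p>'
            : '<p>No such posting, or it is not yours.</p>';
        exit();
    }

    // GET only shows the confirmation form; nothing is deleted here.
    $postingId = validate_id($_GET, 'posting_id');
    if ($postingId === null) {
        echo '<p>Sorry, no valid posting was specified for removal.</p>';
        exit();
    }
    echo '<form method="post" action="remove.php?action=removeposting">'
       . '<input type="hidden" name="posting_id" value="' . $postingId . '">'
       . '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
       . '<button type="submit">Yes, delete posting #' . $postingId . '</button></form>';
}
```

The point of the design is that each input is handled by the check that matches its type: `action` is compared against a fixed list, ids are validated as integers before they reach any query, the query itself is parameterised so escaping is unnecessary, and the ownership check lives in the SQL rather than in a separate lookup that could be forgotten. `htmlspecialchars()` appears only where a value is written into HTML, which is the one place it helps.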