Escaping PHP GET and POST values

php security post get
29,679

Solution 1

Well, it's bad for the same way magic_quotes_gpc is bad. It's magic and will escape everything, whether you want it to or not. Instead, handle the escaping where it's used, and you can change things without any problem. So:

function post($key) {
    if(array_key_exists($key, $_POST)) {
        return $_POST[$key];
    }

    return false;
}

And do your escaping where it's needed. Otherwise, things can look strange, and unescaping them will defeat the point. Consider this; I input my last name, O'Hara, in a textbox. You want to echo it back, but you fetch it using getPost. Here's what I get back:

O\'Hara

Did you htmlspecialchars it again? Well, then I get:

O\'ara

or something. This happens to me a lot and it's incredibly annoying - please don't do it.

Solution 2

I wouldn't say useless, just a bit misguided. You should do the escaping immediately before you use it in the context it needs to be escaped for. For example, if you want to send the value back to the browser you might do this:

echo htmlspecialchars($_GET['name']);

But if you want to send it to the database you might do this:

mysql_query(... 'INSERT INTO users VALUES ("'.mysql_real_escape_string($_GET['name']).'")');

With your method you are fixed in what you can do with it. If you do this:

echo getGet('name');

You are going to print out a MySQL escaped string rather than the actual name.

Share:
29,679
jribeiro
Author by

jribeiro

Full Stack Web Developer driven by passion, innovation and creativity! I specialise in creating great web and mobile experiences for companies and creatives

Updated on July 05, 2022

Comments

  • jribeiro
    jribeiro almost 2 years

    Possible Duplicate:
    The ultimate clean/secure function

    I was informed in another thread that this bit of code was pretty useless:

    function getPost($s) {
        if (array_key_exists($s, $_POST))
            return mysql_real_escape_string(htmlspecialchars($_POST[$s]));
        else return false;
    }


    function getGet($s) {
        if (array_key_exists($s, $_GET))
            return mysql_real_escape_string(htmlspecialchars($_GET[$s]));
        else return false;
    }

    Can anybody help understand why and how I can make it better please? Links or references are welcome also.

    Just trying to always improve :)

  • jribeiro
    jribeiro over 12 years
    Hmmm i don't use it in all POST values. It's just for re-use when really needed. Anyway great answer. Thanks
  • itachi
    itachi over 12 years
    That sql insert query looks little bit of ugly....
  • Adrian Günter
    Adrian Günter almost 10 years
    Also use mysqli or PDO, not the mysql_ extension. And use prepared statements, not mysql*_real_escape_string.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

what are the vulnerabilities in direct use of GET and POST?
href hyperlinks as POST
PHP - Capture All POST Variables
How to make a POST request with PHP given the following HTTP + JSON
PHP MySQL $_GET Hack prevention
How to get the value from a text field and pass it into a variable?
Apache LimitExcept only to GET and POST methods
PHP curl: CURLOPT_URL, CURLOPT_POST, and CURLOPT_POSTFIELDS
PHP - hide url (GET) parameters
PHP $_GET and $_POST undefined problem