How can I secure my $_GETs in PHP?

Posted by ggfan on Stack Overflow
Published on 2010-05-13T04:03:13Z Indexed on 2010/05/13 4:14 UTC

My profile.php displays all the user's postings, comments and pictures. If the user wants to delete one, it sends the posting's id to remove.php, so it's like remove.php?action=removeposting&posting_id=2. If they want to remove a picture, it's remove.php?action=removepicture&picture_id=1.

Using the GET data, I do a query to the database to display the info they want to delete, and if they want to delete it, they click "yes". So the data is deleted via $_POST, NOT $_GET, to prevent cross-site request forgery.

My question is: how do I make sure the GETs are not some JavaScript code or SQL injection that will mess me up?

Here is my remove.php:

    //how do I make $action safe?
    //should I use mysqli_real_escape_string?
    //use strip_tags()?
    $action = trim($_GET['action']);

    // whitelist of allowed actions; 'removepicture' is handled below, so it
    // must be in the list too or that branch can never be reached
    if (($action != 'removeposting') && ($action != 'removefriend')
        && ($action != 'removecomment') && ($action != 'removepicture'))
    {
        // no output before header(), otherwise the redirect fails with
        // "headers already sent"
        header("Location: index.php");
        exit();
    }

    if ($action == 'removeposting')
    {
        //get the info and display it in a form. if user clicks "yes", deletes
    }

    if ($action == 'removepicture')
    {
        //remove pic
    }

I know I can't be 100% safe, but what are some common defenses I can use?

EDIT

Do this to prevent XSS:

    $action = trim($_GET['action']);
    // assign the result; calling the functions without assignment discards it
    $action = htmlspecialchars(strip_tags($action));

Then when I am 'recalling' the data back via POST, I would use:

    $posting_id = mysqli_real_escape_string($dbc, trim($_POST['posting_id']));
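As an added example (not the asker's code), here is how remove.php can be hardened along the lines the question describes: a whitelist for `action`, integer validation for the id, a prepared statement instead of escaping, and a CSRF token on the confirmation form. It assumes an existing mysqli connection `$dbc`, a logged-in user id in `$_SESSION['user_id']`, tables `postings` and `pictures` with `id` and `user_id` columns, and a `confirm_remove.php` that performs the actual delete; all of these are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumed: $dbc (mysqli),
// $_SESSION['user_id'], tables `postings`/`pictures`, confirm_remove.php.
session_start();

// 1. Whitelist: map each allowed action to the table and id parameter it uses.
//    Anything not in this map is rejected; no escaping is needed because the
//    untrusted value is only ever compared against known keys, never echoed.
$actions = [
    'removeposting' => ['table' => 'postings', 'param' => 'posting_id'],
    'removepicture' => ['table' => 'pictures', 'param' => 'picture_id'],
];

$action = isset($_GET['action']) ? trim($_GET['action']) : '';
if (!array_key_exists($action, $actions)) {
    header('Location: index.php'); // redirect before any output is sent
    exit();
}
$table = $actions[$action]['table']; // taken from our map, not from the user
$param = $actions[$action]['param'];

// 2. The id must be a positive integer; anything else fails validation.
$id = filter_input(INPUT_GET, $param, FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    header('Location: index.php');
    exit();
}

// 3. Prepared statement: the id is bound as a parameter, so it cannot alter
//    the SQL. The user_id check stops one user deleting another user's rows.
$stmt = $dbc->prepare("SELECT id FROM `$table` WHERE id = ? AND user_id = ?");
$stmt->bind_param('ii', $id, $_SESSION['user_id']);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows === 0) {
    header('Location: index.php');
    exit();
}

// 4. Confirmation form: POST plus a per-session CSRF token, so a link alone
//    cannot trigger the delete. Values are HTML-escaped when echoed.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$esc = fn($v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="confirm_remove.php">';
echo '<input type="hidden" name="action" value="' . $esc($action) . '">';
echo '<input type="hidden" name="id" value="' . (int)$id . '">';
echo '<input type="hidden" name="csrf" value="' . $esc($_SESSION['csrf']) . '">';
echo '<button type="submit">Yes, delete it</button></form>';
```

The assumed confirm_remove.php should compare the posted token with `hash_equals($_SESSION['csrf'], $_POST['csrf'])` and run the DELETE through a prepared statement with the same whitelist and ownership check.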

© Stack Overflow or respective owner
