How can I secure my $_GETs in PHP?
- by ggfan
My profile.php displays all the user's postings,comments,pictures. If the user wants to delete, it sends the posting's id to the remove.php so it's like remove.php?action=removeposting&posting_id=2. If they want to remove a picture, it's remove.php?action=removepicture&picture_id=1.
Using the get data, I do a query to the database to display the info they want to delete and if they want to delete it, they click "yes". So the data is deleted via $POST NOT $GET to prevent cross-site request forgery.
My question is how do I make sure the GETs are not some javascript code, sql injection that will mess me up.
here is my remove.php
//how do I make $action safe?
//should I use mysqli_real_escape_string?
//use strip_tags()?
$action=trim($_GET['action']);
if (($action != 'removeposting') && ($action != 'removefriend')
&& ($action != 'removecomment'))
{
echo "please don't change the action. go back and refresh";
header("Location: index.php");
exit();
}
if ($action == 'removeposting')
{
//get the info and display it in a form. if user clicks "yes", deletes
}
if ($action =='removepicture')
{
//remove pic
}
I know I can't be 100% safe, but what are some common defenses I can use.
EDIT
Do this to prevent xss
$action=trim($_GET['action']);
htmlspecialchars(strip_tags($action));
Then when I am 'recalling' the data back via POST, I would use
$posting_id = mysqli_real_escape_string($dbc, trim($_POST['posting_id']));
