[ALUG] PHP $_GET and $_POST

Andreas Tauscher ta at geuka.net
Wed Sep 10 21:40:33 EAT 2014



Since I saw another "excellent" piece of code today:

Since PHP 5.2 (released already in 2006) there is no real need for
$_GET and $_POST any more.
The problem with $_GET and $_POST: verification and filtering of the
input. Validating and sanitizing input is a problem.

With PHP 5.2 a new function was introduced that makes all this much easier:
filter_input

$input = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);

is overall identical to

$input = $_GET['name'];

What filter_input has to offer as options, making life easier:
http://php.net/manual/en/ref.filter.php

It will not solve security issues. The programmer is still responsible
for the final verification. But these input filters make it easier.

IMHO a good practice is: any input goes first into an unfiltered variable:

$unfiltered_input = filter_input(INPUT_GET, 'name', FILTER_UNSAFE_RAW);

It is easy to see: any data starting with $unfiltered_ is evil. Any
raw input I can find easily by simply searching for FILTER_UNSAFE_RAW
instead of checking a million $_GETs.
Same data used for several things: also no problem. I still have it
raw and apply the filter I need now.

Andreas

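Added example, not part of Andreas' post: the "raw first, filter per use" pattern he describes, carried through for several parameter types. It uses filter_var() on a constructed array standing in for $_GET so it runs from the CLI; under a web server the raw value would come from filter_input(INPUT_GET, 'name', FILTER_UNSAFE_RAW) instead, which is the only difference. The parameter names, the regexp and the allow-list are assumptions for illustration. Note that FILTER_SANITIZE_STRING (used in the post) is deprecated since PHP 8.1; the validate filters and context-specific output encoding below do not depend on it.

```php
<?php
// Added example (not from the original post): "raw first, filter per use".
// The constructed $request array stands in for $_GET so this runs offline;
// under a web server use filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW).
declare(strict_types=1);

// Constructed sample request (assumption), standing in for $_GET.
$request = [
    'name'  => "<b>Andreas</b> O'Brien",
    'page'  => '2',
    'email' => 'ta@geuka.net',
    'limit' => '9999',
];

// Pull every value raw, exactly once. The $unfiltered_ prefix marks it as untrusted.
function unfiltered_param(array $source, string $key): ?string
{
    // Mirrors filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW): null when the
    // parameter is absent, the untouched string otherwise. An array value
    // (?name[]=x) makes filter_var() return false; treat that as absent.
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $v = filter_var($source[$key], FILTER_UNSAFE_RAW);
    return $v === false ? null : $v;
}

$unfiltered_name  = unfiltered_param($request, 'name');
$unfiltered_page  = unfiltered_param($request, 'page');
$unfiltered_email = unfiltered_param($request, 'email');
$unfiltered_limit = unfiltered_param($request, 'limit');
$unfiltered_sort  = unfiltered_param($request, 'sort');   // absent -> null

// Now apply the filter each use needs. Validate filters return false on
// rejection, so "reject or default", never silently repair.

// Integer with a range: "abc", "2.5" and out-of-range values all come back false.
$page = filter_var($unfiltered_page, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 10000]]);
if ($page === false) {
    $page = 1;
}

$limit = filter_var($unfiltered_limit, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 100]]);
if ($limit === false) {
    $limit = 20;   // 9999 is rejected here, not clamped
}

// Email: accept or reject; do not "sanitize" it into a different address.
$email = filter_var($unfiltered_email, FILTER_VALIDATE_EMAIL);

// Free-text name: an allow-list regexp (assumed policy) instead of stripping tags.
// The sample value contains <b>, so this rejects it (false).
$name = filter_var($unfiltered_name, FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => "/^[\\p{L} .'-]{1,64}$/u"]]);

// Sort column: strict allow-list lookup; the raw value never reaches the query text.
$allowed_sort = ['name', 'created'];
$sort = in_array($unfiltered_sort, $allowed_sort, true) ? $unfiltered_sort : 'name';

// The same raw value used in two contexts gets two different treatments:
// HTML output is encoded for HTML ...
$html_name = htmlspecialchars($unfiltered_name ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
// ... and a database lookup goes through a bound parameter (PDO, sketched only):
// $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
// $stmt->execute([':name' => $unfiltered_name]);

var_dump($page, $limit, $email, $name, $sort, $html_name);
```

Two caveats a practitioner should keep in mind when swapping $_GET for filter_input(): it reads the original request data, so values written into $_GET by earlier code (or by tests) are not visible to it, and it returns null for a missing parameter but false for a failed filter, so check with === rather than a truthiness test. A sanitize filter changes the data; a validate filter tells you whether to accept it. Neither replaces output encoding for the target context (htmlspecialchars for HTML, bound parameters for SQL), which is the "last verification" the post leaves with the programmer.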

