What is the difference between
Input::get('value')
and this:
$_GET['value']
and when is better to use one of them?
The first line of code
input::get('value')
is some framework (perhaps Laravel 4.2) wrapper around PHP GET variables like the second line of code
$_GET['value']
which is a PHP superglobal containing the same data but in plain vanilla PHP.
So the difference is more or less syntactical, e.g. how you prefix, write the name and the parenthesis:
Prefix Name Parenthesis
-none- "input::get" ()
"$" "_GET" []
Next to syntactical differences, the first one is a function call while the other one reads a variable.
A function call allows to interact more, e.g. the framework can inject code to provide extra functionality in the "read" operation (returning/getting a value), like allowing to specify a default value if an input is not set, which plain vanilla PHP didn't support that well in the past (I think there will be an improvement on this in PHP 7 but can't find the RFC right now).
It's not that PHP can't deal with default values for non-existent GET variable entries, it's just some little boilerplate:
$value = isset($_GET['value']) ? $_GET['value'] : null;
Input::get() is a function from Laravel
$email = Input::get('email');
Note: The "get" method is used for all request types (GET, POST, PUT,
and DELETE), not just GET requests.
Retrieve all input from the input array:
$array = Input::get();
Retrieve all input including the $_FILES array:
$input = Input::all();
And $_GET is superglobal variable in PHP used to get parameters from
querystring .
$_GET is PHP builtin variable.
It is global static variable and has several bad qualities, especially for testing. Laravel has introduced Input::get() instead so you can easily swap the implementation.
In Laravel there should be no reason to use $_GET and use Input::get() whenever possible.
So apparently, Input::get() is from Laravel just like what #hakre said.
$_GET['value'] will parse the URL if there is a set value in it.
For example we have a url http://www.example.com/index.php?myget=value
we can use $_GET['myget'] to fetch its value like so:
echo $_GET['myget'];
// this will print "value"
Related
I need to extract 3 input parameters (in this example a=test, b=sell, c=12536) from the following URL
/property-test-sell-12536
and pass to the PHP file as $_GET parameters. And inside PHP file I want to access this parameter as $_GET['a'], $_GET['b'], $_GET['c'].
I researched Google about this issue. Is it possible to use only NGINX for this purpose or should I do it inside PHP file?
Input arguments are defined as ?index=value&anotherIndex=anotherValue and so forth, for example: https://example.com/search.php?query=How+to+google&lang=en
PHP will then have the variables named as the appropriate index ($_GET['index'] will return you the value).
If you'd like to have routes like example.com/shoes/5/seller then you'd need to code a custom PHP function which trims the URL and looks for strings and then stores them in an appropriate variable, probably using a regex and preg_match. Though, be careful about security as these can be rather vulnerable to things like SQL injections and server-side code execution vulnerabilities.
After user submitted form post, I'm essentially doing this:
Sanitize JSON with php
to sanitize my json_decoded input.
json_decode creates an object which I pass to custom class method:
$body = json_decode($_POST['body']);
$form_id = $_POST['form_id'];
$errors = $this->validate_form( $form_id, $body, $options );
In $this->validate_form, I immediately do validation similarly to solutions in link above.
Is there a security gap in assigning decoded json, form_id to variables at runtime, and then passing these values through to custom method, even if the first thing done with them after is sanitizing?
I.e. is there some exploit, like a fancy json encoded 'call_user_func' etc that can be implemented here, just by simply passing values/storing run time values?
edit: (also just to clarify, i'm not doing anything obviously terrible after like call_user_func($form_id);
)
No, there's no security problem. PHP never executes data on its own when you assign variables, you have to call functions that interpret the data in a way that requires executing it. json_decode() doesn't do anything like that, it just transforms the data statically from one format to another.
Some examples of dangerous operations are eval() (it executes arbitrary code), call_user_func() (where the function name comes from user input), extract() (it creates variables from the array), and inserting parameters into SQL query strings (use parametrized queries to prevent SQL-injection). You can also run into XSS problems if you include user input in HTML output without sanitizing or encoding it.
First of all, I heard some web-servers allow you to reach parameter with $a instead of $_GET[a], this is not the case here.
Anyway, I have to reach a multiple times, so instead of doing $a = $_GET[a], I instead use $_GET[a] everytime. In single php tag as in <?php ?>, is that an issue, should I absolutely use variables? does it matter?
Another thing is my php file is really scrambled in my html, I wonder if does it matter with multiple gets?(should not, im just worried)
Thanks.
What you refer of using just $a instead of $_GET['a'] (or $_POST['a'] too) is an old feature known as register_globals. This feature was dangerous and leading to messy code, so it was considered deprecated in PHP 5.3 and finally removed in PHP 5.4.
Then, using $_GET['a'] everywhere in your scripts may lead to problems, because you should never trust user input (all things coming from $_GET, $_POST, $_REQUEST, $_COOKIE and some from $_FILES or $_SERVER). It is recommended to do something like $a = sanitize($_GET['a']); (the sanitize function does not exist, depending on what type of value are you expecting, you should check that what you get is an integer, or a valid date, or whatever, depending on your needs). From now on you should stop referencing $_GET['a'] and use instead the new sanitized variable you have just created $a. Because if you were using always $_GET['a'], chances are that you forget to sanitize it someplace.
Also, before sending this sanitized variable into a SQL query, you should escape it or use it inside a prepared statement to avoid SQL injections. Before outputting it to an html for the user to see, use htmlspecialchars to avoid XSS attacks.
And finally, about having multiple php blocks mixed with html blocks, this is only bad for maintenance reasons, because in the long run it will be a complete mess. Try to separate the html you send the user from the php code. Try to read something about the MVC pattern (Model-View-Controller) (this link is probably too complicated or maybe you don't see the utility right now for you that are just beginning with php (at least I didn't see how it was way better than mixing html with php, for all the complexity needed), but try to grasp the idea behind it) .
First of all, I heard some web-servers allow you to reach parameter with $a instead of $_GET[a], this is not the case here.
This is a PHP config setting called register_globals. It is insecure and should NOT be used. See this question for more information.
You can access an element in the $_GET array as many times as you like, it will not cause problems. However if you are printing an element of the $_GET array (or any other user submitted data) to the page, you should run it through htmlspecialchars() or the like before printing it out to prevent XSS vulnerabilities.
using a variable is a preference for you to decide it does not matter. but variable is the way forward if you use the same one multiple times.
<?php echo htmlspecialchars($_GET['a']);?>
using a variable means that it reusable again especially if you have added extra code, which mean just editing one variable for all instances.
<?php $a = htmlspecialchars($_GET['a']);
echo $a;
echo $a;
echo $a;
echo $a;
?>
I noticed that in PHP extract(some_function()); will work just like:
$stuff = some_function();
extract($stuff);
But in the PHP's documentation the extract function argument has the & thingy in front, and from what I know that means you have to pass a variable to it.
If the documentation was right, this would produce a strict standards message:
PHP Strict standards: Only variables should be passed by reference
So I think you just found a bug in the documentation. Congratulations.
EDIT
It still doesn't complain if you use it with EXTR_REFS as a second argument:
~❯ php -a
Interactive shell
php > function a(){return array('pwet'=> 42);}
php > extract(a(), EXTR_REFS);
php > echo $pwet;
42
Which is strange because referencing variables defined inside a function doesn't make much sense to me. I think the & might have been introduced because of this option, but appears only in the doc and is not enforced in the code.
EDIT
It seems I'm right, I found this comment in ext/standard/array.c (branches 5.3 and 5.4):
/* var_array is passed by ref for the needs of EXTR_REFS (needs to
* work on the original array to create refs to its members)
* simulate pass_by_value if EXTR_REFS is not used */
The ampersand passes a variable by reference so that when it is used in a function, you are manipulating the original object -- not a new variable with the same value. The documentation is telling you that if you pass a variable to the extract function, then the original object can be updated in some fashion by that function.
So, the answer is yes, you need to pass a variable to that function.
The reason $var_array parameter of the extract function is passed by reference (most likely) is from a holdover from older versions of PHP. Newer versions automatically pass arrays by reference.
The extract function creates a variable list from the contents of a (potentially large) array and it is not recommended that data of that type be passed by value.
Long story short, assign your array to a variable and pass it in that way.
I'm wondering if there is a quick and easy function to clean get variables in my url, before I work with them.( or $_POST come to think of it... )
I suppose I could use a regex to replace non-permitted characters, but I'm interested to hear what people use for this sort of thing?
The concept of cleaning input never made much sense to me. It's based on the assumption that some kinds of input are dangerous, but in reality there is no such thing as dangerous input; Just code that handles input wrongly.
The culprit of it is that if you embed a variable inside some kind of string (code), which is then evaluated by any kind of interpreter, you must ensure that the variable is properly escaped. For example, if you embed a string in a SQL-statement, then you must quote and escape certain characters in this string. If you embed values in a URL, then you must escape it with urlencode. If you embed a string within a HTML document, then you must escape with htmlspecialchars. And so on and so forth.
Trying to "clean" data up front is a doomed strategy, because you can't know - at that point - which context the data is going to be used in. The infamous magic_quotes anti-feature of PHP, is a prime example of this misguided idea.
I use the PHP input filters and the function urlencode.
Regular expressions can be helpful, and also PHP 5.2.0 introduced a whole filter extension devoted to filtering input variables in different ways.
It's hard to recommend a single solution, because the nature of input variables is so... variable. :-)
I use the below method to sanitize input for MYSQL database use. To summarize, iterate through the $_POST or $_GET array via foreach, and pass each $_POST or $_GET through the DBSafe function to clean it up. The DBSafe could easily be modified for other uses of the data variables (e.g. HTML output etc..).
// Iterate POST array, pass each to DBSafe function to clean up data
foreach ($_POST as $key => $PostVal) {
// Convert POST Vars into regular vars
$$key=DBSafe($PostVal);
// Use above statement to leave POST or GET array intact, and use new individual vars
// OR, use below to update POST or GET array vars
// Update POST vars
$_POST[$key]=DBSafe($PostVal);
}
function DBSafe($InputVal) {
// Returns MySQL safe values for DB update. unquoted numeric values; NULL for empty input; escaped, 'single-quoted' string-values;
if (is_numeric($InputVal)) {
return $InputVal;
} else {
// escape_string may not be necessary depending on server PHP and MySQL (i.e. magic_quotes) setup. Uncomment below if needed.
// $InputVal=mysql_escape_string($InputVal);
$InputVal=(!$InputVal?'NULL':"'$InputVal'");
return $InputVal;
}
}