Is there a way to access HTTP GET variables in PHP without using $_GET or $_REQUEST? I'm asking because I know that $_POST isn't populated if the POST isn't sent through a form and I want to make sure that using $_GET doesn't have similar problems.
Sure, $_SERVER['QUERY_STRING'] contains the raw foo=bar&baz=qux type string, which you can pull apart with parse_str() and the like. But why would you want to? You'd just be replicating work that PHP has already done for you.
You can also use the filter_input() function:
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
After a user submits a form POST, I'm essentially doing this:
Sanitize JSON with php
to sanitize my json_decoded input.
json_decode creates an object which I pass to custom class method:
$body = json_decode($_POST['body']);
$form_id = $_POST['form_id'];
$errors = $this->validate_form( $form_id, $body, $options );
In $this->validate_form, I immediately do validation similar to the solutions in the link above.
Is there a security gap in assigning decoded json, form_id to variables at runtime, and then passing these values through to custom method, even if the first thing done with them after is sanitizing?
I.e. is there some exploit, like a fancy json encoded 'call_user_func' etc that can be implemented here, just by simply passing values/storing run time values?
Edit: (also, just to clarify, I'm not doing anything obviously terrible afterwards, like call_user_func($form_id);)
No, there's no security problem. PHP never executes data on its own when you assign variables, you have to call functions that interpret the data in a way that requires executing it. json_decode() doesn't do anything like that, it just transforms the data statically from one format to another.
Some examples of dangerous operations are eval() (it executes arbitrary code), call_user_func() (where the function name comes from user input), extract() (it creates variables from the array), and inserting parameters into SQL query strings (use parametrized queries to prevent SQL-injection). You can also run into XSS problems if you include user input in HTML output without sanitizing or encoding it.
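The following script is an added example, not code from the original question or answer. It walks through the answer's point with constructed input standing in for $_POST: decoding and assignment are inert, and each of the dangerous sinks named above is shown in its hardened form (an allow-list instead of call_user_func() on input, explicit key reads instead of extract(), a prepared statement instead of string-built SQL, and HTML encoding at output time). It assumes PHP 7.3 or later and the pdo_sqlite extension so it runs offline.

```php
<?php
// Added example, not code from the original thread. It illustrates the answer
// above: json_decode() and variable assignment are inert; risk only appears at
// "sinks" such as call_user_func(), extract(), SQL string building and HTML output.
// Assumes PHP 7.3+ (JSON_THROW_ON_ERROR) and the pdo_sqlite extension.
declare(strict_types=1);

// Constructed sample standing in for $_POST. In a real request both the
// handler name and the name field are attacker-controlled.
$post = [
    'form_id' => '7',
    'body'    => '{"name":"O\'Brien <script>","handler":"contact"}',
];

// Safe: decoding just converts one representation into another. Nothing runs.
$body    = json_decode($post['body'], true, 512, JSON_THROW_ON_ERROR);
$form_id = filter_var($post['form_id'], FILTER_VALIDATE_INT);
if ($form_id === false) {
    http_response_code(400);
    exit("invalid form_id\n");
}

// Sink 1: a function name taken from input, e.g. call_user_func($body['handler']).
// Hardened: look the name up in a fixed allow-list; names such as "system" or
// "eval" simply have no entry and are rejected.
$handlers = [
    'contact' => function (string $name): string { return "contact form from $name"; },
    'signup'  => function (string $name): string { return "signup for $name"; },
];
$handlerName = is_string($body['handler'] ?? null) ? $body['handler'] : '';
if (!isset($handlers[$handlerName])) {
    http_response_code(400);
    exit("unknown handler\n");
}

// Sink 2: extract($body) would let a JSON key such as "form_id" overwrite a local.
// Hardened: copy only the keys you expect, with the type you expect.
$name = is_string($body['name'] ?? null) ? $body['name'] : '';

// Sink 3: "INSERT ... VALUES ('$name')" built by string interpolation.
// Hardened: a prepared statement (SQLite in memory so the example runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE submissions (form_id INTEGER, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO submissions (form_id, name) VALUES (:form_id, :name)');
$stmt->execute([':form_id' => $form_id, ':name' => $name]);

// Sink 4: echoing $name into HTML as-is (XSS).
// Hardened: encode at output time, not at storage time.
$message = $handlers[$handlerName]($name);
echo '<p>', htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "</p>\n";
```

The design choice worth noting is that the data is stored unmodified and encoded only when it reaches a sink; "sanitizing" once at the top cannot cover SQL, HTML and function dispatch at the same time, because each sink needs a different treatment.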
Please, I am new to programming.
Please sir, I have been seeing this in many PHP files: .php?id=3
But I don't understand how it works or how to put it in my code.
This is called the query string; it's a way of passing parameters to your page.
You can access them in PHP using the $_GET superglobal like so:
var_dump( $_GET['id'] );
Tips for using query string variables:
Check it is set before trying to use it, with isset($_GET['id']), because you can't be sure it will be there.
This is "user input" and so you should not trust it implicitly. Whatever you do with user input you should use the appropriate security mechanism to sanitize it to prevent vulnerabilities.
If you generate a link with dynamic query string variables then be sure to use URL encoding (percent encoding), which can be done with urlencode().
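Here is an added example (not part of the original answer) that puts the three tips into practice for a page reached as something.php?id=3: the parameter is read through filter_input() so that a missing value and a non-numeric value are both handled, and the generated link encodes its dynamic parts. It assumes PHP 7 or later; the $search text is a constructed stand-in for user-supplied input.

```php
<?php
// Added example, not part of the original answer. It applies the three tips
// above to a page reached as something.php?id=3. Assumes PHP 7+.
declare(strict_types=1);

// Tips 1 and 2: read the parameter through filter_input() instead of $_GET directly.
// Result: null when ?id is absent, false when present but not a positive integer
// (e.g. "3abc", "", "1 OR 1=1"), otherwise an int.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);

if ($id === null) {
    http_response_code(400);
    exit("id is required\n");
}
if ($id === false) {
    http_response_code(400);
    exit("id must be a positive integer\n");
}

// $id is now a validated int and can be used as an array key, a prepared
// statement parameter, part of a file name, and so on.
$title = "Item #$id";

// Tip 3: when generating links, urlencode() every dynamic value so that
// characters such as '&', '=', ' ' and '#' cannot alter the query string.
$search   = 'a&b=c #1';   // constructed stand-in for user-supplied text
$nextLink = '/items.php?id=' . urlencode((string) ($id + 1)) . '&q=' . urlencode($search);

// Output: HTML-encode anything user-influenced so it is displayed, not interpreted.
echo '<h1>', htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "</h1>\n";
echo '<a href="', htmlspecialchars($nextLink, ENT_QUOTES, 'UTF-8'), '">next</a>', "\n";
```

Note that filter_input() reads the request data PHP collected at startup, so running this from the command line behaves as if ?id were absent; request it through a web server to exercise the other branches.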
What is the difference between
Input::get('value')
and this:
$_GET['value']
and when is better to use one of them?
The first line of code
input::get('value')
is some framework (perhaps Laravel 4.2) wrapper around PHP GET variables, like the second line of code
$_GET['value']
which is a PHP superglobal containing the same data, but in plain vanilla PHP.
So the difference is more or less syntactical, e.g. how you prefix and write the name and the parentheses:
Prefix   Name           Parentheses
-none-   "input::get"   ()
"$"      "_GET"         []
Next to the syntactical differences, the first one is a function call while the other one reads a variable.
A function call allows more interaction, e.g. the framework can inject code to provide extra functionality in the "read" operation (returning/getting a value), like allowing you to specify a default value if an input is not set, which plain vanilla PHP didn't support that well in the past (I think there will be an improvement on this in PHP 7 but I can't find the RFC right now).
It's not that PHP can't deal with default values for non-existent GET variable entries; it's just a little boilerplate:
$value = isset($_GET['value']) ? $_GET['value'] : null;
Input::get() is a function from Laravel:
$email = Input::get('email');
Note: The "get" method is used for all request types (GET, POST, PUT, and DELETE), not just GET requests.
Retrieve all input from the input array:
$array = Input::get();
Retrieve all input including the $_FILES array:
$input = Input::all();
And $_GET is a superglobal variable in PHP used to get parameters from the query string.
$_GET is a PHP built-in variable.
It is a global static variable and has several bad qualities, especially for testing. Laravel has introduced Input::get() instead so you can easily swap the implementation.
In Laravel there should be no reason to use $_GET; use Input::get() whenever possible.
So apparently, Input::get() is from Laravel just like what #hakre said.
$_GET['value'] will parse the URL if there is a value set in it.
For example, we have a URL http://www.example.com/index.php?myget=value
and we can use $_GET['myget'] to fetch its value like so:
echo $_GET['myget'];
// this will print "value"
For example, if I want to use the code:
$foo = $_POST['foo']. $_GET['foo'];
to get a value whether passed by POST or GET, is this acceptable or bad practice?
I don't see anything in your answer that needs to be unset, though you can use $_REQUEST['foo'], as that will consider $_POST as well as $_GET. But again, your code will be dirty: say, for example, I tweaked the method value for a login form; users can easily attack your website...
So be wise: use $_GET[] and $_POST[] instead of using the loose $_REQUEST[].
If, for any reason, you are using $_REQUEST then make sure you use conditions to check whether the request is GET or POST using $_SERVER['REQUEST_METHOD']:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//Do something
}
I would go with:
$foo = isset($_REQUEST['foo']) ? $_REQUEST['foo'] : null;
More at: http://php.net/manual/pt_BR/reserved.variables.request.php
To get the value whether passed by POST or GET, use this:
$foo = $_REQUEST['foo'];
If you configure your development server's PHP to show all warnings, you will find out.
Why are you using the . operator? If I am not wrong, this would concatenate the result. As suggested above, using $_REQUEST would be the better approach.
Yes, it's terrible. There are two problems:
It will raise a warning whenever one of the two keys is missing.
Concatenation is not suited for this use case: if both keys are present you get the two values joined together.
If you want to get a key from either $_POST, or $_GET, and you don't care which one the key is present in, you can use the $_REQUEST superglobal with the following idiom:
$var = isset($_REQUEST['foo']) ? $_REQUEST['foo'] : null;
$_REQUEST is the union of $_GET and $_POST.
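The script below is an added example, not code from any of the answers above. It reproduces the two problems with $_POST['foo'] . $_GET['foo'] on constructed input (both keys present, so the values are joined) and shows two hardened readers: one that picks the array matching $_SERVER['REQUEST_METHOD'], as the answer recommending that check suggests, and one that reproduces the $_REQUEST union with an explicit precedence rather than relying on the request_order ini setting. The $get and $post arrays are filled in by hand so it runs from the command line; in a web request PHP fills $_GET and $_POST. It assumes PHP 7 or later.

```php
<?php
// Added example, not code from the original answers. Shows the two problems
// named above (warning when a key is missing, joined value when both are
// present) and two hardened ways of reading a parameter. Assumes PHP 7+.
declare(strict_types=1);

/**
 * Read $key from the array that matches the request method.
 * A login form, for instance, should accept credentials only from a POST
 * body, never from a query string that ends up in logs and browser history.
 */
function request_param(string $method, array $get, array $post, string $key, ?string $default = null): ?string
{
    $source = ($method === 'POST') ? $post : $get;
    return (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : $default;
}

/**
 * Equivalent of the $_REQUEST idiom with an explicit precedence (POST wins),
 * instead of depending on the request_order ini setting.
 */
function any_param(array $get, array $post, string $key, ?string $default = null): ?string
{
    if (isset($post[$key]) && is_string($post[$key])) {
        return $post[$key];
    }
    if (isset($get[$key]) && is_string($get[$key])) {
        return $get[$key];
    }
    return $default;
}

// Constructed request: foo arrives in both the query string and the body.
$get  = ['foo' => 'from-query'];
$post = ['foo' => 'from-body'];

// The original line. With both keys present the two values are concatenated;
// with either one missing PHP additionally emits an "Undefined index" /
// "Undefined array key" warning.
$concatenated = $post['foo'] . $get['foo'];

var_dump($concatenated);
var_dump(request_param('POST', $get, $post, 'foo'));             // body value only
var_dump(request_param('GET',  $get, $post, 'foo'));             // query value only
var_dump(request_param('GET',  $get, $post, 'bar', 'default'));  // missing key, default used
var_dump(any_param($get, $post, 'foo'));                         // POST takes precedence
```

The is_string() checks matter because PHP builds nested arrays from names like foo[]=1, so a parameter you expect to be a string may arrive as an array; rejecting that up front avoids surprises further down.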
I have a page that does a redirect as such, following the guidelines from this SO post.
header("Location: http://www.fivefoo.com?uid=johnny");
die();
This small PHP file is located here, in index.php of course:
http://www.fivefoo.com/johnny
What I did was just add a query to the redirect:
?uid=johnny
First and main question: am I allowed to do this?
Secondly, where do I retrieve the query values? My guess would be the $_GET global.
Yes, you are allowed to do this (why shouldn't you be?).
Yes, you can get the query values from the $_GET superglobal array. More specifically, $_GET['uid'] will contain the text 'johnny' (without the quotes of course).
Yes, you can do this.
Yes, $_GET is used for this, so $_GET['uid'] in your example would return 'johnny'.
More info here
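The following is an added example, not code from the question or the answers. It shows the two halves of the redirect in one script: the redirecting page builds the Location header with http_build_query() so the uid is percent-encoded, and the receiving page reads $_GET['uid'] and validates it before use, since anyone can request ?uid=... directly without going through the redirect. The file names and the username rule ([A-Za-z0-9_], 1 to 32 characters) are assumptions for the example; it assumes PHP 7 or later.

```php
<?php
// Added example, not from the original answers. The redirecting page and the
// receiving page from the question are shown together; in practice they are two
// files. The file names and the username rule are assumptions.
declare(strict_types=1);

// Redirecting page (e.g. /johnny/index.php). http_build_query() percent-encodes
// the value, so a uid containing '&', '#' or a space cannot add extra
// parameters to, or truncate, the generated URL.
function redirect_with_uid(string $base, string $uid): void
{
    $location = $base . '?' . http_build_query(['uid' => $uid]);
    header('Location: ' . $location, true, 302);
    exit;   // make sure nothing after the redirect is executed
}

// Receiving page (e.g. /index.php). The value in $_GET['uid'] is untrusted
// input like any other: it comes from whoever requested the URL.
function read_uid(array $get): ?string
{
    if (!isset($get['uid']) || !is_string($get['uid'])) {
        return null;
    }
    // Assumed rule for this example: 1-32 characters from [A-Za-z0-9_].
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $get['uid']) === 1 ? $get['uid'] : null;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with constructed input.
    var_dump(http_build_query(['uid' => 'johnny']));
    var_dump(http_build_query(['uid' => 'john&admin=1']));   // the '&' and '=' get encoded
    var_dump(read_uid(['uid' => 'johnny']));
    var_dump(read_uid(['uid' => 'john&admin=1']));           // rejected by the rule
    var_dump(read_uid([]));                                  // missing parameter
} else {
    $uid = read_uid($_GET);
    if ($uid === null) {
        http_response_code(400);
        exit("missing or invalid uid\n");
    }
    echo 'Hello, ', htmlspecialchars($uid, ENT_QUOTES, 'UTF-8'), "\n";
}
```

The exit after header() reflects the die() in the question: without it, the rest of the script still runs and may emit output or perform actions for a request that the client never sees.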