If you set register_globals off, there are next to no security risks in haxOrs knowing your variable names, as they have no chance to pass them into your script.
Anyway, you should carefully check ALL the values from outside, and if you code your scripts properly, knowing variable names and passing some fake values shouldn't do any harm.
IMO, any value that is passed through the query string is meant to be set to any incredible value one can imagine, and nice handling of all unsuspected parameters is a rather nice & useful feature. One may experiment with the query string as much as he/she likes, and it's my work to take care of it.
Hiding isn't the way of security, checking is.
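
The approach described in the post above, as an added example that is not part of the original post: every query-string value is checked against an explicit rule, and a parameter named after an internal variable has no effect. The parameter names, the rules and the `clean_query()` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical rules for a listing page (names and limits are assumptions).
const RULES = [
    'page' => ['filter'  => FILTER_VALIDATE_INT,
               'options' => ['min_range' => 1, 'max_range' => 10000],
               'default' => 1],
    'sort' => ['allow' => ['date', 'title', 'author'], 'default' => 'date'],
];

/**
 * Returns validated values for the known parameters only. Anything missing,
 * malformed, out of range or not listed in RULES is replaced by the default
 * or dropped; nothing from the request is copied into the script blindly.
 */
function clean_query(array $query): array
{
    $clean = [];
    foreach (RULES as $name => $rule) {
        $raw   = $query[$name] ?? null;
        $value = null;
        if (is_string($raw)) {                  // rejects arrays such as ?page[]=1
            if (isset($rule['allow'])) {
                // Allowlist check with strict comparison.
                $value = in_array($raw, $rule['allow'], true) ? $raw : null;
            } else {
                $v     = filter_var($raw, $rule['filter'], ['options' => $rule['options']]);
                $value = ($v === false) ? null : $v;
            }
        }
        $clean[$name] = $value ?? $rule['default'];
    }
    return $clean;
}

// Constructed sample input, shaped like $_GET for the request
// ?page=-5&sort=title&is_admin=1&debug[]=x
$fake = ['page' => '-5', 'sort' => 'title', 'is_admin' => '1', 'debug' => ['x']];

// Internal state is set by the script's own logic, never by the request.
// With register_globals off, is_admin=1 in the query string creates no variable.
$is_admin = false;
$params   = clean_query($fake);

var_dump($params);     // validated parameters only
var_dump($is_admin);   // internal flag, untouched by the request
```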