How secure is $_GET?

dominant

Is it $_GET enviroment variable secure enough?

devinemke

there is nothing inheirently insecure about $_GET or any other variable that is infused into your code from the outside. you need to consider what type of data would potenially be coming in and write code that validates it properly.

for example: if you want a certain $_GET variable to be only one of a preset number of choices, put all the choices into an array and make sure the variable passed is in_array() before proceeding.

Erkilite

i am note sure what you mean by secure so i am not sure if this helps any.

get or post are not secure as the information is sent in plain text between the server and the browser.

if you use https that would encrypt the information and make it more difficult to see what is being passed.

get is designed for scripts which you want people to be able to bookmark the url with all the get variables.

i.e. being able to bookmark a search result.

if you don't need/want people to be able to bookmark the url then use post.

Chris_Evans

get is designed for scripts which you want people to be able to bookmark the url with all the get variables

I would have to disagree with this. GET is used for a variety of purposes other than that one use above. Look at how it is used on this site for instance. At present, my url looks like:

http://www.phpbuilder.com/board/newreply.php?s=&action=newreply&threadid=10273907

You wouldn't bookmark this, it's just so users don't have to click buttons, use forms etc, but see neat and tidy links.

Any, by default, any information that you want to submit securely should indeed be sent via an https connection (SSL). Also, it's advisable to use md5 encryption for variables such as passwords, and all these should definately be passed on via $_POST[] as although not particularly secure, it saves information such as passwords etc being seen in the url by people peeping over others shoulders. 😉

Anyhow, use $GET[''] for simple tasks such as telling the script what to do, in one of my scripts I have script.php?a=delete&id=1 for example. Use $POST[''] to submit user information, such as the field that I'm currently writing, ha, this "post" 🙂 into.

MD5 encryption example:

$password = md5($password);

Now let's assume you wanted to perform a check against the password thats encrypted into the database and the password the user has submitted:

// Write the sql code here

// Now continue...
$submittedpassword = md5($_POST['password']);
if($submittedpassword == $password) {
                 // Code here
} else {
                // Die statement e.g.
                die("Sorry, wrong password.");
}

Ok, that was a very rough version, it could be improved against SQL Injection etc.

dominant

Is still there any pontent of SQL injection, or can any one inject php commands such exec(), etc?

laserlight

SQL injection doesnt necessarily depend on how the data is passed to the server.
It depends on how the server handles the data with respect to the database.

For something like:
script.php?a=delete&id=1
you will, of course, still have to check the privileges of the user.

MD5 is not an encryption algorithm, but a message digest algorithm that produces a 128 bit hash.
PHP's [man]md5/man function produces this hash in a hexadecimal string format.

As Chris_Evans mentioned, the reason why simply relying on hashing the password isnt as secure as using SSL is that the password hash is still sent in the clear.

Incidentally, you might want to consider using SHA1 hashes instead of MD5 hashes since [man]sha1/man is available on PHP 4.3.x, and produces hashes of 160 bits.

Chris_Evans

Hi there,
laserlight made a good point. My mistake, md5() isn't encryption. I always think of them as the same as it makes it simpler for me to remember, perhaps I should get out of that habbit. 😉