Secureing variables

gabriel

Can someone please show me an example of how to secure GET and POST variables so that someone couldn't use form spoofing or mess around with the GET variables in the url?

bodzan

Think of it this way:
Anyone can submit almost any kind of data both through the POST or GET variables, all you can do is check whether the type of the variable is like you need it to be i.e. if you need a number check it with is_numeric() and if you want it not to have html stuff in it parse it through htmlentities() and such...

There is a way to do this in every situation depending on your need, but rergardless anyone can still mess the incoming variables if they choose to. All you can do is prevent usage of such variables....

Weedpacket

The basic idea is to be paranoid. Anything can be shoved at you, so the only thing you can do is decide what you want to allow in and refuse everything that doesn't qualify.

PHPmill

Script security is always a lot of work with user accessible scripts. With admin scripts, you can just key them to a certain IP address and have a simple password. That will block 'em.

MarkR

You can't stop users from making unauthorised modifications to post and get variables - that is essentially what they're there for.

The user has full control over the contents of GET, POST, cookies, the URL etc. Your application must not rely on these values not being tampered with.

So by all means use them to store a selection, preference etc, but be sure to validate it before use.

Mark

Weedpacket

Originally posted by PHPmill
Script security is always a lot of work with user accessible scripts. With admin scripts, you can just key them to a certain IP address and have a simple password. That will block 'em.

Unless the admin is a bandmember on tour.

PHPmill

good point