Re: newbie.. $_GET & $_POST

Pablo D Marotta wrote:
> Hi there..
> I need to pass variables to a page through an html link.
> I do it like this:
>
> <A href="Extra/excelListing3.php?buildQuery=<?php echo $buildQuery
> ?>">Export</A>
>
> where 'buildQuery' is the variable I'm passing.
>
> In the destination page, I capture it with $_GET and that's it.
>
> I want to know if there is any way of doing it without showing the
> variables in
> the direction bar.

You could convert that to a POST quite easily:
<FORM ACTION="Extra/excelListing3.php" METHOD="POST">
  <!-- escape the value so a quote in $buildQuery can't break out of the attribute -->
  <INPUT TYPE="HIDDEN" NAME="buildQuery" VALUE="<?php echo htmlspecialchars($buildQuery); ?>">
  <INPUT TYPE="SUBMIT" VALUE="Export">
</FORM>

NOTES:
This is only nominally "more secure" than the GET argument version.
Anybody with half a clue (okay a tenth of a clue) can use "View Source" in
their browser to see your query.

DEFINITELY follow Greg's advice and pass in *ONLY* the variables to your
query, and go even further and check what comes in to be sure it "looks
like" what you expect.  For example, if you expect an integer, type-cast
the value you get to an integer.  If it should be positive, check that it
*IS* positive.  If there are only a limited number of valid values for a
given input, make sure it fits.

Examples:
<?php
  //A MySQL record id: (positive integer)
  //Cast only the value, not the result of isset(): the cast binds tighter
  //than ?: so "(int) isset(...) ? a : b" would cast the boolean instead.
  $record_id = isset($_POST['record_id']) ? (int) $_POST['record_id'] : NULL;
  if (!$record_id || $record_id < 1){
    //Log the actual bogus input, so you can figure out what the
    //bad guy is trying to do.  Or what mistake you made sending the data.
    $invalid = @$_POST['record_id'];
    trigger_error("Invalid record ID: $invalid", E_USER_ERROR);
  }

  //A limited selection from radio/select/checkbox:
  $colors = array('red', 'blue', 'green');
  $color = isset($_POST['color']) ? $_POST['color'] : NULL;
  //Strict comparison (third argument), so 0 or TRUE can't loosely
  //match one of the string entries.
  if (!in_array($color, $colors, true)){
    trigger_error("Invalid color: $color", E_USER_ERROR);
  }
?>
For text chunks, use http://php.net/preg to filter out anything except
what's a kosher character in what you expect people to type.
Also use http://php.net/strlen to see if it's a reasonable length.

For uploaded files, use the file-system 'file' command to see if it "looks
right".  For images, a simple http://php.net/getimagesize will be easier
than that, and about as good, maybe even better.

You CANNOT trust the data coming into your site from a browser.

Sooner or later somebody will decide to mess with you.

Protect yourself.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
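A worked version of the text-filtering and upload checks described in the reply above, added here as an editor's example and not code from the original message. The function names, the sample strings and the tiny GIF written to a temp file are constructed for the demonstration; with a real $_FILES entry you would also call is_uploaded_file() on tmp_name before trusting it.

```php
<?php
// Added example (not from the original post): whitelist-style checks for
// free text and uploaded images. Names and sample inputs are the editor's own.

// Free text: keep only the characters you expect, and bound the length.
// Returns the cleaned string, or NULL if the input is missing, too long,
// or contains nothing acceptable.
function clean_comment($raw, $max_len = 500)
{
    if (!is_string($raw)) {        // foo[]=... arrives as an array, not text
        return NULL;
    }
    if (strlen($raw) > $max_len) { // reject before doing any work on it
        return NULL;
    }
    // Whitelist: letters, digits, whitespace and a little punctuation.
    // Everything else is stripped rather than "escaped".
    $clean = preg_replace('/[^A-Za-z0-9 .,!?\'\-\r\n]/', '', $raw);
    return ($clean === '') ? NULL : $clean;
}

// Uploaded image: check the upload status, the size, and that the bytes
// actually parse as one of the image types we allow. Returns a short
// status string so the caller can log the reason for a rejection.
function check_image_upload(array $file, $max_bytes = 2097152)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if ($file['size'] > $max_bytes) {
        return 'file too large';
    }
    $info = @getimagesize($file['tmp_name']);   // false if not an image
    if ($info === false) {
        return 'not an image';
    }
    $allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    if (!in_array($info[2], $allowed, true)) {  // $info[2] is the IMAGETYPE_* constant
        return 'image type not allowed';
    }
    return 'ok';
}

// Constructed sample inputs, standing in for $_POST values:
$samples = array(
    "Great song, thanks!",
    "<script>alert(1)</script> nice",
    str_repeat('a', 600),
);
foreach ($samples as $s) {
    $c = clean_comment($s);
    echo ($c === NULL ? "REJECTED" : "OK: $c"), "\n";
}

// A constructed 1x1 GIF written to a temp file so the check runs offline,
// standing in for $_FILES['photo'].
$tmp = tempnam(sys_get_temp_dir(), 'img');
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
file_put_contents($tmp, $gif);
echo check_image_upload(array('error' => UPLOAD_ERR_OK, 'size' => strlen($gif), 'tmp_name' => $tmp)), "\n";

// Same check against bytes that merely claim to be an image by file name.
file_put_contents($tmp, "not really an image");
echo check_image_upload(array('error' => UPLOAD_ERR_OK, 'size' => 19, 'tmp_name' => $tmp)), "\n";
unlink($tmp);
```

The point of clean_comment() is that it names what is allowed and drops everything else, instead of trying to enumerate the bad characters; check_image_upload() inspects the bytes rather than the client-supplied name or MIME type, which the browser controls.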

