Do I need to process data from GET requests somehow?
I'm currently learning PHP and doing a study project. And so I thought about whether it is necessary to somehow process the data that I receive from the user in the form of a GET request?
A banal example: if in a GET request the user enters other data instead of the numerical value "?id=", can this lead to an XSS attack? Do I need to check this data? And if so, how?
There is no need to process this data in advance.
What is necessary is simply to apply this data correctly at the place where it is used, and, depending on that use, in different ways.
do I need to somehow process the data that I receive from the user in the form of a GET request
trim(stripslashes(htmlspecialchars( $yourVarible )));
Whether you need to do something with the input data depends on what you do with it next.
Are you inserting it directly into a SQL query string while assembling it? (DO NOT do this!)
Are you showing it to the user in the body of the page? (Need to filter)
There are ready-made functions for validating and filtering input data:
filter_input()
For example:
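// Read the "q" GET parameter and strip tags plus the flagged characters.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
$query = filter_input(
    INPUT_GET,
    'q',
    FILTER_SANITIZE_STRING,
    FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_STRIP_BACKTICK
);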
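The point made across the answers above (validate what has a known shape, then treat the value according to where it is used), as an added example that is not part of the original thread. The sample values, the `articles` table and the helper names `parseId`, `findTitle` and `e` are hypothetical; `filter_var()` on constructed strings stands in for `filter_input(INPUT_GET, ...)` so the script runs from the command line, and the `pdo_sqlite` extension is assumed.

```php
<?php
declare(strict_types=1);

// Constructed sample values standing in for $_GET['id'] and $_GET['q'].
$samples = [
    ['id' => '42',                    'q' => '<script>alert(1)</script>'],
    ['id' => '42 OR 1=1',             'q' => 'php basics'],
    ['id' => '<img src=x onerror=1>', 'q' => "O'Reilly"],
];

// Hypothetical in-memory table so the example runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (id, title) VALUES (42, 'Tom & Jerry <3')");

/** Validate: an id is either a positive integer or it is rejected. */
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** SQL context: the value travels as a bound parameter, never inside the query text. */
function findTitle(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

/** HTML context: escape at the moment of output, whatever the value's origin. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $get) {
    $id = parseId($get['id']);
    if ($id === null) {
        echo '<p>Invalid id: ', e($get['id']), "</p>\n";
        continue;
    }
    $title = findTitle($pdo, $id) ?? 'not found';
    echo '<h1>', e($title), '</h1><p>Search: ', e($get['q']), "</p>\n";
}
```

The stored title is escaped on output as well as the request value, because data read back from the database is no more trustworthy in an HTML context than data read from the URL.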