PHP
Tema Ovchinnikov, 2017-05-02 03:29:48

Should I remove all characters from $_GET['submit']?

I am new to PHP. Tell me, do I need to process $_GET['submit']?
/index.php?search=yes&submit=Найти
The check for emptiness works, isset(); but when I remove all unnecessary characters, the check always returns yes, even if submit, but it removes unnecessary characters.

http://cmsreplay.ru/index.php?search=<h1>hi<%2Fh1>&submit='] ?> <?php echo 'hello'; ?>/*

<form action="index.php" method="get">
  <input type="search" name="search" placeholder="Поиск...">
  <br>
  <input type="submit" name="submit" value="Найти">
</form>
<?php
  if (isset($_GET['submit']))
  {
    $search = preg_replace("/[^a-z0-9]/i", "", $_GET['search']);
    echo $search;
    echo 'yes';
  }
  else
  {
    echo 'no';
  }
?>


1 answer(s)
Arman, 2017-05-02
@TemaTM

<?php
if (isset($_GET['submit']) && ($search = preg_replace("/[^a-z0-9]/i", "", $_GET['search']))) {
    echo $search;
    echo 'yes';
} else {
    echo 'no';
}
?>

In general, htmlspecialchars is sufficient for safe browser output.
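
An added example, not part of the question or the answer above: it treats `submit` as a presence flag only and shows the question's allowlist next to `htmlspecialchars` output encoding on the same input. The helper name `render_search` and the sample arrays are assumptions made for illustration; the first sample is the decoded query string from the URL in the question.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns the text to print for a
// given query-string array, so it can be exercised without a web server.
function render_search(array $get): string
{
    // 'submit' is used only as a presence flag. Its value is never echoed,
    // stored or executed, so stripping characters from it changes nothing.
    if (!isset($get['submit'])) {
        return 'no';
    }

    // A missing 'search' becomes ''; a non-string one is rejected
    // (?search[]=x arrives as an array and would break string functions).
    $raw = $get['search'] ?? '';
    if (!is_string($raw)) {
        return 'no';
    }

    // Option 1, the allowlist from the question: keeps only a-z, A-Z, 0-9.
    // Without the /u flag every byte of a Cyrillic query is dropped as well.
    $stripped = preg_replace('/[^a-z0-9]/i', '', $raw);

    // Option 2, the answer's suggestion: keep the text as typed and encode
    // it at the point where it is written into HTML.
    $encoded = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return "stripped: {$stripped}\nencoded:  {$encoded}\nyes";
}

// Constructed sample input; the first entry mirrors the URL in the question.
$samples = [
    ['search' => '<h1>hi</h1>', 'submit' => "'] ?> <?php echo 'hello'; ?>/*"],
    ['search' => 'Найти', 'submit' => 'Найти'],
    ['search' => 'x'],                    // no submit parameter
    ['search' => ['x'], 'submit' => ''],  // array instead of string
];

foreach ($samples as $get) {
    echo render_search($get), "\n---\n";
}
```

Run it with the PHP CLI; the markup in the first sample comes out as inert entity-encoded text, and the PHP fragment in `submit` never reaches the output because its value is not used.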
