Better Security $ _GET

Question

Better Security $ _GET

My PHP is very rusty. I have an md5 hash that is passed through get to script, and then I grab it like this:

$id = $_GET['id'];

Obviously, there is a security risk here ... I was thinking of checking the length of the string to make sure it is 32 characters long, but for me this does not seem very reliable. What else could I do to make it safer?

thank

+3

php

Mike rifgin Mar 11 '11 at 10:06

source share

7 answers

You can use preg_matchto see the presence of only alnum and 32 lengths.

+1

Akarun Mar 11 '11 at 10:09

source share

, . mysql , mysql_real_escape_string (php.net/mysql_real_escape_string). html- htmlentities (php.net/htmlentities) (php.net/filter)

+1

fabsn 11 . '11 10:11

PHP

0

akrisanov 11 . '11 10:11

- "" $_GET ['id'] var, , , , ...
() , sumbit check , , .
, , .

0

Poelinca Dorin 11 . '11 10:13

, >= PHP5.2. PHP5.3, , . filter .

/* prevent XSS. */
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

0

Alfred 11 . '11 10:30

ctype-alnum:

if (strlen($id) == 32 && ctype_alnum($id)) exit('pass');
else exit('no');

0

nepgan 11 . '11 12:18

mdm · Accepted Answer · 2011-03-11T10:09:38+0000

You can check with a regular expression to make sure that it consists only of alphanumeric characters.

eg. something like this (my PHP is also rusty):

if(preg_match("/^[A-Fa-f0-9]{32}$/", $id) > 0) {
    // All good
}

Better Security $ _GET

More articles: