Reputation: 766
I don't know much about PHP so forgive my ignorance. I am trying to have a parameter value entered in the Joomla admin area to append a string to my bootstrap container class to change the page from a fixed to a fluid layout.
I am retrieving the value like this...
$conType = $this->params->get('conType','');
and then simply setting it as follows...
class="container<?php echo "$conType"; ?>"
However, I was worried (knowing very little about PHP) if this was a security problem since any value could be set as $conType - is that a problem? If so, would this work instead...?
$conType = (int) $this->params->get('conType','0');
if($conType == "1")
{
$conType = "-fluid";
}
else
{
$conType = ' ';
}
And then just echo it again. Is that necessary? Is there a better way?
Upvotes: 2
Views: 131
Reputation: 1593
Yes, this would work and is secure.
If $conType can be any parameter, it is important to escape it against XSS by using htmlentities():
echo htmlentities($conType)
The way you did it is even better, although it costs more effort. ;-)
Just remember to use htmlentities in future if you need escaping of many parameters and not just one small customization. And as a piece of advice, please inform yourself about PHP and security before continuing to develop PHP applications (if you are planning to). As a web developer (especially as a PHP developer), you really should know about topics like "XSS", "SQL Injection" and "CSRF". :-)
[As an alternative to htmlentities, there is htmlspecialchars, which encodes fewer characters; see htmlentities() vs. htmlspecialchars() for a comparison]
Upvotes: 3
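The two approaches discussed above (mapping the parameter onto a fixed set of class suffixes, and escaping the raw value) side by side, as an added example that is not code from the original question or answer. The function names and the sample values are constructed for illustration; they stand in for the value returned by `$this->params->get('conType', '')`.

```php
<?php
// Added example, not from the original post: two ways to turn a Joomla
// template parameter into a class suffix that cannot break out of the
// class="" attribute.

// 1. Allowlist (the approach the question ends up with). The parameter only
//    selects from suffixes fixed in code, so whatever the admin field holds,
//    nothing but these strings can ever reach the page.
function containerClassAllowlist($param): string
{
    $layouts = ['0' => '', '1' => '-fluid'];   // the only suffixes we emit
    $key = (string) (int) $param;              // any unexpected value becomes '0'
    return 'container' . $layouts[$key];
}

// 2. Escaping (the answer's htmlspecialchars suggestion). The raw value is
//    kept, but quotes and angle brackets are encoded so they are rendered
//    as text instead of closing the attribute or opening a tag. ENT_QUOTES
//    covers single quotes too, which matters for single-quoted attributes.
function containerClassEscaped(string $param): string
{
    return 'container' . htmlspecialchars($param, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the two intended values, plus two that would
// break out of class="..." if echoed unescaped as in the question's first attempt.
$samples = ['1', '0', 'fluid" id="x', '<b>'];

foreach ($samples as $value) {
    printf(
        "input: %-16s allowlist: %-16s escaped: %s\n",
        var_export($value, true),
        containerClassAllowlist($value),
        containerClassEscaped($value)
    );
}
```

With the allowlist form the template line becomes `class="<?php echo containerClassAllowlist($this->params->get('conType', '0')); ?>"` and needs no further escaping, because the echoed string never comes from the parameter itself.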