Reputation: 1033
If you are not using a database with your application, but you 'echo' or otherwise use a $_POST or $_GET variable in your code, do you need to escape them?
Like:
if (isset($_GET['test'])) {
    echo $_GET['test']; // prints the raw parameter
}
or
function math() {
    if (isset($_GET['number'], $_GET['numberr'])) {
        return $_GET['number'] * $_GET['numberr']; // arithmetic on the raw parameters
    }
    return null;
}
Upvotes: 3
Views: 162
Reputation: 8659
Even if you use a database you need to escape or sanitize them before printing. Someone could sneak in stray HTML like <b> that will make your whole page bold, or <script>alert('hello');</script> that will run JavaScript.
echo htmlspecialchars($_GET['test']);
This will replace all your < with &lt; and > with &gt; so that the HTML will be treated as text rather than HTML and will not mess up your page.
Upvotes: 3
Reputation:
You should escape them. Also you should use regular expressions to limit the variable content, and to prevent "unintended" characters.
EDIT: Sorry to post this as an answer, I am currently not allowed to comment on questions.
Upvotes: 0
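Putting both answers together (escape on output, restrict on input), here is an added example that is not from the asker or either answer. The helper names e(), strParam(), intParam() and the array $get standing in for $_GET are this example's own; the regular expression and the 9-digit limit are choices made here, not something the answers specify.

```php
<?php
// Added example (not part of the original question or answers): output
// escaping plus input validation for the two snippets in the question.
declare(strict_types=1);

// Escape a string for inclusion in HTML text or attribute values.
// ENT_QUOTES also converts ' and " so the value is safe inside quoted
// attributes, ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string, and the charset is stated explicitly.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fetch a parameter as a string. A request like ?test[]=1 makes PHP deliver
// an array, which would make htmlspecialchars() throw a TypeError, so only
// real strings are returned.
function strParam(array $source, string $name): ?string
{
    return (isset($source[$name]) && is_string($source[$name]))
        ? $source[$name]
        : null;
}

// Validate an integer parameter before arithmetic. The regular expression
// limits the allowed characters (as the second answer suggests) and the
// length; FILTER_VALIDATE_INT then enforces that it is a well-formed int.
// Returns null for anything else, so callers never multiply arbitrary text.
function intParam(array $source, string $name): ?int
{
    $raw = strParam($source, $name);
    if ($raw === null || !preg_match('/^-?\d{1,9}$/', $raw)) {
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// The question's math() with validated inputs instead of raw $_GET values.
function math(array $source): ?int
{
    $a = intParam($source, 'number');
    $b = intParam($source, 'numberr');
    if ($a === null || $b === null) {
        return null;
    }
    return $a * $b;
}

// Constructed sample request standing in for $_GET.
$get = [
    'test'    => "<script>alert('hello');</script>",
    'number'  => '6',
    'numberr' => '7',
];

// Unsafe: the raw value would be parsed as markup by the browser.
// Safe: the escaped value is rendered as literal text.
$test = strParam($get, 'test');
if ($test !== null) {
    echo e($test), "\n";
}

var_dump(math($get));
var_dump(math(['number' => '6', 'numberr' => 'x']));
var_dump(math(['number' => ['6'], 'numberr' => '7']));
```

The point of the split into strParam()/intParam() is that escaping and validation solve different problems: htmlspecialchars() makes a string harmless in an HTML context but does nothing for arithmetic, while the integer check makes the multiplication well-defined but says nothing about how the number is later displayed. Escaping still belongs at the point of output, with the function chosen for that context (HTML body or attribute here; a JavaScript or URL context needs a different encoder).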