Reputation: 2965
I apologize as this question may be too broad.
I have a table on my site that displays all users in a database. For each row in the database I create a link in the table that allows the corresponding user to be removed. I do this using http_build_query. The $qs array contains the variables I am sending to the next script.
echo '<th><div class="right"><a onclick="return confirm(\'Are you sure you want to completely remove '.$name.' from your officer list?\')" href="./php/remove-officer.php?'.http_build_query($qs, null, '&', PHP_QUERY_RFC3986).'">Remove</a></div></th>';
Once the link is clicked it runs the removal script. The script gets the correct row to remove using GET.
$name = $_GET['name'];
$code = $_GET['code'];
$branch = $_GET['branch'];
$email = $_GET['email'];
I have recently seen on here that a GET method really shouldn't be used to alter a db. My understanding is that this is for security reasons.
The URL never really gets displayed, but if I go to my server's log you can obviously still see it:
::1 - - [09/Aug/2019:13:16:42 -0500] "GET /php/remove-user.php?user=bob%40builder.net&name=Robert%20Builder&branch=5&officer=n%2Fa&type=Limited&alert=0 HTTP/1.1" 302 -
At the end of the removal script, the user is immediately redirected back to the page displaying the users table.
So my questions are the following:
1.) Does this pose a risk for my db/site?
2.) What are some alternatives I could use to make this more secure? If possible I would still want to be able to use the Remove link.
I will include any requested additional info in Edits.
Upvotes: 3
Views: 360
Reputation: 943578
Does this pose a risk for my db/site?
There's nothing that appears to be a security risk there … but GET requests are supposed to be safe and people have been known to run precaching extensions (which would store the data from the URLs in the cache before visiting them … deleting everything as they went).
What are some alternatives I could use to make this more secure?
Using a form and a post request would do the job.
<form method="post" action="./php/remove-officer.php" onsubmit="your-js-here">
<input type="hidden" name="user" value="bob">
<!-- etc -->
<button> Remove</button>
</form>
Upvotes: 3
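The form-and-POST approach from the answer, carried through to the removal script, as an added example (not code from the question or the answer). It assumes an `officers` table with an integer primary key `id`, PHP 7.4 or later, and placeholder PDO credentials; the table name, column names, redirect target and credentials are assumptions to adjust.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes an `officers`
// table with an integer primary key `id`, PHP 7.4+, and placeholder PDO
// credentials. Two files are shown, separated by the comment banners.

// ---------- file: officers.php (the listing page) ----------
session_start();

// One CSRF token per session; remove-officer.php checks it below.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emit a POST form for one row. Only the row id travels to the server; the
// name is shown in the confirm() prompt but is not what the DELETE keys on.
// The name goes into a data- attribute (HTML-escaped) and is read by the
// JS at runtime, so it never has to be escaped for a JS string literal.
function remove_form(int $officerId, string $name): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="./php/remove-officer.php"'
        . ' data-name="' . $h($name) . '"'
        . ' onsubmit="return confirm(\'Are you sure you want to completely remove \''
        . ' + this.dataset.name + \' from your officer list?\')">'
        . '<input type="hidden" name="csrf_token" value="' . $h(csrf_token()) . '">'
        . '<input type="hidden" name="id" value="' . $officerId . '">'
        . '<button type="submit">Remove</button>'
        . '</form>';
}

// In the table loop, e.g.:
// echo '<th><div class="right">' . remove_form((int)$row['id'], $row['name']) . '</div></th>';

// ---------- file: php/remove-officer.php (the removal script) ----------
session_start();

// GET (and HEAD, prefetchers, link previews, crawlers) must not delete anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

// Reject cross-site POSTs: the submitted token must match this session's token.
$sent = $_POST['csrf_token'] ?? null;
if (!is_string($sent) || !isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $sent)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Validate the only input that matters as an integer before it touches SQL.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Placeholder DSN and credentials (assumption). Bound parameter, no string building.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('DELETE FROM officers WHERE id = :id');
$stmt->execute([':id' => $id]);

// 303 tells the browser to follow with GET, so reloading the listing page
// afterwards does not resubmit the delete.
header('Location: /officers.php', true, 303);
exit;
```

The "Remove" control stays a single click with the same confirm() prompt; it is just a submit button instead of a link. Because the row is identified by `id`, the email and name no longer appear in the request at all, so the access log shows only `POST /php/remove-officer.php`, and the method check alone stops the precaching and prefetching case from the answer. The CSRF token is what stops another site from submitting the same form on the user's behalf, which a bare POST does not.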