Reputation: 385
Is it unsafe to use query strings in the url?
Our PM has ordered us to implement security for a site we've been working on.
To display product details, I make use of query strings.
My URL looks like www.domain.com?index.php&product id=1&product-type-id=4
My colleague argued that this is unsafe, and that we should hide that information from the URL. They suggested that we use a session instead.
In my opinion, nothing is unsafe about the use of query strings as long as I do server side validation, pass the active user id to my query to make sure people can only access their products.
What vulnerabilities could a URL like this cause:
www.domain.com?index.php&product id=1&product-type-id=4
Upvotes: 1
Views: 1428
Answers (2)
Reputation: 21
The security problem isn't tied to the query string. The difference between get and post are just at the protocol level and either can be forged.
The security issue comes up when you don't properly validate variables and escape them as needed.
Never trust user input. Always validate it.
Upvotes: 2
Reputation: 2595
When deciding between $_POST and $_GET ask yourself this: Is there any reason the user shouldn't be able to see this? Using $_GET also allows the user to bookmark or share the url, so for a product page like this I would 100% recommend continue to use it in this way. $_GET is not inherently unsafe as long as you are sanitizing anything you receive from it. They both exist for a reason and have their uses.
Upvotes: 3
Related Questions
- Is $_SERVER['QUERY_STRING'] safe from XSS?
- PHP Security - GET Variables, URL safe?
- How to properly secure query strings that are being sent to server?
- How to improve security with text in a url parameter : .php?parameter=text
- PHP URL manipulation security issue
- Are URL variables safe
- Is this code vulnerable to hacker attack?
- php security should I hide query string in url
- How to secure query strings in php ?
- query string in php