Reputation: 43
Does coding this way pose any security risks?
$test = $_GET['test'];
if($test) {
$sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
$row ...
}
Upvotes: 1
Views: 5128
Reputation: 11
$test = $_GET['test'];
if($test) {
    $sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
    $row ...
}
If your $_GET is a number, such as an id, you can use
if(!is_numeric($test)) { echo "not numeric"; } else { /* your code */ }
If your $_GET is a string, you can use
function security($test) {
    $test = str_replace('"', '', $test);
    $test = str_replace('<', '', $test);
    $test = str_replace('>', '', $test);
    $test = str_replace('//', '', $test);
    $test = str_replace('\\', '', $test);
    $test = str_replace("''", '', $test);
    $test = str_replace('%', '', $test);
    $test = str_replace('^', '', $test);
    $test = str_replace('or', '', $test);
    $test = str_replace('&', '', $test);
    $test = str_replace('and', '', $test);
    return $test;
}
$test = security($test);
$sql = mysql_query("SELECT * FROM tbl WHERE col2 = 'ABC'");
$numrow = mysql_num_rows($sql);
if($numrow==0) { echo "error post"; }
else { /* your code */ }
Upvotes: 1
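An added example, not code from the answer above: a whitelist check placed beside a re-typed copy of the answer's blacklist function, run on constructed inputs. Stripping substrings such as "or" and "and" silently corrupts ordinary names (Morgan, Sandy), while filter_var and a pattern that describes the expected format reject what the application does not expect instead of rewriting it. The names blacklist_strip, validate_id and validate_name are assumptions for this example.

```php
<?php
// Added example (not from the thread): whitelist validation versus the
// blacklist-stripping approach proposed in the answer above.

// Re-typed copy of the answer's security() function, for comparison only.
function blacklist_strip(string $test): string
{
    foreach (['"', '<', '>', '//', '\\', "''", '%', '^', 'or', '&', 'and'] as $needle) {
        $test = str_replace($needle, '', $test);
    }
    return $test;
}

// Whitelist validation for a numeric id: accept only a positive integer.
// FILTER_VALIDATE_INT returns the integer or false; it rejects strings such
// as "1e3" and "1.0" that is_numeric() would accept.
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Whitelist validation for a name column: letters, spaces, hyphens and
// apostrophes, with a bounded length. Anything else is rejected, not edited.
function validate_name($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^[\p{L} \'-]{1,50}$/u', $raw)) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs.
foreach (['Morgan', 'Sandy', "O'Brien"] as $name) {
    printf("%-8s blacklist => %-8s whitelist => %s\n",
        $name, blacklist_strip($name), validate_name($name) ?? 'rejected');
}
foreach (['42', '1e3', '1.0', '0', 'abc'] as $raw) {
    printf("%-5s is_numeric => %-5s validate_id => %s\n",
        var_export($raw, true),
        is_numeric($raw) ? 'true' : 'false',
        var_export(validate_id($raw), true));
}
```

The point of the comparison is that a blacklist changes the data and still gives no guarantee about what reaches the query, whereas validation either returns the value in the expected form or rejects it, and the query itself is protected separately by binding parameters rather than by editing input.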
Reputation: 852
$_GET[""] is already escaped, depending on your version, if you need to use it in a mysql query; read [5.3 deprecated] http://www.php.net/manual/en/function.set-magic-quotes-runtime.php to find out more about how quotes are escaped.
Also, depending on your error_reporting function, you might want to do a
if(
isset($_GET['test']) &&
$_GET['test']!=''
){
$test=$_GET['test'];
#...
}
Upvotes: 0
Reputation: 2667
Only if the $_GET variable you're testing for gives the user some sort of secret information from the database. But as the others have said, this way you're not open to SQL injection.
But without more information it's a bit hard to comment on the security of the script, as security encompasses a large field and we are only able to comment on the code you gave us.
Upvotes: 0
Reputation: 86476
No, the code above does not have any security hole, since you are not using the GET variable in any mysql query.
Look here for other security concerns
Upvotes: 4
Reputation: 1978
As long as you don't really mind if $test is true or false (and therefore if the code runs or not), then no, there's no security risk to just testing the value.
Upvotes: 0
Reputation: 3772
Not necessarily. But you provide too little to be sure. In general there are problems when you insert data from $_GET or $_POST into your SQL (SQL injection). This gives errors when people start putting SQL code in the $_GET or $_POST; this is not the case right now.
For further reading, there are a few lengthy volumes to get you up to speed on XSS and security:
Upvotes: 0
Reputation: 6953
No, you're only using $_GET to evaluate if the variable is true or false.
If you were to use it, unescaped, in your query, or even just echo it for the user, it would.
Upvotes: 0
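An added example, not from any answer in the thread, covering the three cases the answers distinguish: the parameter only gating whether a fixed query runs (the question's code), the parameter becoming part of the query, and the parameter being echoed back in HTML. It uses PDO with an in-memory SQLite table holding constructed rows so that it runs without a MySQL server; the mysql_* functions used in the question were removed in PHP 7.0, and PDO prepared statements are the replacement. The function names build_db, gated_query, lookup and render, and the sample request data, are assumptions for this example.

```php
<?php
// Added example, not from the thread: the question's pattern and the two
// cases the answers warn about, with PDO and an in-memory SQLite table
// (constructed sample data) so it runs offline.

function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE tbl (id INTEGER PRIMARY KEY, col2 TEXT)");
    // Literal rows written by the developer, not user input; the doubled
    // quote in O''Brien is the SQL way to write an apostrophe in a literal.
    $db->exec("INSERT INTO tbl (col2) VALUES ('ABC'), ('O''Brien')");
    return $db;
}

// Case 1 (the question): the parameter only decides whether the query runs.
// Its value never reaches the SQL text, so there is nothing to inject into.
// isset() avoids the notice the second answer mentions when the key is absent.
function gated_query(PDO $db, array $get): array
{
    if (!isset($get['test']) || $get['test'] === '') {
        return [];
    }
    return $db->query("SELECT * FROM tbl WHERE col2 = 'ABC'")->fetchAll(PDO::FETCH_ASSOC);
}

// Case 2: the parameter has to be part of the query. Bind it as a parameter;
// the driver sends the value separately from the SQL, so a quote in the
// value is data, not syntax. Never concatenate it into the string.
function lookup(PDO $db, string $needle): array
{
    $stmt = $db->prepare("SELECT * FROM tbl WHERE col2 = :col2");
    $stmt->execute([':col2' => $needle]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Case 3: the parameter is reflected into HTML (the XSS case in the last
// answer). Escape at output time, for the HTML context it lands in.
function render(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = build_db();
$fakeGet = ['test' => "O'Brien"];   // constructed request data standing in for $_GET

print_r(gated_query($db, $fakeGet));     // the fixed query's row, regardless of the value
print_r(lookup($db, $fakeGet['test']));  // the O'Brien row; the apostrophe is handled by binding
echo render($fakeGet['test']), "\n";     // the apostrophe is escaped in the HTML output
```

The same input is used in all three cases to make the contrast visible: in the gated query it is never used as data at all, in the parameterized lookup it is matched exactly as typed, and in the rendered output it is encoded so the browser treats it as text.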