Hi, in this post I am sharing with you how you can save your website or your project from vulnerabilities caused through POST and GET variables. To follow the details, you should first know what GET and POST are.
The built-in $_GET array is used to collect values from a form sent with method="get".
Information sent from a form with the GET method is visible to everyone (it is displayed in the browser's address bar) and has limits on the amount of information that can be sent (max. 100 characters).
You can read more details about $_GET here.
The built-in $_POST array is used to collect values from a form sent with method="post".
Information sent from a form with the POST method is not displayed in the browser's address bar and has no limits on the amount of information that can be sent.
Note: However, there is an 8 MB maximum size for the POST method by default (it can be changed by setting post_max_size in the php.ini file).
You can read more about $_POST here.
Whenever a person with bad intentions sends data using GET or POST, there is a chance that he intends to perform SQL injection, to corrupt your database, or simply to spam you.
To avoid these situations I have written a function around $_POST that cleans the data before it is inserted into the database.
```php
<?php
function clean_post(string $key): string {
    $x = $_POST[$key] ?? '';          // read the field by name (the original used $_POST[$x])
    $x = str_replace("'", "'", $x);   // the replacement string for the single quote was lost to smart quotes in the post; ENT_QUOTES below encodes the quote anyway
    $x = str_replace("<", "", $x);    // drop angle brackets so no tags survive
    $x = str_replace(">", "", $x);
    return htmlentities($x, ENT_QUOTES); // ENT_QUOTES – converts both double and single quotes
}
```
Alternatively, you can also use the function htmlspecialchars().
The htmlspecialchars() function converts some predefined characters to HTML entities.
The predefined characters are:
- & (ampersand) becomes &amp;
- " (double quote) becomes &quot;
- ' (single quote) becomes &#039; (only when ENT_QUOTES is set)
- < (less than) becomes &lt;
- > (greater than) becomes &gt;
You can read more about htmlspecialchars() here.
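To see the cleaning function and the entity encoding together, here is an added example (not code from the original post) that runs the post's steps on a constructed request array, stores the result with a parameterised query, and prints it back. The table name, field name and the in-memory SQLite database are assumptions made for the example; HTML-entity encoding protects the page output, while the prepared statement is what keeps quotes in the data from altering the SQL.

```php
<?php
// Added example, not from the original post. Mirrors the post's cleaning
// steps, then shows where each protection applies.

function clean_input(array $source, string $key): string {
    $x = $source[$key] ?? '';
    $x = str_replace(['<', '>'], '', $x);          // strip angle brackets, as in the post
    return htmlentities($x, ENT_QUOTES, 'UTF-8');  // encode &, ", ' and anything else HTML-significant
}

// Constructed request data standing in for a real $_POST (assumption: a "comment" field).
$request = [
    'comment' => "Nice post! <b>bold</b> it's 'quoted' & \"great\"",
];
$comment = clean_input($request, 'comment');

// Entity encoding does not make a string safe to splice into SQL text.
// Bind it as a parameter so quotes inside the data stay data.
$db = new PDO('sqlite::memory:');  // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $comment]);

// A second value whose quote would end a concatenated string literal is harmless when bound.
$insert->execute([':body' => clean_input(['comment' => "O'Brien said \"hi\""], 'comment')]);

$rows = $db->query('SELECT id, body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    // The stored value was encoded once already; encoding it again with
    // htmlspecialchars() would display &amp;quot; literally (double encoding),
    // so encode either before storing or on output, not both.
    echo $row['id'], ': ', $row['body'], "\n";
}
```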
Keep reading my posts and don't forget to share them with your friends.