How to secure $_GET or $_POST from vulnerabilities in PHP

Hi, in this post I am sharing with you how you can protect your website or project from vulnerabilities that can be caused through POST and GET variables. To follow it in detail you should first know what GET and POST are.

$_GET

The built-in $_GET function is used to collect values from a form sent with method="get".

Information sent from a form with the GET method is visible to everyone (it will be displayed in the browser’s address bar) and has limits on the amount of information to send (max. 100 characters).

You can read more details about $_GET here

$_POST

The built-in $_POST function is used to collect values from a form sent with method="post".

Information sent from a form with the POST method is invisible to others and has no limits on the amount of information to send.

Note: However, by default there is an 8 Mb maximum size for the POST method (it can be changed by setting post_max_size in the php.ini file).

You can read more about $_POST here

Explanation

Whenever a person with bad intentions sends data using GET or POST, there is a chance they intend to perform SQL injection, corrupt your database, or simply do random spamming.

To avoid these situations I have made a function around $_POST which cleans up the data before it is inserted into the database.

function.php

{code type=codetype}
function Postvalue($x)
{
    // Read the field; fall back to an empty string when it was not submitted
    $x = isset($_POST[$x]) ? $_POST[$x] : '';
    $x = str_replace("'", "'", $x); // single-quote replacement as printed on the page; the replacement argument was mangled by the blog's quote conversion
    $x = str_replace("<", "", $x);  // strips every < character
    $x = str_replace(">", "", $x);  // strips every > character
    $x = htmlentities($x, ENT_QUOTES); // ENT_QUOTES - converts both double and single quotes to entities
    return $x;
}
{/code}

Alternatively, you can also use the function htmlspecialchars().

htmlspecialchars()

The htmlspecialchars() function converts some predefined characters to HTML entities.

The predefined characters are:

  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039;
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

Syntax

{code type=codetype}
htmlspecialchars(string, quotestyle);
{/code}

You can read more about htmlspecialchars() here
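The comments below point out that entity encoding and database safety are two different problems. The following is an added example, not the author's code: it validates a $_POST field once, stores it with a parameterized query, and applies htmlspecialchars() only when rendering HTML. It assumes the pdo_sqlite extension; the in-memory database and the sample POST values are constructed for the demo.

```php
<?php
// Added example: validate input once, then encode per output context.
// SQL gets a prepared statement, HTML output gets htmlspecialchars().
declare(strict_types=1);

// Read a POST field; null when missing, not a string, or too long.
function postString(string $name, int $maxLen = 255): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    $value = trim($_POST[$name]);
    return strlen($value) <= $maxLen ? $value : null;
}

// Bound parameters are sent as data, so quotes or SQL keywords in
// the value cannot change the structure of the statement.
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Encode only at the point where text is placed into HTML; the stored
// text stays as the user typed it.
function renderComment(string $author, string $body): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<p><b>' . $h($author) . '</b>: ' . $h($body) . '</p>';
}

// Constructed request data standing in for a real form submission.
$_POST = ['author' => "O'Brien", 'body' => '<script>alert(1)</script>'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$author = postString('author', 80);
$body   = postString('body', 2000);
if ($author === null || $body === null) {
    http_response_code(400);
    exit('invalid input');
}
$id   = storeComment($db, $author, $body);
$stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo renderComment($row['author'], $row['body']), PHP_EOL;
```

Run it from the command line with the CLI php binary; the script prints the comment with the quote and the script tags rendered as entities while the database row keeps the raw text.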

Keep reading my posts and don't forget to share them with your friends.

8 Comments

  • Nice buddy keep it up 🙂

  • great post buddy keep it up

  • don’t become anything because you’re replacing it with an empty string before applying htmlentities().

    If ENT_QUOTES converts single quotes, then why bother using str_replace() in the first place?

  • OMG what is this crap!? You recommend a custom htmlentities function for what, safely inserting stuff into the database?! That's what escaping and parameterized SQL are for.
    Tutorials like these are the reason so many insecure PHP applications exist.

    And where did you get the 100 character limit for GET from?

    • Hi mario,
      Thanks for the comment. It's a basic tutorial for noobs; smart guys know how to handle such issues properly.
      And for the case of the character limit in $_GET you can get the details on w3schools.com. Here is the link:
      http://www.w3schools.com/PHP/php_get.asp

  • mario:

    Tutorials like these are the reason so many insecure PHP applications exist.

    Casually landed on this post, I think mario is right: generally speaking, security is a complex thing, and simplifying it by saying "replace some HTML entities and you are protected" is dangerous (especially after mentioning SQL injection!! and especially for noobs!!).

  • Hi,
    I just came by this article and was trying to apply this code, but I saw the comments that the article has got. Ok, so just replacing the HTML entities is not good according to many people over here, so what is the correct way to do these things? Could anyone specify that, so that we get to learn something really meaningful? I would request the readers to please also provide a solution if there is anything wrong with the article, so that newbies like us can learn it and apply it to get some good knowledge from professionals.

    Regards