get - PHP safe $_GET or not

Question

Welcome To Ask or Share your Answers For Others

get - PHP safe $_GET or not

asked Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

get - PHP safe $_GET or not

We have url:

http://site.com/index.php?action=show

$_GET['action'] is used in templates to check value of ?action=:

switch ($_GET['action']) {
    case = "show" {
        $match_show = true;
    }
}

and in other place:

echo $_GET['action'];

Is it absolutely safe to use this constructions?

How to make them safe?

Thanks.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-10-23T20:00:55+0000

The switch thing is okay, because you are comparing against a hard-coded value (however, it's case "show": btw).

As @Bruce mentions in the comments, you should add a default: case as well to catch values that are not on the list, or empty values:

switch ($_GET['action']) {

    case "show":
        $match_show = true;
        break;

    default: 
        // value is not on the list. React accordingly.
        echo "Unknown value for 'action'". 

}

The second thing is potentially dangerous, as it would be possible to inject HTML and more importantly, JavaScript into the document body. You should apply a htmlspecialchars() on the variable before echoing it.

Categories

get - PHP safe $_GET or not

get - PHP safe $_GET or not

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags