I just wanted to ask a quick question about $_GET parameters in PHP and their security. Although my GET parameter is not visibly shown, it is in my URL. I just wondered, are there any extra steps I can take to make it even more secure?

I have a $_GET variable named page that determines what page they're on, and it's got a rewrite rule to check for the first word after the slash.

I know before you should use mysql_real_escape_string, but that is now deprecated and will be removed in the future?? An updated way...

Example: http://example.com/pagehere

Would be passed as... http://example.com/index.php?page=pagehere

    location / {
        rewrite ^/(|/)$ /index.php?page=$1;
        rewrite ^/([a-zA-Z0-9_-]+)(|/)$ /index.php?page=$1;
        rewrite ^/(.*)\.htm$ /$1.php;
    }

2 Answers

Just keep in mind that any incoming data from the user end is never safe, so always take the necessary steps to ensure it won't cause any problems in your system. As far as DB queries are concerned, ALWAYS use the PHP PDO class to do your DB-related tasks; using prepared statements will nullify any SQL injection attacks. Read more about prepared statements here - http://php.net/manual/en/pdo.prepared-statements.php

Using GET variables is not an issue if you handle them properly; when you read the data from $_GET you can use htmlspecialchars() to clean the data of any malicious code. Some useful information here - https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

More information on how to use PDO to prevent SQL injection - How can I prevent SQL injection in PHP?

Vishnu Nair
What is the parameter going to be used for? You should use filter input functions. If it's going to be used to query a database, also use prepared statements. See http://php.net/manual/en/function.filter-input.php and http://php.net/manual/en/pdo.prepared-statements.php. Basically you need to sanitize the query string, otherwise you leave the door open for possible exploits (server side inclusion attacks, SQL injection, etc.).

William Burnham
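Putting both answers together for the rewrite in the question: the page name is validated with the same character class the nginx rule allows, resolved through an allowlist before any include, bound as a PDO parameter for the database case, and escaped only at output. This is an added example, not code from the question or either answer; the PAGES map, the pages/ directory, the pages table and its slug column are assumptions.

```php
<?php
// Added example: safe handling of the "page" parameter produced by the
// nginx rewrite. Assumed layout: pages/<name>.php and a "pages" table
// with a "slug" column; adjust to your own project.
declare(strict_types=1);

// Allowlist: the only pages that may ever be included. The raw parameter
// is used as a lookup key, never as part of a path, so a value such as
// "../config" can never reach include/require.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the allowlisted page name, or null when the input is missing,
// malformed (wrong type, bad characters, too long) or not in the map.
// filter_input(INPUT_GET, 'page', ...) with the same options is the
// equivalent when reading straight from the request.
function resolvePage($raw): ?string
{
    $page = filter_var($raw ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-zA-Z0-9_-]{1,64}$/']]);
    if ($page === false || !array_key_exists($page, PAGES)) {
        return null;
    }
    return $page;
}

// Database use of the same value: bound as a parameter, never
// concatenated into the SQL string.
function loadPageRow(PDO $pdo, string $page): ?array
{
    $stmt = $pdo->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $page]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Empty capture from "rewrite ^/(|/)$" falls through to the home page;
// anything unknown is a 404 instead of a guessable include path.
$page = resolvePage($_GET['page'] ?? null) ?? 'home';
if (($_GET['page'] ?? '') !== '' && !isset(PAGES[$_GET['page']])) {
    http_response_code(404);
    exit('Not found');
}
// Escape at output time, not when storing or validating.
echo '<h1>' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8') . '</h1>';
require PAGES[$page];
```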