Tips for Protecting Querystring Keys & Values in PHP
The easiest way to pass information to a page is by placing information in the URL. This, of course, is referred to as the querystring and the information in the querystring can be accessed by using $_GET['varname']. Simple, yes. Insecure, possibly. Here are some guidelines for managing querystring information.
Typecast Value when Expecting Numbers
When you're expecting an integer in the querystring, typecast the value before using it. Whatever string arrives in the URL then becomes a plain integer before it reaches your database query or file lookup, so it can no longer cause problems there.
$id = (int) $_GET['i'];
Build a basic function for each type of variable you are passing that you can use throughout your website. That ensures consistency and security.
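One way to build that set of per-type helpers, as an added example that is not code from the original post: each function reads $_GET through the same checks, so pages never touch the raw value directly. The function names (get_int, get_enum, get_text) and the querystring keys used in the sample request are assumptions for this example. It also goes slightly beyond the (int) cast above by rejecting values such as "42abc" outright instead of silently truncating them, and by covering two other common value types.

```php
<?php
// Added example (not from the original post): typed accessors for querystring
// values. Function names and the sample keys below are illustrative assumptions.

declare(strict_types=1);

/**
 * Read an integer querystring value, or return $default if it is missing,
 * non-numeric, or outside [$min, $max]. FILTER_VALIDATE_INT rejects strings
 * such as "42abc" that a plain (int) cast would silently truncate to 42.
 */
function get_int(string $key, ?int $default = null, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    if (!isset($_GET[$key]) || is_array($_GET[$key])) {
        return $default;
    }
    $value = filter_var($_GET[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

/**
 * Read a string querystring value that must be one of a fixed list of allowed
 * values (a sort column, a tab name), otherwise return $default.
 */
function get_enum(string $key, array $allowed, ?string $default = null): ?string
{
    if (!isset($_GET[$key]) || is_array($_GET[$key])) {
        return $default;
    }
    $value = (string) $_GET[$key];
    return in_array($value, $allowed, true) ? $value : $default;
}

/**
 * Read a short free-form string (a search term, for example), length-limited
 * and with control characters removed. It still has to be escaped for the
 * context it is output in (HTML, SQL, shell).
 */
function get_text(string $key, int $maxLen = 100, string $default = ''): string
{
    if (!isset($_GET[$key]) || is_array($_GET[$key])) {
        return $default;
    }
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $_GET[$key]);
    return mb_substr($value, 0, $maxLen);
}

// Constructed sample request, so the example runs from the command line.
$_GET = ['i' => '42abc', 'page' => '3', 'sort' => 'rating', 'q' => "shoes\x00"];

$id   = get_int('i');                                        // not a valid integer
$page = get_int('page', 1, 1, 500);                          // integer within range
$sort = get_enum('sort', ['name', 'price', 'date'], 'name'); // not in the allowed list
$q    = get_text('q', 50);                                   // control character stripped

if ($id === null) {
    http_response_code(400);
    echo "Invalid id\n";
} else {
    echo "id={$id}\n";
}
echo "page={$page} sort={$sort} q=", htmlspecialchars($q, ENT_QUOTES, 'UTF-8'), "\n";
```

Returning null (or a safe default) rather than 0 on a bad value lets the page distinguish "no record" from "garbage in the URL" and respond with a 400 instead of quietly querying for id 0.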
Make Sure REGISTER_GLOBALS is Off
Stating the obvious of course, but having register_globals on is a major problem: every querystring key is silently turned into a PHP variable of the same name, so a visitor can set variables your script never initialised. Make sure it's turned off (it has been removed from PHP entirely since 5.4).
Don't Make Variable Names Meaningful
Let's just say that having a $_GET variable with the name 'user_id' isn't a good thing. Change it to 'u' or something different. Keep in mind that this only hides what the value means; it is no substitute for validating the value and checking that the current user is allowed to see the record it points to.
<!-- no! -->
<a href="/profile.php?user_id=<?php echo $user_id; ?>">Your Profile</a>

<!-- yes! -->
<a href="/profile.php?q=<?php echo $user_id; ?>">Your Profile</a>
Encrypt Querystring Values
If you need to pass sensitive information from page to page, use at least a basic encryption algorithm or an md5. Note that md5 is a one-way hash, not encryption: the receiving page can only compare it against values it already knows, never recover the original, so it only fits cases where a lookup is enough.
<a href="/profile.php?i=<?php echo dw_encrypt($user_id); ?>">Click here</a>
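The post does not show what dw_encrypt() does, so here is an added example of the same idea (not the author's function): a querystring value encrypted and authenticated with libsodium (sodium_crypto_secretbox, built into PHP since 7.2), base64url-encoded so it needs no escaping in the URL, and decrypted on the receiving page with tampered tokens rejected. The function names, the 'i' parameter, the sample user id and the key handling are assumptions for this example.

```php
<?php
// Added example (not the original post's dw_encrypt()): authenticated
// encryption of a querystring value with libsodium. Function names, the 'i'
// parameter and the key source are assumptions for this example.

declare(strict_types=1);

// In real code load this 32-byte key from configuration outside the web root
// (an environment variable, for instance). It is generated here only so the
// example runs stand-alone; a fresh key per run would invalidate old links.
$key = sodium_crypto_secretbox_keygen();

/** Encode bytes for safe use in a URL (no '+', '/' or '=' to escape). */
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $s): ?string
{
    $raw = base64_decode(strtr($s, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

/** Encrypt a value for the querystring as nonce || secretbox(value). */
function qs_encrypt(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return b64url_encode($nonce . $box);
}

/**
 * Decrypt a querystring value. Returns null for anything not produced by
 * qs_encrypt() with the same key: truncated, modified or forged tokens all
 * fail the authentication tag check inside secretbox_open().
 */
function qs_decrypt(string $token, string $key): ?string
{
    $raw = b64url_decode($token);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === null || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// --- The page that builds the link ---
$user_id = 1234; // constructed sample value
$token   = qs_encrypt((string) $user_id, $key);
echo '<a href="/profile.php?i=', htmlspecialchars($token, ENT_QUOTES, 'UTF-8'), '">Your Profile</a>', "\n";

// --- profile.php: constructed requests, one genuine token and one altered ---
foreach ([$token, substr($token, 0, -3) . 'xyz'] as $incoming) {
    $_GET  = ['i' => $incoming];
    $plain = (isset($_GET['i']) && is_string($_GET['i'])) ? qs_decrypt($_GET['i'], $key) : null;
    // The decrypted value is still untrusted input: typecast it as usual.
    $id = $plain === null ? false : filter_var($plain, FILTER_VALIDATE_INT);
    if ($id === false) {
        echo "rejected token\n"; // answer with a 400 or 404 in a real page
    } else {
        echo "decrypted user id: {$id}\n";
    }
}
```

Two points worth keeping in mind with this approach: the random nonce means the same id produces a different token on every request, so tokens cannot be compared or enumerated from the outside; and an encrypted value is still a bearer value, so whoever holds the link can use it. The receiving page therefore still has to check that the logged-in user is allowed to view the record the token decrypts to.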