
PHP Variable Verification

Making My Site More Secure

6:05 pm on Jun 24, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 25, 2003
votes: 0

Hi everyone.

It has been a while since I have been on these forums, it feels good to be back :)

Currently I am working for a company and I have their site up and running. I do have a major security issue though that I need to resolve immediately.

The problem I am having is I have no verification of variables sent from page to page. For example, if someone clicks on a link which leads to a product category, the address bar reads details.php?catid=5. Now if they were to go and change the address bar to details.php?catid=5;drop database DBNAME; then that would pose a big security risk for me.

I don't know much on this subject so I need some help on how I could make sure this security risk can be resolved. Another thing which I might as well ask is... I hear having less PHP code in the address bar and more of a description of what you are offering is good for search engines. Basically, instead of having products.php?product_id=5, having products/networking/linksysrouter/ is best for SEO.

I plan on changing my site to scrap the PHP code, but what I'm wondering is if it would be best to just do it now, while I am doing the changes for the variable verification.

Thanks everyone for your help on this matter :)


3:45 am on June 25, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:June 3, 2004
votes: 0

You should work with Globals=off in your php config file.
Then no user (hacker) variables are passed directly to your script.

You must ask for each one you want with ($action=$HTTP_GET_VARS["action"];)

1:43 pm on June 25, 2004 (gmt 0)

Full Member

10+ Year Member

joined:May 29, 2003
votes: 0

Turning globals off wouldn't help in this instance. You need to check that the value of the parameter passed is indeed what you expect. In this case you are expecting a number so you can do

// is_int() is always false on $_GET values (they arrive as strings), so test the digits
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
} else {
    $id = 1;
}

which would default all random stuff to id 1. If you want to be slightly fuzzier you could do something like

$id = (int) ($_GET['id'] ?? 0);   // the cast keeps the leading digits only
if (empty($id)) { $id = 1; }

which has the same effect but will also convert "5; drop table blah" into 5.

Hope that helps.
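
The two checks from the reply above, written out as an added example that is not code from the thread or from the original poster's site. It runs both the strict and the lenient check over a few constructed query strings (including the catid=5;drop database DBNAME; case from the first post) and then shows the validated integer reaching the database as a bound parameter. The function names, the products(id, name, catid) table and the DSN are assumptions for illustration.

```php
<?php
// Added example (not code from the thread): both checks from the reply above,
// run over sample query strings, followed by the query that should consume the
// result. The table name, column names and DSN below are assumed.
declare(strict_types=1);

/**
 * Strict: accept only a positive decimal integer and return it as int.
 * is_int($_GET['id']) cannot do this, because request values always arrive
 * as strings; FILTER_VALIDATE_INT does the parsing and the range check.
 * Anything else ("5;drop database DBNAME;", "abc", "", missing) -> $default.
 */
function strictId(array $params, string $key, int $default = 1): int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return $default;
    }
    $value = filter_var($params[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $value === false ? $default : $value;
}

/**
 * Lenient: the integer cast keeps leading digits and silently drops the
 * rest, so "5;drop database DBNAME;" becomes 5, while "abc" or "" become 0
 * and fall back to $default. Fine for a lookup key, but it hides bad input.
 */
function lenientId(array $params, string $key, int $default = 1): int
{
    $raw = $params[$key] ?? '';
    $value = is_string($raw) ? (int) $raw : 0;
    return $value > 0 ? $value : $default;
}

/**
 * Even a validated integer goes to the database as a bound parameter rather
 * than by string concatenation. Assumed schema: products(id, name, catid).
 */
function productsInCategory(PDO $db, int $catid): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE catid = :catid');
    $stmt->bindValue(':catid', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample query strings, including the one from the original post.
$samples = [
    'catid=5',
    'catid=5;drop database DBNAME;',
    'catid=abc',
    'catid=',
    'catid=007',   // leading zero: rejected by the strict check, 7 after the cast
    '',            // parameter missing entirely
];

foreach ($samples as $qs) {
    parse_str($qs, $params);   // same decoding PHP applies when building $_GET
    printf("%-32s strict=%d lenient=%d\n", "'$qs'",
        strictId($params, 'catid'), lenientId($params, 'catid'));
}

// Usage against a real connection (DSN, user and password are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=DBNAME', 'user', 'pass');
// $rows = productsInCategory($db, strictId($_GET, 'catid'));
```

The strict check is the one to prefer for a category id: a request that carries anything other than a positive integer is almost never a legitimate click, and returning the default quietly (as the lenient cast does) means you never find out it happened. Whichever check you use, the bound parameter in productsInCategory() is what actually keeps the value out of the SQL text.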

2:29 pm on June 25, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 25, 2003
votes: 0

OK Great thanks for your posts :)

I do have register globals off and I don't plan on turning it on.

What about converting the address bar PHP code to something more presentable, which would also be better for SEO?


4:11 pm on June 25, 2004 (gmt 0)


WebmasterWorld Administrator jatar_k (Top Contributor of All Time, 10+ Year Member)

joined:July 24, 2001
votes: 0

that would require this
An Introduction to Redirecting URLs on an Apache Server [webmasterworld.com]

that can get you started with mod_rewrite
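
The rewrite rule itself belongs in Apache's configuration, but the PHP side is where the security question from the first post comes back: once mod_rewrite turns products/networking/linksysrouter/ into products.php?category=networking&product=linksysrouter, the two slugs are still user-controlled input and need the same treatment as catid. The following is an added example, not code from the thread or from the linked article. The RewriteRule in the comment, the slug rules, the function names and the products/categories schema are all assumptions for illustration.

```php
<?php
// Added example (not from the thread): the PHP side of a mod_rewrite setup.
// It assumes an Apache rule along the lines of
//   RewriteRule ^products/([^/]+)/([^/]+)/?$ products.php?category=$1&product=$2 [L,QSA]
// forwards /products/networking/linksysrouter/ to this script. The captured
// slugs are still attacker-controlled, so they are whitelisted before use.
declare(strict_types=1);

/** Assumed slug rule: lowercase letters, digits and inner hyphens, 1..64 chars. */
const SLUG_PATTERN = '/\A[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?\z/';

/** Return the slug if it matches the whitelist, or null to signal a 404. */
function slugFrom(array $params, string $key): ?string
{
    $value = $params[$key] ?? null;
    if (!is_string($value) || !preg_match(SLUG_PATTERN, $value)) {
        return null;
    }
    return $value;
}

/**
 * Lookup by slug with bound parameters. Assumed schema:
 * products(slug, name, price, catid) and categories(id, slug).
 */
function findProduct(PDO $db, string $category, string $product): ?array
{
    $stmt = $db->prepare(
        'SELECT p.name, p.price FROM products p
         JOIN categories c ON c.id = p.catid
         WHERE c.slug = :category AND p.slug = :product'
    );
    $stmt->execute([':category' => $category, ':product' => $product]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: the friendly URL from the post, plus hostile variants
// that a rewrite rule will happily pass through to the script.
$requests = [
    ['category' => 'networking', 'product' => 'linksysrouter'],
    ['category' => 'networking', 'product' => "linksysrouter' OR '1'='1"],
    ['category' => '../../etc',  'product' => 'passwd'],
    ['category' => 'networking', 'product' => str_repeat('a', 100)],
    ['category' => 'Networking', 'product' => 'linksysrouter'],   // case matters
];

foreach ($requests as $params) {
    $category = slugFrom($params, 'category');
    $product  = slugFrom($params, 'product');
    $status   = ($category === null || $product === null) ? '404 Not Found' : 'lookup';
    printf("%-12s / %-28s -> %s\n",
        substr($params['category'], 0, 12), substr($params['product'], 0, 28), $status);
}

// In the real script (DSN is a placeholder):
// $db = new PDO('mysql:host=localhost;dbname=DBNAME', 'user', 'pass');
// $row = ($category !== null && $product !== null) ? findProduct($db, $category, $product) : null;
// if ($row === null) { http_response_code(404); exit; }
```

Rejecting anything outside the slug pattern with a 404 is deliberate: unlike the catid case, there is no sensible default product to fall back to, and an unknown slug is exactly what a search engine should see as a missing page. The query still binds both slugs, so even a slug that slips past a looser pattern cannot change the SQL.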

