Is it safe to use $_GET in PHP? (Parameter in URL)


6

In the old days it was very common to visit web pages and see the parameters being passed right there in the URL. The php.net website shows that this is already obsolete, yet there are sites like Facebook, Terra, etc. that keep passing parameters in the URL.

My question is: is it still safe to use parameters in the URL?

If not, then why is it still used on "famous" sites?

Example:

https://www.facebook.com/r.php?placement=pflo&campaign_id=402047449186&extra_1=not-admgr-user

Edit

As rightly noted, $_GET is not obsolete.

  • 4

    $_GET is not obsolete; it is the variable $HTTP_GET_VARS that is!

  • 3

    As @Oeslei reported, it is not $_GET that is obsolete but $HTTP_GET_VARS. $HTTP_GET_VARS initially contains the same information, but it is not a superglobal. (Note that $HTTP_GET_VARS and $_GET are different variables and that PHP handles them differently.)

5 answers

7


DEPENDS! Just to complete the recipe, we have not only GET but POST as well.

The GET and POST methods have different purposes. According to HTTP, GET serves to retrieve resources from a server safely (without changing anything there) and POST to send information to it.

But why do we use GET to send parameters? In the case of searches, such as Google, or profiles and photos on Facebook, etc., it is common to see the parameters in the URL, because this way we can copy it and pass it to other people without them having to follow all the steps you took to reach the desired resource. Look (!), these are situations where the PARAMETERS are not critical (security-wise); there is no need to hide them. In the case of LOGIN, PASSWORD, CREDIT CARD NUMBER, among other information, it is not cool to carry it around here and there in the URLs, where anyone can come and see it! For this type of personal information, we use POST, which sends the parameters in the body of the HTTP request.

So, just to conclude: the GET method is safe, yes, as long as it is used correctly, within its scope of use.

4

GET/POST are methods to receive information. The GET method has never ceased to be safe; it is just that many people use it to do SQL injection, but SQL injection works with any method of receiving parameters, and the one who should care is the developer.

GET/POST are ways to send information, so there is no security difference between them, except for the fact that the user can more easily manipulate the parameter passed to your script.

About the sites you mention, I believe they do not use GET because they must be making use of friendly URLs (which still receive the parameters by GET and only change the way they are sent: they go without the "?parametro1=value1&parametro2=value2" and usually look like "/parametro1/value1/parametro2/value2"). This helps maintain semantics and is better for indexing the content for web crawlers.

NOTE: $_GET is not obsolete.

About $_GET: it is not obsolete on php.net; what is obsolete is $HTTP_GET_VARS. It initially contains the same information, but it is not a superglobal. (Note that $HTTP_GET_VARS and $_GET are different variables and that PHP handles them differently.)

  • The sites I have listed do not use friendly URLs; the URL is showing the parameters, for example: https://www.facebook.com/r.php?placement=pflo&campaign_id=402047449186&extra_1=not-admgr-user or, if they use them, not in this standard...

  • Sorry, I got it wrong, but the answer is still worth keeping for the part about friendly URLs.

  • 1

    When we talk about GET, we are talking about HTTP. A user-friendly URL is an application matter. We can use friendly URLs with both GET and POST.
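The answer above says a friendly URL only changes how the parameters are written, not the fact that they arrive by GET. As an added illustration (not code from any of the answerers), the following minimal front controller maps a path such as /produto/123/ordem/preco onto the same key/value pairs that ?produto=123&ordem=preco would have produced, and then validates them exactly as one would validate $_GET. The parameter names, the allowed sort keys and the sample paths are assumptions made for the example.

```php
<?php
// Added example (not from the thread): a minimal front controller that turns a
// "friendly" path like /produto/123/ordem/preco into the same key/value pairs
// that ?produto=123&ordem=preco would have produced. The data still arrives via
// GET, so it gets the same validation as anything read from $_GET.

declare(strict_types=1);

/**
 * Map /k1/v1/k2/v2 path segments to an associative array.
 * Only complete pairs are kept (an odd trailing segment is dropped) and each
 * segment is percent-decoded, as PHP does for the query string.
 */
function parseFriendlyPath(string $path): array
{
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    $params = [];
    for ($i = 0; $i + 1 < count($segments); $i += 2) {
        $params[rawurldecode($segments[$i])] = rawurldecode($segments[$i + 1]);
    }
    return $params;
}

/**
 * Validate the routed parameters against what this page accepts.
 * Anything missing or malformed yields null for that key.
 */
function validateProductParams(array $params): array
{
    // Assumed page contract: a positive integer product id and a sort key
    // taken from a fixed allow-list.
    $id = filter_var($params['produto'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    $order = in_array($params['ordem'] ?? null, ['preco', 'nome'], true)
        ? $params['ordem']
        : null;

    return ['produto' => $id === false ? null : $id, 'ordem' => $order];
}

// In a real deployment the path comes from $_SERVER['REQUEST_URI'] with the
// query string stripped. These requests are constructed for the demonstration.
$examples = [
    '/produto/123/ordem/preco', // well-formed
    '/produto/12abc/ordem/preco', // id is not an integer
    '/produto/7/ordem/data',      // sort key not in the allow-list
];

foreach ($examples as $path) {
    $routed = parseFriendlyPath(parse_url($path, PHP_URL_PATH));
    $clean  = validateProductParams($routed);
    printf("%-28s => %s\n", $path, json_encode($clean));
}
```

Run it with `php` on the command line. Rewriting the URL (whether in the web server or in a front controller like this one) changes presentation only; the rejected values in the second and third requests show that the validation step is where the safety actually comes from.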

4

Note: According to the documentation, $_GET is not obsolete; what is actually obsolete is $HTTP_GET_VARS.


Using parameters in the URL is necessary in several cases, and it improves the user experience when bookmarking a particular URL with a parameter, for example.

The problem is the safety of using $_GET directly. As it is the input most easily manipulated by the user, many security loopholes are exploited through it.

To prevent this from happening, we should always validate content that is external to our application; this includes the variables passed by GET, POST, etc.

In PHP we can use filter_input() to validate this entry:

<?php
// Read the "search" parameter from the query string and percent-encode it
// (FILTER_SANITIZE_ENCODED). filter_input() returns null when the parameter
// is absent from the request.
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);

The list of filters supported by PHP can be found here (in English).
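To make the validation step concrete, here is an added example (not the answerer's code) of a search page that checks every query-string parameter it accepts: integers with a range, a free-text term that must be a single string of bounded length, and a separate HTML-escaping step when the term is echoed back. filter_input(INPUT_GET, ...) reads the live request and returns null for an absent parameter and false for an invalid one; the script applies the same filters with filter_var() to constructed $_GET-shaped arrays so it runs offline. The parameter names, limits and sample requests are assumptions made for the example.

```php
<?php
// Added example (not from the thread): validating the query-string parameters
// of a search page with PHP's filter extension. filter_input(INPUT_GET, ...)
// reads the live request; here filter_var() is applied to constructed arrays
// shaped like $_GET so the script runs from the command line.

declare(strict_types=1);

/**
 * Validate the parameters the search page accepts and return normalised values
 * with safe defaults. $errors receives one message per rejected parameter.
 * "Absent" keeps the default; "present but invalid" is reported and defaulted.
 */
function readSearchParams(array $get, array &$errors = []): array
{
    $errors = [];

    // page: positive integer, default 1
    $page = 1;
    if (isset($get['page'])) {
        $v = filter_var($get['page'], FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1],
        ]);
        if ($v === false) {
            $errors['page'] = 'must be a positive integer';
        } else {
            $page = $v;
        }
    }

    // per_page: integer in 1..100, default 20 (caps the work a request can cause)
    $perPage = 20;
    if (isset($get['per_page'])) {
        $v = filter_var($get['per_page'], FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1, 'max_range' => 100],
        ]);
        if ($v === false) {
            $errors['per_page'] = 'must be an integer between 1 and 100';
        } else {
            $perPage = $v;
        }
    }

    // q: a single string of at most 100 characters. ?q[]=x arrives as an array,
    // so the type is checked before any string function touches it.
    $q = '';
    if (isset($get['q'])) {
        if (!is_string($get['q'])) {
            $errors['q'] = 'must be a single value';
        } else {
            $q = trim($get['q']);
            if (mb_strlen($q) > 100) {
                $errors['q'] = 'too long';
                $q = '';
            }
        }
    }

    return ['page' => $page, 'per_page' => $perPage, 'q' => $q];
}

/** Escape a value for HTML output; input validation does not replace this step. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed requests standing in for $_GET.
$requests = [
    ['q' => 'php filter_input', 'page' => '2'],
    ['q' => 'Tom & "Jerry" <b>', 'page' => '0', 'per_page' => '1000'],
    ['q' => ['a', 'b']],
];

foreach ($requests as $get) {
    $params = readSearchParams($get, $errors);
    echo 'params: ', json_encode($params), PHP_EOL;
    echo 'errors: ', json_encode($errors), PHP_EOL;
    // Echoing the term back into the form field: escape for the HTML context.
    echo 'html:   <input name="q" value="', h($params['q']), '">', PHP_EOL, PHP_EOL;
}
```

Two design points worth noticing: the FILTER_SANITIZE_ENCODED used in the answer prepares a value for embedding in a URL, not in HTML, so output into a page still needs htmlspecialchars(); and validation treats the type of each value as part of the check, because PHP will happily turn a repeated `q[]` parameter into an array.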

2

Introduction

The purpose of this answer is just to clarify and put things on track.
Regarding the processing of data to make a request or to send data securely, the 4 existing answers, as of the publication date of this reply, are enough to understand the basics of sanitization, filtering and validation of data, so let's start to unravel the subject:

The global PHP variable, $_GET

This global variable is used to retrieve data received by the GET method.
Simple as that, there's not much to say.

Manual: http://php.net/manual/en/reserved.variables.get.php

HTTP data sending methods

This is a subject that has nothing to do with PHP.
HTTP is a protocol used to transfer "hypertext" (Hypertext Transfer Protocol). General information on Wikipedia: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

Therefore, the HTTP protocol is one thing and $_GET is a PHP resource.

A request by the GET method does not necessarily need to have parameters. For example, entering the following address in a browser: /, will already send a request by the GET method. This is the default method of sending data.

What is safe to send by GET method?

It is recommended to send only non-sensitive data. Sensitive data is private information such as passwords, credit cards, login, etc.

The reason for not sending sensitive data through the GET method is that it is visibly very easy for anyone to obtain such data, even offline, as URLs are typically cached on the user's device.

However, even the POST method should not send sensitive data without encryption.

Summarizing, in general, there is no problem in sending data by the GET or POST method or the other REST methods.

It’s not GET’s fault

Part of the problem is the sloppy way people pass on information: in order to summarize a subject, they end up teaching it in an inappropriate way. For example, the question you asked is meaningless. But I believe this is due to a subject that was addressed in the other answers, which is the processing and validation of the received data.

Validation of data from both GET and POST, if not done well, can lead to serious security issues.

Sending the data itself is not a problem, because that is the HTTP protocol. What will affect the security or the correct functioning of the receiving system, that is, the responsibility for what will be done with the received data, belongs entirely to the system that receives the data. It is also worth pointing out that, depending on the type of data being received, the sender also has responsibility; see what I mentioned above about sensitive data.

The HTTP protocol itself is just a road through which data flows.

0

In my opinion, it depends on the kind of information you're going to expose there. If it's just a configuration, or a code that doesn't get you anywhere, I don't see a problem. Probably this type of parameter is what you still see on Facebook, for example. But the ideal, and most elegant, would be to expose nothing and handle everything internally. Why is this type of code still there? Probably because it is legacy code, and it works.

  • Configuration, I think, is risky. The user can change it and crash the application, or at least invalidate the functionality.

  • I agree, Caíque, if you don't handle it right, it can cause problems. But I meant more in the internal sense.
