Get & Post Methods: How to & why.
The GET method is used to collect values from a form.
Get method example:
CODE
<form action="signin.php" method="get">
First Name: <input type="text" name="Fname" />
Last Name: <input type="text" name="Lname" />
<input type="submit" />
</form>
Once the user presses the submit button, the form collects the values & sends them along with the URL.
You'll end up with a URL of the form signin.php?Fname=...&Lname=..., where the "..." are the values the user typed.
The signin page will actually "Get" the values from the url.
Since the information sent from a form with the GET method will be displayed in the browser's address bar, it is visible to everyone.
It also has a limit on the amount of information that can be sent. Its max is 100 characters.
The $_GET variable is an array of variable names and values sent by the HTTP GET method.
Using our example from above, $_GET would contain the following:
CODE
<?php
if (isset($_GET['Fname'])) {
    $Fname = $_GET['Fname'];
} else {
    echo "Fname was not set in the form\n";
}
// Second check reads Lname (the original repeated the Fname check here).
if (isset($_GET['Lname'])) {
    $Lname = $_GET['Lname'];
} else {
    echo "Lname was not set in the form\n";
}
?>
The Post method is used to send values from a form.
Post method example:
CODE
<form action="signin.php" method="post">
First Name: <input type="text" name="Fname" />
Last Name: <input type="text" name="Lname" />
<input type="submit" />
</form>
Once the user presses the submit button, the form collects the values & sends them in a way that is not shown in the URL.
The POST method also has no limit on the amount of information it can send.
In our example above, the signin page receives the posted values without them being displayed to any user. The $_POST variable catches the form data, & the values can be retrieved using the following:
CODE
<?php
if (isset($_POST['Fname'])) {
    $Fname = $_POST['Fname'];
} else {
    echo "Fname was not set in the form\n";
}
if (isset($_POST['Lname'])) {
    $Lname = $_POST['Lname'];
} else {
    echo "Lname was not set in the form\n";
}
?>
Security:
It is important to note that you never want to work directly with the $_GET & $_POST values. Always copy their value into a local variable, & work with it there. There are several security implications when you directly access (or output) $_GET & $_POST.
Security Tip 1: Strip the HTML & PHP content.
This can be done easily with the strip_tags() function. strip_tags() simply removes HTML and PHP tags from a string & returns only its plain text value. The reason for this is simple: you don't want someone to input PHP code that executes when your script fires off. For example:
CODE
<?php
if (isset($_POST['Fname'])) {
    $Fname = $_POST['Fname'];
} else {
    echo "Fname was not set in the form\n";
}
if (isset($_POST['Lname'])) {
    $Lname = $_POST['Lname'];
} else {
    echo "Lname was not set in the form\n";
}
if (isset($Fname)) {
    // Tags are stripped before the value is echoed back into the page.
    echo strip_tags($Fname) . " was passed from the form\n";
}
?>
This works for most cases, but there are also ways of outputting the HTML code without allowing it to execute.
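As an added example (not code from the original post), the following contrasts strip_tags() with htmlspecialchars(), which is one of the ways of outputting HTML as visible text without letting the browser interpret it. The sample inputs are constructed here instead of being read from $_POST.

```php
<?php
// Added example (not from the original post): two ways to make a form value
// safe to echo back into a page. strip_tags() removes the markup entirely;
// htmlspecialchars() keeps every character but encodes <, >, &, " and ' so
// the browser displays them instead of interpreting them.
// The inputs below are constructed test strings, not a live $_POST.

function sanitize_by_stripping(string $value): string
{
    // Drop every HTML/PHP tag and return the bare text.
    return strip_tags($value);
}

function sanitize_for_display(string $value): string
{
    // Encode the value so it renders as literal text inside HTML.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$samples = [
    "Bob",              // plain value: both functions leave it unchanged
    "<b>Bob</b>",       // markup typed into the name field
    "O'Brien & Sons",   // legitimate characters that still need encoding for HTML
];

foreach ($samples as $input) {
    printf("input:            %s\n", $input);
    printf("strip_tags:       %s\n", sanitize_by_stripping($input));
    printf("htmlspecialchars: %s\n\n", sanitize_for_display($input));
}
```

Run it with the php CLI to see the two treatments side by side: strip_tags() silently changes what the user typed (the ampersand in a company name survives, but any tags are gone), while htmlspecialchars() preserves the text and is the right choice when the value has to be displayed as-is.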
Security Tip 2: Don't trust the $_GET content
Rather than taking the user at their word, actually test the contents of $_GET before using it. A good example of this is running the value through a switch/case. In a situation where you might be uploading (or loading) a file:
CODE
<?php
if (isset($_GET['file'])) {
    $Fname = $_GET['file'];
    $file = null;
    // Only names listed here are ever opened; anything else falls through to default.
    switch ($Fname) {
        case "home.html":
            $file = "home.html";
            break;
        case "main.html":
            $file = "main.html";
            break;
        default:
            echo "Invalid file\n";
    }
    if ($file !== null) {
        $fh = fopen($file, "r");
        // ... read from $fh here ...
        fclose($fh);
    }
}
?>
This is also safe practice when running system commands.
CODE
<?php
if (isset($_POST['host'])) {
    // Deliberately unsafe: the raw POST value is pasted straight into a shell command.
    system("ping " . $_POST['host']);
}
?>
If a user were to enter "; rm -rf /", $_POST would pass exactly that, & your system would execute:
www@host$ping; rm -rf /
An example of checking the input for the preceding would be to use the strpos() function. It checks for a string within a string.
CODE
<?php
if (isset($_POST['host'])) {
    $host = $_POST['host'];
    $valid = true;
    // strpos() returns 0 when the match is at the very start of the string, and 0
    // is falsy, so compare against false explicitly instead of relying on truthiness.
    if (strpos($host, " rm ") !== false) {
        echo "Invalid option\n";
        $valid = false;
    }
    if (strpos($host, "-rf") !== false) {
        echo "Invalid option\n";
        $valid = false;
    }
    if (strpos($host, ";") !== false) {
        echo "Invalid option\n";
        $valid = false;
    }
    if ($valid) {
        // ... safe to go on and use $host here ...
    }
}
?>
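The strpos() checks above reject a few known-bad strings. As an added example (not code from the original post), the following takes the opposite approach for the same "host" field: the value is accepted only if it parses as an IP address or a hostname, and even the accepted value is quoted with escapeshellarg() before it is placed in a command. The validate_host() and build_ping_command() names are this example's own, the inputs are constructed test strings rather than a live $_POST, and the command is only printed, never executed.

```php
<?php
// Added example (not from the original post): an allow-list check for the
// "host" field instead of a block-list of bad substrings. Anything that is not
// a syntactically valid IP address or hostname is rejected before it gets near
// a shell. escapeshellarg() is a second layer on the accepted value.
// The inputs below are constructed test strings, not a live $_POST.

function validate_host(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Accept IPv4/IPv6 literals.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // FILTER_FLAG_HOSTNAME restricts the value to hostname characters
    // (letters, digits, hyphens, dots), so shell metacharacters never pass.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}

function build_ping_command(string $input): ?string
{
    $host = validate_host($input);
    if ($host === null) {
        return null;   // caller reports "Invalid option" and runs nothing
    }
    // Quote the argument so the shell treats it as a single literal word.
    return 'ping -c 1 ' . escapeshellarg($host);
}

$tests = [
    "example.com",        // valid hostname
    "192.0.2.10",         // valid IPv4 literal
    "; rm -rf /",         // the payload from the post above
    "bad host name",      // spaces are not hostname characters
];

foreach ($tests as $t) {
    $cmd = build_ping_command($t);
    printf("%-16s => %s\n", $t, $cmd === null ? "rejected" : $cmd);
}
// A real handler would call system() on the returned string only when it is
// not null, and would never hand the raw $_POST value to the shell.
```

Validating against what a hostname is allowed to look like means the check does not need updating every time a new shell trick is discovered, which is the weakness of matching on " rm ", "-rf" and ";".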
Security Tip 3: Encrypt your sensitive data.
If you are going to be passing passwords or other sensitive information through your $_GET & $_POST variables, use the md5
encryption to offer another layer of protection.
CODE
<?php
if (isset($_POST['password'])) {
    $pass = md5($_POST['password']);
}
?>
The md5() function will convert the text passed into it, into a 32 character long hash. Combine this with a one-way salt, & you have
got yourself a pretty secure password.
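As an added example (not code from the original post), here is the same handler written with PHP's password_hash() and password_verify(), which the PHP manual recommends over md5() for passwords; password_hash() generates and embeds a random salt itself, so the salting step described above is built in. The hash_password() and check_password() names are this example's own, and the password used for the demonstration is a constructed value standing in for $_POST['password'].

```php
<?php
// Added example (not from the original post): storing and checking a password
// with password_hash()/password_verify() instead of md5(). The returned hash
// string records the algorithm, cost and random salt, so nothing else has to
// be stored alongside it. The demo password below is a constructed value.

function hash_password(string $plain): string
{
    // PASSWORD_DEFAULT picks the algorithm PHP currently recommends (bcrypt today).
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $stored): bool
{
    // Re-hashes $plain with the salt and cost embedded in $stored and compares.
    return password_verify($plain, $stored);
}

// Request handling: hash the submitted value, never keep the plaintext.
if (isset($_POST['password'])) {
    $stored = hash_password($_POST['password']);
    // ... save $stored in the user record ...
}

// Stand-alone demonstration with a constructed password.
$submitted = "correct horse battery staple";
$stored    = hash_password($submitted);

echo "stored hash: " . $stored . "\n";
echo "correct password verifies: " . var_export(check_password($submitted, $stored), true) . "\n";
echo "wrong password verifies:   " . var_export(check_password("wrong password", $stored), true) . "\n";
```

Because the salt is random, running the block twice produces two different stored hashes for the same password, and password_verify() still accepts the correct password against either of them.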
Security Tip 4: PHP_SELF can be overwritten; check the hardened PHP value
CODE
<?php
if (isset($_SERVER['REQUEST_URI'])) {
    $page = $_SERVER['REQUEST_URI'];
    if ($page != $_SERVER['PHP_SELF']) {
        echo "This is not the beginning page!\n";
    } else {
        // ... continue with the normal page ...
    }
}
?>
Security Tip 5: Use SSL
Because $_POST values are not stored in the history as they are with $_GET, POST is more secure. However, this should not let you sleep well at night. $_POST over SSL is much more secure because the content is encrypted all the way from the server end to the browser end. Any traffic intercepted in the middle will be encrypted garbage, & useless without the SSL keys. If SSL is available to you, use it!
Overview:
Since the Get method puts values in the URL, it should never be used when sending passwords or other sensitive information.
On the other hand, because the variables are displayed in the URL, it is possible to bookmark the page. With Post, however, the variables are not displayed in the URL, making it impossible to bookmark the page. Unlike Get, with Post your variables have no length limit.
This post has been edited by no2pencil: 11 Nov, 2007 - 02:41 PM