Quakenet/#php Tutorial

Note: If you opened this page from an external URL, be aware that all chapters build on each other. Make sure you have also read all prior chapters of this tutorial, otherwise you will miss relevant content explained there.

GET

  1. URL parameters
  2. Access the GET variables
  3. Risks from external source

1. URL parameters

PHP scripts are run with inputs from the user. These inputs can be sent to the scripts in 3 ways. One of them is the url parameters, also called GET variables. These are in the url and written after the path, separated with a ?. Examples are http://www.example.com/file.php?section=news and http://www.example.com/dl.php?cat=5&id=3&view=false. An anchor (like #top in http://www.example.com/file.php#top) is not part of the GET variables and isn't sent to the webserver at all.

2. Access the GET variables

All GET variables from the url are saved in the php array $_GET. This array is predefined and exists even if there aren't any GET variables. Additionally, it is a superglobal array, which means it exists in all scopes and doesn't need to be passed to functions as a parameter. The name of a GET variable is the index/key of the array entry in $_GET. From the url http://www.example.com/file.php?section=news&site=show php creates the array entries 'section' => 'news' and 'site' => 'show'.

<?php
// opened with file.php?section=news
echo $_GET['section']; // outputs 'news'
?>

All values of GET variables are strings or arrays, even if they contain only digits. From ?var=false&ID=4 php creates an array entry with the string index var and the string value false (not bool(false)), and an array entry with the string index ID and the string value 4 (not int(4)).

<?php
// if opened with file.php?var=false&ID=4
var_dump($_GET['var']); // outputs string(5) "false"
var_dump($_GET['ID']);  // outputs string(1) "4"
?>

If the name looks like an assignment to an array entry, php evaluates it as one. From ?foo[4]=bar php creates the field $_GET['foo'][4] with the string bar. This is often used for forms; however, all values are still arrays or strings.

3. Risks from external source

The $_GET array is only filled with values from the url. This also means that if no value is given in the url, no value will be added to the $_GET array. This is something which must be checked inside your script. If you try to access an array field which doesn't exist you get an error message.

<?php
echo $_GET['not_defined'];
// Notice: Undefined index:  not_defined in FILE on line LINENUMBER
?>

To get rid of such an error you could of course change the error_reporting setting, but it is better to check whether the index exists before reading from it. This can be done with the isset language construct.

<?php
// isset returns true only if the index exists and its value is not null
if (isset($_GET['xyz'])) {
    // (in a real page the value should be escaped before it is echoed, see chapter 3)
    echo "The GET variable 'xyz' exists and got the value '".$_GET['xyz']."'.";
} else {
    echo "There is no GET variable called 'xyz'.";
}
?>

Additionally, all these variables are filled by the user, regardless of whether the user clicked on a link or not. This means the content is not generated by the php script. This is a point of attack. For this reason you should never output a GET variable directly or treat it as correct or valid. Whatever the user sends, you should check the input first. If you expect a number, as in ?show=news&newsid=5, you should always check first whether the value really is a number. Any input which gets shown later should always be checked against injected javascript/html code. This can be done with functions like htmlspecialchars.
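As an added example that is not part of the original tutorial, this is how the two checks for ?show=news&newsid=5 can be written in practice: the number is validated before it is used and the shown value is escaped before it is echoed. The function names getNewsId and escapeForHtml are made up for this example.

```php
<?php
// Added example, not from the original tutorial: validate ?show=news&newsid=5
// and escape anything that is echoed back. getNewsId/escapeForHtml are made-up names.

// Return the requested news id as an int, or null if it is missing or not a
// positive whole number. FILTER_VALIDATE_INT rejects "5abc", "5.0" and "",
// which a plain (int) cast would silently turn into 5 or 0.
function getNewsId(array $get): ?int
{
    // GET values are always strings or arrays; an array can never be a valid id
    if (!isset($get['newsid']) || is_array($get['newsid'])) {
        return null;
    }
    $id = filter_var($get['newsid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escape a user-supplied string before placing it into HTML, so that tags
// and attribute-breaking quotes are displayed as text instead of being run.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$newsId = getNewsId($_GET);
if ($newsId === null) {
    http_response_code(400);
    echo "Invalid or missing newsid.";
    exit;
}
// Safe to echo unescaped: $newsId is an int, so it can only contain digits.
echo "Showing news item " . $newsId;

// The 'show' value is displayed, so it is escaped; an input such as
// show=<script>alert(1)</script> is then rendered as harmless text.
$show = (isset($_GET['show']) && !is_array($_GET['show'])) ? $_GET['show'] : 'news';
echo "<p>Section: " . escapeForHtml($show) . "</p>";
?>
```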

Questions about the chapter

No questions

Copyright © to the OPs of #php/QuakeNet