1. URL parameters
PHP scripts are run with inputs from the user. These
inputs can be sent to a script in three ways. One of them is the
URL parameters, also called GET variables. They are part of the URL
and are written after the path, separated from it by a ?.
Examples are http://www.example.com/file.php?section=news
and http://www.example.com/dl.php?cat=5&id=3&view=false.
A fragment (anchor) such as #top in http://www.example.com/file.php#top
is not part of the GET variables and is not sent to the web server at all;
only the browser uses it.
2. Access the GET variables
All GET variables from the URL are stored in the PHP array $_GET. This
array is predefined and exists even if there are no GET variables (it is then empty).
It is also a superglobal array, which means it is available in every scope
and does not need to be passed to functions as a parameter.
The name of a GET variable is the index/key of the corresponding entry in $_GET. From
the URL http://www.example.com/file.php?section=news&site=show
PHP creates the array entries 'section' => 'news' and
'site' => 'show'.
<?php
// opened with file.php?section=news
echo $_GET['section']; // outputs 'news'
?>
All values of GET variables are strings or arrays, never integers or booleans, even if
they consist only of digits or look like a keyword. From ?var=false&ID=4 PHP creates an
array entry with the string key var and the string value "false"
(not bool(false)) and an entry with the string key ID
with the string value "4" (not int(4)). PHP converts such strings when you use
them in arithmetic or comparisons, but the type stored in $_GET stays string.
<?php
// if opened with file.php?var=false&ID=4
var_dump($_GET['var']); // outputs string(5) "false"
var_dump($_GET['ID']); // outputs string(1) "4"
?>
If the name looks like an assignment to an array entry, PHP evaluates it
as such. From ?foo[4]=bar PHP creates the
entry $_GET['foo'][4] with the string bar, and ?foo[]=a&foo[]=b creates
$_GET['foo'] as array('a', 'b').
This is often used for forms (check boxes, multi-selects), but the leaf values are
still strings. Note the consequence: any GET variable your script expects to be a
string can be turned into an array by the client (?section[]=news), so check the
type before passing a $_GET value to a function that expects a string.
3. Risks from external source
The $_GET array is only filled with values from the URL. This
also means that if a value is not present in the URL, no entry is added to
$_GET for it. Your script must check for this itself. If you read an array
key that does not exist, PHP reports it (a Notice in PHP 5 and 7, a Warning
with the text "Undefined array key" since PHP 8) and the expression evaluates to null.
<?php
echo $_GET['not_defined'];
// PHP 5/7: Notice: Undefined index: not_defined in FILE on line LINENUMBER
// PHP 8:   Warning: Undefined array key "not_defined" in FILE on line LINENUMBER
?>
To silence such a message you could of course lower the error_reporting
setting, but it is better to check whether the key exists before reading it.
This can be done with the isset language construct (since PHP 7 the null
coalescing operator ?? performs the same check and supplies a default value).
<?php
if (isset($_GET['xyz'])) {
    // The value comes from the client, so it is escaped before it is echoed
    // into HTML (see the next section); never output it raw.
    $xyz = is_string($_GET['xyz']) ? $_GET['xyz'] : '';
    echo "The GET variable 'xyz' exists and got the value '"
        . htmlspecialchars($xyz, ENT_QUOTES, 'UTF-8') . "'.";
} else {
    echo "There is no GET variable called 'xyz'.";
}
?>
In addition, all these variables are filled by the user, regardless of whether
the user clicked a link your page generated or typed the URL by hand. The content
is not produced by your PHP script, so it is a point of attack. For this reason you
should never output a GET variable directly, nor assume it is
correct or valid. Whatever the user sends, check it first. If you expect a number,
as in ?show=news&newsid=5, always verify that the value really is an integer
(for example with ctype_digit or filter_var with FILTER_VALIDATE_INT) before
using it in a database query or as a file name. Any input that is shown again in
the page must be escaped so that it cannot inject HTML or JavaScript into the page
(cross-site scripting). This is done with functions like
htmlspecialchars; pass ENT_QUOTES and the page's character set so that quotes
inside attributes are escaped as well.
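The following is an added example, not code from the original tutorial, that puts the checks of this section together: an integer parameter validated with filter_var, a string parameter restricted to an allow-list, and every reflected value escaped with htmlspecialchars. It also handles the array case from section 2 (?newsid[]=5), which would otherwise reach a function expecting a string. The query strings are constructed test input, parsed with parse_str (the same rules PHP uses to build $_GET), so the script runs from the command line without a web server; the function names getInt, getEnum and h are this example's own.

```php
<?php
// Added example: validate and escape GET input before use.
// Constructed input below; the helpers take any array, so they work
// on $_GET in a real script or on parse_str() output offline.

declare(strict_types=1);

// Return the parameter as an int >= $min, or null if it is missing,
// not a string (e.g. ?newsid[]=5 makes it an array), or not a plain
// decimal integer. FILTER_VALIDATE_INT rejects "5abc", " 5", "0x5", "5.0".
function getInt(array $params, string $name, int $min = 1): ?int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min],
    ]);
    return $value === false ? null : $value;
}

// Return the parameter only if it is one of the allowed values
// (allow-list), otherwise the default. This keeps raw client strings
// out of file names, template names and SQL fragments.
function getEnum(array $params, string $name, array $allowed, string $default): string
{
    if (isset($params[$name]) && is_string($params[$name])
        && in_array($params[$name], $allowed, true)) {
        return $params[$name];
    }
    return $default;
}

// Escape a string for HTML text or attribute content. ENT_QUOTES also
// escapes ' so the value is safe inside single-quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed query strings: a valid request, a non-numeric id, a
// path-traversal attempt plus an array where a string is expected,
// and a script tag that must not be reflected unescaped.
$queries = [
    'show=news&newsid=5',
    'show=news&newsid=5abc',
    'show=../../etc/passwd&newsid[]=5',
    'show=news&newsid=<script>alert(1)</script>',
];

foreach ($queries as $query) {
    parse_str($query, $params);          // same parsing rules as $_GET
    $show   = getEnum($params, 'show', ['news', 'archive'], 'news');
    $newsid = getInt($params, 'newsid');

    echo "query: " . h($query) . "\n";
    echo "  show   = " . h($show) . "\n";
    if ($newsid === null) {
        // Reflecting the rejected raw value without h() would be XSS.
        $raw = is_string($params['newsid'] ?? null) ? $params['newsid'] : '(not a string)';
        echo "  newsid = invalid (" . h($raw) . ")\n";
    } else {
        // $newsid is now an int; bind it as a placeholder parameter in SQL.
        echo "  newsid = " . $newsid . "\n";
    }
}
```

Run it with `php example.php`: the first query yields show = news and newsid = 5; the other three fall back to the default section and report the id as invalid, with the script tag shown as &lt;script&gt; rather than executed. The important design choice is that validation and escaping are separate steps: getInt and getEnum decide whether a value may be used at all, and h() is applied at the moment a string is written into HTML, never earlier.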