How to secure get request in php
What's the best way to secure a GET request, or are there any safer alternatives?
I'm using a couple of GET requests in my website to generate webpages dynamically and to delete records based on ID. The last one worries me a bit, because people could just change the URL to whatever file they want to delete. To have access to the delete-file they do need to log in and have certain permissions, which will throw an error if they don't have sufficient permissions. I came across a really old SO post, stating that you should use the I also read about validation being really important, so I was thinking about checking whether the ID is an actual integer or not. There's another post stating that hiding the request in the URL is basically useless, since the request will always be a part of the URL. This is my delete-file; it uses two statements: one deletes the actual post, and the other one deletes the images associated with that post.
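An added example (not the asker's own delete-file) of how such a delete endpoint can be hardened: it refuses GET, checks the session's permission, verifies a CSRF token, validates the id as a positive integer, and runs both deletes in one transaction with prepared statements scoped to the logged-in owner, so a guessed id belonging to someone else deletes nothing. The table and column names (posts, post_images, owner_id), the session keys (user_id, can_delete, csrf_token) and the PDO DSN are assumptions for the example:

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code. Hypothetical schema: posts(id, owner_id)
// and post_images(id, post_id). The session keys user_id, can_delete and
// csrf_token are assumed to be set at login.

session_start();

/**
 * Delete one post and its images, but only if $ownerId owns it.
 * Returns the number of rows removed from posts (0 = nothing deleted).
 */
function deletePost(PDO $pdo, int $id, int $ownerId): int
{
    $pdo->beginTransaction();
    try {
        // Images first (foreign-key order). The subquery restricts the delete
        // to posts owned by the current user, so an id that is not theirs
        // touches no rows at all.
        $images = $pdo->prepare(
            'DELETE FROM post_images WHERE post_id IN
               (SELECT id FROM posts WHERE id = :id AND owner_id = :owner)'
        );
        $images->execute([':id' => $id, ':owner' => $ownerId]);

        $post = $pdo->prepare(
            'DELETE FROM posts WHERE id = :id AND owner_id = :owner'
        );
        $post->execute([':id' => $id, ':owner' => $ownerId]);

        $pdo->commit();
        return $post->rowCount();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// 1. A state-changing action must not be reachable with GET: a GET URL is
//    logged, cached, bookmarked and may be prefetched by the browser.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 2. The user must be logged in and hold the delete permission.
if (empty($_SESSION['user_id']) || empty($_SESSION['can_delete'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 3. CSRF: the form must echo back the per-session random token, compared
//    in constant time.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 4. Validate the id as a positive integer before it gets near the database.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if (!is_int($id)) {
    http_response_code(400);
    exit('Invalid id');
}

// 5. Both deletes in one transaction, scoped to the current owner.
//    Placeholder DSN and credentials: replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (deletePost($pdo, $id, (int) $_SESSION['user_id']) === 0) {
    // Same answer whether the post does not exist or belongs to someone else.
    http_response_code(404);
    exit('No such post');
}
echo 'Deleted';
```

The csrf_token session value is created once at login (for example with bin2hex(random_bytes(32))) and placed in the delete form as a hidden input; the form itself uses method="post". Returning the same 404 for "not found" and "not yours" avoids confirming which ids exist.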
In this article, we will cover two request methods, GET and POST, for sending and receiving data from an HTML form using PHP. We will also examine the most common information-security problems involved, such as Cross-Site Scripting (XSS) and SQL Injection, and how to address them with adequate sanitization. Let's start with the theory: what are GET and POST requests, and how do they differ? If you prefer, you can skip to the next section, where we start with the practice.

Understanding the GET and POST methods

The Hypertext Transfer Protocol (HTTP) was developed to serve the transmission of documents, and works as an intermediary between internet browsers and web servers. You are used to reading it in the addresses of web pages, as well as its “brother” HTTPS, a more secure, encrypted version (hence the “S” at the end, meaning “Secure”). In other words, HTTP is a protocol that serves as a “bridge”: it collects a request from the internet browser, sends it to the server, waits for an answer and, finally, returns the new information to the browser. Generally, these requests carry some metadata in their “header”, which contains messages used to perform certain behavior on the client or on the server. In addition, HTTP requests can take different forms. The most used HTTP request types are GET and POST, but there are other types in the technical specification, such as
The GET request

The GET request method is used when you want to obtain data from a specific source or resource. It should only be used to retrieve data, because its query string is sent and displayed in the URL, for example: When we insert this URL into the browser, we are asking the YouTube server for a specific resource: to retrieve the data from the video Note that in our example, the second parameter of the GET request, GET requests are generally limited in length (for most browsers, up to 8 KB, or 8192 bytes, of URI) and, because they only serve to request data, they should not be used to modify it. In addition, they can be stored in the cache, in the browser's history and in bookmarks. That's why you should never use GET to send sensitive data, such as Social Security Numbers and user passwords.
The POST request

The POST request method is used to send data to the server, to update or create a resource. Unlike the GET method, the POST method does not expose the information in the URL address. In this case, the data is transmitted in the HTTP request body, as follows:
In this example, we are informing the
Let's assume the YouTube server recognized our request, and this address is valid. In our example, the informed video, which we received previously, will be added to the Note that this is a
one-time request, which is unlikely to be repeated. As a rule, the POST method, unlike GET, is not stored in the cache or in the client's browser history, nor can it be saved in bookmarks. POST requests have no restriction on the size of the message, which allows us to send complete articles, such as this one, through an electronic HTML form, for example. Also, the POST method supports a wide variety of
Creating forms with HTML and PHP

Now that we understand how the GET and POST methods work in theory, let's move on to practice: let's create an HTML form and have it send and receive information using PHP.

Inserting the form on the page

The first step in creating our web page is to define the structure of the
In this fragment, we are using the GET method, defined in

Inserting the fields into the form

The next step is to insert the fields, or
We inserted 3 fields, defined by the HTML tag We also add labels to the text fields, using the
Finally, the The final result, displayed in the client's browser, should look like this:

Reading data with PHP

After completing our HTML form, we can move on to the next step. Let's define the elements of the target page using PHP. The source code below, inserted in the file
Notice that we use the superglobal PHP has several native superglobal variables, such as
Then, we
separate the strings and the variables in PHP with the

📝 Learn by doing

Did you notice that the URL address on
Test #1: Rewrite the source code of the form we coded, using another request method, so that the information stays safe from being read by eavesdroppers and unauthorized people. After you finish, you can check the final answer.

Increasing HTML form security

Our HTML form is finally done! However, we can increase the security of our page by protecting how PHP reads the information. This is our last step. We will add an extra, if basic, layer of security to prevent PHP from executing commands at the moment it receives and displays the values sent by the client.
The technique that filters and transforms the values entered by the user into plain, harmless strings is called sanitization. By default, PHP has a collection of native functions that help us with this step, such as the following:
When we use adequate sanitization, as soon as the server receives improper information — for example,
Let's edit the source code of our page, by adding one of these sanitizing functions. Our final code should look like this:
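As an added example that is not the article's own code, here is a complete page covering both the form-building and reading steps above and the sanitization step: the form submits with POST (as Test #1 asks) so the values stay out of the URL, the target page reads the fields with filter_input(), and every value is escaped with htmlspecialchars() before it is written back into the HTML. The field names (name, email, message) are assumptions for the example:

```php
<?php
declare(strict_types=1);
// Added example, not the article's own code. A self-submitting contact form
// that reads its fields from $_POST with filter_input() and escapes each value
// with htmlspecialchars() before output. Field names are assumptions.

/** Escape a string for use in HTML text content and attribute values. */
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$name = $email = $message = '';
$errors = [];
$submitted = $_SERVER['REQUEST_METHOD'] === 'POST';

if ($submitted) {
    // filter_input() reads only the POST body and returns null for a missing
    // field, so a forged ?name=... in the query string is ignored.
    $name    = trim((string) filter_input(INPUT_POST, 'name'));
    $email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $message = trim((string) filter_input(INPUT_POST, 'message'));

    if ($name === '') {
        $errors[] = 'Name is required.';
    }
    if (!is_string($email)) {   // false (invalid address) or null (missing)
        $errors[] = 'A valid e-mail address is required.';
        $email = '';
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Contact form</title>
</head>
<body>
<?php foreach ($errors as $error): ?>
  <p class="error"><?= e($error) ?></p>
<?php endforeach; ?>

<!-- method="post": the values travel in the request body, not in the URL, so
     they do not land in the browser history, bookmarks or the server access
     log. action="" posts back to this same page. -->
<form method="post" action="">
  <label for="name">Name</label>
  <input type="text" id="name" name="name" value="<?= e($name) ?>">

  <label for="email">E-mail</label>
  <input type="email" id="email" name="email" value="<?= e($email) ?>">

  <label for="message">Message</label>
  <textarea id="message" name="message"><?= e($message) ?></textarea>

  <button type="submit">Send</button>
</form>

<?php if ($submitted && !$errors): ?>
  <section>
    <!-- Echoing the raw value here (echo $name;) would let a submitted
         <script> element run in the visitor's browser: the XSS the article
         warns about. e() turns the angle brackets into &lt; and &gt;. -->
    <p>Thanks, <?= e($name) ?>. We will reply to <?= e($email) ?>.</p>
    <pre><?= e($message) ?></pre>
  </section>
<?php endif; ?>
</body>
</html>
```

Escaping is done at output time, in the context where the value is used, rather than by stripping characters on input: the stored value stays intact, and the same e() helper protects both the attribute values that re-fill the form and the confirmation text below it.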
The final result, displayed in the browser, should look like the figure below:

📝 Learn by doing

Have you ever noticed that the majority of sites and search engines use the
Test #2: Create a search form, using HTML and PHP, that contains at least 1 text field and 1 button to send the data, so that the URL address on the target page displays the

Conclusion

So, we're done! We made an HTML form that is capable of transmitting data via HTTP request methods, in this case GET or POST (and we also understand how they work), and sending it to the target page written in PHP. The target page then receives and handles the data and displays the information on the user's screen. We also sanitized the values sent by the user in order to avoid serious information-security problems.

Next steps 🚶

When it comes to internet security, there is always something more to learn and apply. In order to build safer applications, be sure to follow the next article in this series, and read the Security topic in the PHP Manual. If you have any questions or suggestions on how to build more secure applications using PHP, share them in the comments.

What is get safe value in PHP?

It contains data that could be manipulated, but as long as that data is not used stupidly, that is not a security risk.
How do I protect a POST request?

To secure a password or other confidential data you must use SSL or encrypt the data before you POST. Another option would be to use Digest Authentication with the browser (see RFC 2617). Remember that (home-grown) encryption is not enough to prevent replay attacks; you must concatenate a nonce and other data (eg.
Which method is secure for securing data in PHP?

Use SSL Certificates For HTTPS

HTTPS provides a secure, encrypted channel for accessing untrusted sites. You must include HTTPS by installing an SSL certificate on your website. It also strengthens your web applications against XSS attacks and prevents hackers from reading transported data using codes.