How to secure get request in php

<form method="GET" id="webform" name="webform" action="target.php">
form>

In this fragment, we are using the GET method, defined in method="GET", to send the information that will be inserted into the form, whose name was defined in name="webform", to the target page (action="target.php").

Inserting the fields to the form

The next step is to insert the fields, or inputs to our form, where users can type the values. Let's update our source file like this:

html>
<html>
<head>
    <meta charset="utf-8">
    <title>Electronic formtitle>
head>
<body>
    <form method="GET" id="webform" name="webform" action="target.php">
        <label for="iduser">User ID:label>
        <input type="text" id="iduser" name="iduser"> <br />

        <label for="idplaylist">Playlist ID:label>
        <input type="text" id="idplaylist" name="idplaylist"> <br />

        <label for="v">Video ID:label>
        <input type="text" id="v" name="v" value="fJ9rUzIMcZQ"> <br />

        <button type="submit">Send databutton>
    form>
body>
html>

We inserted 3 fields, defined by the HTML tag , and also 1 button that sends the form's data, using .

We also add labels to the text fields, using the tags. Notice that each values on the for attributes, on each label element corresponds to an id attribute of one the input fields, like this: refers specifically to the field that contains the corresponding id="idplaylist" attribute, and vice versa.

💡 It is possible to insert predefined values to the fields, adding the data corresponding to the value attribute in each HTML element.

Finally, the name attribute in each field will be used to obtain the values inserted by the user in the corresponding field when we move to PHP.

The final result, displayed in the client's browser, should look like this:

Reading data with PHP

After completing our HTML form, we can move on to the next step. Let's define the elements of the target page using PHP.

The source code below, inserted in the file target.php, will be executed by PHP as soon as the user submits the form data that we created earlier.

    // Prints the values of each field on the page
    echo(
    "The user identified as " . $_GET["iduser"] . " added the video whose ID is " . $_GET["v"] . " to the playlist " . $_GET["idplaylist"] . "."
    );
?>

Notice that we use the superglobal $_GET[] variable to obtain the values inserted by the user, that were transmitted using the HTTP protocol. For each field that we previously created on the form, its corresponding name attribute must be informed within the superglobal variable. For example: the field that shows the attribute name="iduser" can be found in PHP by using $_GET["iduser].

PHP has some native superglobals variables, such as $_GET, $_POST, and $_REQUEST. Remember that we use them according to the HTTP request method that we are using for data transmission, so it must correspond to what been defined in the method attribute of our element.

💡 PHP's $_REQUEST superglobal variable can carry information from both $_GET and $_POST methods, in addition to any cookies transmitted in $_COOKIE. However, its use is not always recommended: the best practice is that developers know the methods used for inputs and outputs traveling on their server, in order to avoid more generic commands.

Then, we separate the strings and the variables in PHP with the . character, so each fragment of text is contained between the " characters, at the beginning and at the end of the sentence. Finally, we print on the user's screen the entire expression within the parentheses with the echo() function.

📝 Learn by doing

Did you notice that the URL address on target.php page shows the values typed in the source page?

Test #1: Rewrite the source code of the form we coded, using another requisition method, so that the information stays safe from reading by eavesdroppers and unauthorized people. After you finish, you can check the final answer.

Increasing HTML form security

Our HTML form is finally done! However, we can increase the security of our page, protecting the reading of the information on PHP.

This is our last step. We will add an extra layer of security, although basic, to prevent PHP from executing commands at the moment it receives and displays the values reported by the client.

💡 The rule in programming is to never blindly trust the values inserted by the user. Unfortunately, many bad agents have exploited technical problems on websites in order to collect sensitive information, or to damage servers by executing unexpected commands. For those reasons, it is very important that you protect, beforehand, the transmitted requests and the server, after all, if the users' interests are legitimate, they will also benefit from the increased security of your application.

The technique that filters and transforms the values entered by the user into simpler strings is called sanitization. By default, PHP has a collection of native functions that helps us on this step, such as the following:

• htmlspecialchars() - Converts special characters, such as &“”<>, to HTML entities;
• htmlentities() - Similar to the previous one, but it converts a larger number of characters to HTML entities;
• strip_tags() - Removes HTML and PHP tags from a string, such as hyperlinks and comments.

When we use adequate sanitization, as soon as the server receives an improper information — for example, — it will be transformed, “sanitized”, and should not display a warning message on the users' screen in this case.

💡 Notice that, in our example, we use a harmless, in theory, script — at most, uncomfortable for the user. However, it is important to reiterate: you must always protect and sanitize information. In other cases, a bad agent could transmit malicious scripts — this technique is known as Cross-Site Scripting, or XSS — or execute harmful commands to the database (usually called SQL Injection).

Let's edit the source code of our page, by adding one of these sanitizing functions. Our final code should look like this:

    // Prints the values of each field on the page
    echo(
    "The user identified as " . htmlspecialchars($_GET["iduser"], ENT_QUOTES, "UTF-8") . " added the video whose ID is " . htmlspecialchars($_GET["v"], ENT_QUOTES, "UTF-8") . " to the playlist " . htmlspecialchars($_GET["idplaylist"], ENT_QUOTES, "UTF-8") . "."
    );
?>

The final result, displayed in the browser, should look like the figure below:

📝 Learn by doing

Have you ever noticed that the majority of sites and search engines use the q parameter to transmit the data inserted by the user in the query requests to the server?

Test #2: Create a search form, using HTML and PHP, that contains at least 1 text field and 1 button to send the data, so that the address URL on the target page displays the q (or “query”) parameter. It should receive the values, sanitized, inserted by the user in the text field. After you finish, you can check the final answer.

Conclusion

So, we're done! We made our electronic form in HTML that is capable of transmitting data via HTTP request methods, in this case, GET or POST — and we also understand how they work —, and send them to the target page written in PHP. Then, it receives, handles the data, and displays the information on the user's screen. Also, we sanitized the values informed by the user in order to avoid serious problems of information security.

Next steps 🚶

Internet security it is never too much, so there is always something more to learn and apply. In order to build safer applications, be sure to follow the next article on this series, and read the Security topic in the PHP Manual.

If you have any questions or suggestions on how to build more secure applications using PHP, share it in the comments. 📣

References

[1] “HTTP Request Methods”, from w3schools: https://www.w3schools.com/tags/ref_httpmethods.asp.

[2] “HTTP”, from MDN Web Docs (Mozilla Developer Network): https://developer.mozilla.org/en-US/docs/Web/HTTP.

[3] “GET”, from MDN Web Docs (Mozilla Developer Network): https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET.

[4] “POST”, from MDN Web Docs (Mozilla Developer Network): https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST.

[5] “htmlspecialchars”, from PHP Manual: https://www.php.net/htmlspecialchars.

[6] “htmlentities”, from PHP Manual: https://www.php.net/htmlentities.

[7] “strip_tags”, from PHP Manual: https://www.php.net/strip_tags.

[8] “Superglobals”, from PHP Manual: https://www.php.net/manual/en/language.variables.superglobals.php.

What is get safe value in PHP?

It contains data that could be manipulated, but as long as that data is not used stupidly, that is not a security risk.

How do I protect a post request?

To secure a password or other confidential data you must use SSL or encrypt the data before you POST. Another option would be to use Digest Authentication with the browser (see RFC 2617). Remember that (home grown) encryption is not enough to prevent replay attacks, you must concatenate a nonce and other data (eg.

Which method is secure for securing data in PHP?

Use SSL Certificates For HTTPS HTTPs provides a secured and encrypted accessing channel for untrusted sites. You must include HTTPS by installing SSL certificate into your website. It also strengthens your web applications against XSS attacks and prevents the hackers to read transported data using codes.