Article: PHP Security, Part 1
Subject: Just some Comments on this column
Date: 2004-12-31 23:47:25
From: phpORcaffine
I have to say, I am not a fan of $_GET; however, it does have a place. In the above example, POSTing (method="POST") would be more secure than the GET method. Anytime you put data in a global namespace area (the address bar) you are asking for trouble.

If a GET method cannot be avoided, I recommend using a hash/encrypt function on the data before it is placed into the address bar. Also use "key characters" in front of the string so that you can detect the characters once you GET the data; if the "key characters" do not exist in the string, then NULL the value of the string, because the string's data obviously didn't come from your script and is probably an attack attempt.

Another secure method would be to store all of the values in a "transfer" database. Just set up a database with tables that apply to your site and use it to transfer the variable data, so the user never sees it.
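One way to implement the detectable-marker idea from the comment above, as an added example that is not from the original post or the article: the "key characters" are an HMAC computed over the value with a server-side secret (the `SECRET` constant is a placeholder), so a value edited in the address bar fails verification and is nulled, as the comment recommends.

```php
<?php
// Added example (not from the original post): carry a value through a GET
// parameter with a keyed marker in front of it. The marker is an HMAC over
// the value using a server-side secret, so editing the value in the address
// bar without the secret cannot produce a matching marker.

const SECRET = 'replace-with-a-long-random-server-secret'; // placeholder

// Build the token that goes into the URL: <hmac-hex>.<base64url(value)>
function protect_get_value(string $value, string $secret = SECRET): string {
    $encoded = rtrim(strtr(base64_encode($value), '+/', '-_'), '=');
    $mac = hash_hmac('sha256', $encoded, $secret);
    return $mac . '.' . $encoded;
}

// Recover the original value from a token taken from $_GET. Returns null
// when the marker is missing, malformed, or does not match the value.
function recover_get_value(?string $token, string $secret = SECRET): ?string {
    if ($token === null || strpos($token, '.') === false) {
        return null;
    }
    [$mac, $encoded] = explode('.', $token, 2);
    // Reject anything outside the expected alphabet before doing any work.
    if (!preg_match('/^[0-9a-f]{64}$/', $mac)
        || !preg_match('/^[A-Za-z0-9_-]*$/', $encoded)) {
        return null;
    }
    $expected = hash_hmac('sha256', $encoded, $secret);
    // Constant-time comparison so the check does not leak via timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $decoded = base64_decode(strtr($encoded, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// Usage: generate the link, then verify what comes back in $_GET['d'].
$token = protect_get_value('user=42');
$url = '/view.php?d=' . rawurlencode($token);
var_dump(recover_get_value($token));            // original value
$tampered = substr_replace($token, 'x', 0, 1);   // first marker char changed
var_dump(recover_get_value($tampered));         // marker mismatch, nulled
```

In a real page the token would be read as `$_GET['d'] ?? null` and the result of `recover_get_value()` used only when it is not null.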