We covered all these POST and GET request topics in college, but those three are still on my mind. I was wondering, since I'm not quite sure, why I shouldn't be using a GET request for those three examples. I'm just hoping that someone better at this can explain a bit more about all these options.
1.
sql = 'SELECT * FROM contacts WHERE id ?' .$_GET['id'];
Is it because if there isn't an id then I wouldn't be able to get it and PHP would show me an error message?
2.
eval($_GET['user_provided_code'];
Is it because a person who enters his/her code can basically insert whatever he/she wants and can take over my computer or delete something?
3.
function toFarenheit($temp){ return ($temp * 9 /5 + 32) * $_GET['const']; }
Same basic thinking as for the second option: we shouldn't insert data with a GET request, and in this case a person is able to insert whatever he/she likes.
Answer
Security-wise, there’s not really any difference between GET and POST. Generally, GET is used for idempotent operations (like selecting rows from a database and displaying them) and POST is used when the request creates a change (like updating a row.) The problem in these examples is not that they use GET, it’s that they don’t validate untrusted user input.
There’s nothing inherently wrong with building a SQL query from a value obtained from a GET request. The problem with this particular example (syntax errors aside) is only that it presumes the variable exists and contains a valid value.
eval() is virtually never needed and almost always introduces security issues. In this example, you're just blindly executing whatever the user gives you, which is a terrible idea.
$_GET['const'] might not exist. If it does exist, it might not contain a number. There's no real security issue; worst case is it'll evaluate to zero and return a bad result.
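One way to apply the answer's point in code, as an added example that is not part of the original question or answer: each of the three inputs is validated before use, the id is bound as a prepared-statement parameter rather than concatenated into the SQL, and the eval() call is replaced by an allow-list of named operations. It uses an in-memory SQLite database and a constructed $_GET array so it runs from the command line; the sample rows, the operation names and the `op` parameter are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample request standing in for a real query string (assumption:
// in a web request these values would come from the URL).
$_GET = ['id' => '42', 'const' => '1.8', 'op' => 'double'];

// In-memory SQLite database with a couple of constructed rows so the example
// runs offline; a real application would use its own PDO connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO contacts (id, name) VALUES (41, 'Ada'), (42, 'Grace')");

// Example 1: require that id exists and is a positive integer, then bind it as
// a parameter. A missing or malformed id never reaches the database.
function fetchContact(PDO $pdo, array $query): ?array
{
    $id = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // rejected before any SQL is built
    }
    $stmt = $pdo->prepare('SELECT id, name FROM contacts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example 2: instead of eval(), let the user choose by name from a fixed set
// of operations. Anything outside the allow-list is refused.
function applyOperation(string $name, float $value): ?float
{
    $allowed = [
        'double' => fn(float $v): float => $v * 2,
        'negate' => fn(float $v): float => -$v,
    ];
    if (!array_key_exists($name, $allowed)) {
        return null;
    }
    return $allowed[$name]($value);
}

// Example 3: const must be present and numeric; otherwise fail loudly instead
// of silently multiplying by zero and returning a wrong temperature.
function toFahrenheit(float $temp, array $query): float
{
    $const = filter_var($query['const'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($const === false) {
        throw new InvalidArgumentException('const must be a number');
    }
    return ($temp * 9 / 5 + 32) * $const;
}

// Usage with the constructed request above.
var_dump(fetchContact($pdo, $_GET));                   // row for id 42 (Grace)
var_dump(fetchContact($pdo, ['id' => '42 OR 1=1']));   // NULL: fails integer validation
var_dump(fetchContact($pdo, []));                      // NULL: id missing
var_dump(applyOperation($_GET['op'], 21.0));           // float(42)
var_dump(applyOperation('phpinfo();', 21.0));          // NULL: not in the allow-list
var_dump(toFahrenheit(100.0, $_GET));                  // float(381.6)
try {
    toFahrenheit(100.0, ['const' => 'abc']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                       // const must be a number
}
```

The same checks apply unchanged if the values arrive in $_POST instead of $_GET, which is the answer's point: the method does not decide whether the input is trustworthy, the validation does.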