I am trying to read get parameters in such a way that will not open up potential security issues.
What I was thinking was matching the request parameter explicitly to what I expect and then setting a default for anything that doesn’t match.
For example:
<?php
// Explicit whitelist: accept only the two values we expect, fall back to "both".
// The ?? operator avoids an "undefined index" notice when the parameter is absent.
if (($_REQUEST['media'] ?? '') == "video")
    $sort = "video";
elseif (($_REQUEST['media'] ?? '') == "audio")
    $sort = "audio";
else
    $sort = "both";
Is this enough or are further steps necessary?
What you mention is safe, but is overly verbose. Using PHP’s array operations would let PHP handle the dirty work for you:
If this sort of superglobal parsing is common throughout your code, you could abstract this into a function that handles it for you (as many large PHP projects do).
As Gavin noted, it’s also a good idea to use the specific superglobal that you’re interested in (i.e. $_GET, $_POST, or $_COOKIE) if at all possible. It might not seem important now, but some ugly bugs can manifest from naming conflicts between the three superglobals (e.g. sort in $_COOKIE may refer to the default sorting of search results, but sort in $_GET refers to ascending or descending order).
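The answer's own code snippet is not reproduced on the page. As an added example (not the questioner's or the answerer's code), the following PHP puts the three points of the answer together: a fixed whitelist checked with array operations, the check wrapped in a reusable function, and the specific superglobal ($_GET) passed in explicitly instead of $_REQUEST. The function name pick_param, the allowed values and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original question or answer.
// pick_param, the allowed values and the sample inputs below are assumptions.

/**
 * Return $source[$param] if it exactly matches one of $allowed,
 * otherwise return $default.
 *
 * Only string values are accepted: a request such as ?media[]=video makes
 * $_GET['media'] an array, and that is silently mapped to the default instead
 * of reaching later code that expects a string.
 */
function pick_param(array $source, string $param, array $allowed, string $default): string
{
    $value = $source[$param] ?? null;
    if (!is_string($value)) {
        return $default;
    }
    // strict=true makes in_array use ===, so PHP's loose type juggling
    // (e.g. numeric-string comparisons) cannot widen the whitelist.
    return in_array($value, $allowed, true) ? $value : $default;
}

// Constructed sample inputs standing in for $_GET. In real code pass $_GET
// (or $_POST / $_COOKIE) itself, never $_REQUEST, so the source is unambiguous.
$samples = [
    ['media' => 'video'],       // exact match: accepted
    ['media' => 'audio'],       // exact match: accepted
    ['media' => 'VIDEO'],       // case differs: rejected, default used
    ['media' => ['video']],     // array instead of string: rejected
    [],                         // parameter absent: default used
    ['media' => "video\0"],     // trailing NUL byte: not an exact match, rejected
];

foreach ($samples as $get) {
    $sort = pick_param($get, 'media', ['video', 'audio'], 'both');
    echo json_encode($get), ' -> ', $sort, PHP_EOL;
}
```

Because every non-matching input collapses to the default, the rest of the script only ever sees one of the three known strings, which is what makes the value safe to interpolate into a query or a file name later on.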