Is it insecure to use $_GET to update/delete data from a MySQL table?
I can’t use $_POST since it requires a <form> tag.
For example:
<a href="status.php?id='123'">Unapprove</a>
<?php
// $db is assumed to be an existing PDO connection.
if (isLoggedIn() && groupId() == 2) {
    if (isset($_GET['id']) && is_numeric($_GET['id'])) {
        $query = $db->prepare("UPDATE table SET unapprove = '1' WHERE id = :id");
        // Bind the id as an integer, since the column is numeric.
        $query->bindValue(':id', (int) $_GET['id'], PDO::PARAM_INT);
        $query->execute();
    }
}
?>
Please provide an example of how you would secure my example, or a better way.
While not subject to SQL injection, what you’re doing is not secure because it is subject to cross-site request forgery (CSRF).
Consider the effect of being logged into your site and visiting another that has this image:
Ideally, always use POST for non-idempotent requests.
And at any rate, you need to add a secret token which is both session- and link-specific:
As an aside, the '123' in the link should probably be 123.
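The following is an added example, not code from the question or the answer above, showing one way to apply the answer's advice: switch the action to POST and require a token bound to both the session and the specific row. The attack being prevented is a page under the attacker's control embedding something like `<img src="https://your-site/status.php?id=123">`; a logged-in moderator's browser fetches that URL with their session cookie and the row is unapproved without any click. `$db`, `isLoggedIn()` and `groupId()` are taken from the question; `csrfSecret()`, `actionToken()`, `validToken()` and `renderUnapproveForm()` are illustrative names invented for this example.

```php
<?php
// Added example (not from the original question or answer). Assumes an
// existing PDO connection in $db and the isLoggedIn()/groupId() helpers
// from the question; the token functions below are illustrative.
session_start();

// Per-session secret, generated once and never sent to the browser as-is.
function csrfSecret(): string {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

// Token bound to this session AND to one action on one row, so a token
// captured for one link cannot be replayed against a different row or action.
function actionToken(string $action, int $id): string {
    return hash_hmac('sha256', $action . ':' . $id, csrfSecret());
}

function validToken(string $action, int $id, string $given): bool {
    // Constant-time comparison so the check does not leak through timing.
    return hash_equals(actionToken($action, $id), $given);
}

// Rendering the moderation list: a small POST form per row replaces the
// GET link, carrying the row-specific token in a hidden field.
function renderUnapproveForm(int $id): string {
    $token = htmlspecialchars(actionToken('unapprove', $id), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="status.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Unapprove</button>'
         . '</form>';
}

// status.php handler: only POST, only moderators, only with a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isLoggedIn() && groupId() == 2
    && isset($_POST['id'], $_POST['token'])
    && ctype_digit($_POST['id'])) {

    $id = (int) $_POST['id'];
    if (!validToken('unapprove', $id, (string) $_POST['token'])) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }

    // Same prepared statement as the question; the token check is what
    // stops a forged cross-site request from reaching this point.
    $query = $db->prepare("UPDATE table SET unapprove = '1' WHERE id = :id");
    $query->bindValue(':id', $id, PDO::PARAM_INT);
    $query->execute();
}
```

Because the token is an HMAC over the action and row id keyed by a per-session secret, nothing has to be stored per link: the server recomputes it on submission. A browser on another origin cannot read the secret or the rendered form, so it cannot produce a token that passes `hash_equals`, and a GET to `status.php?id=123` is ignored outright by the method check.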