Might be a silly question, but nonetheless:
I'm playing around with the following code:
<?php
// Compare the query-string parameter ?a=... against the literal 'a'
// using PHP's loose (==) comparison.
$a = 'a';
if ($_GET['a'] == $a) {
    echo 'true';
} else {
    echo 'false';
}
Now, is there any way to send data that breaks the verification? Obviously the way it could have been done with an SQL injection won't work here.
I'm just wondering how secure this way of validating is.
Thanks in advance.
EDIT:
My question was: is there anything that can be passed through $_GET that could 'break' the comparison and always output 'true'?
If you are looking to validate that $_GET['a'] really, in fact, equals "a" and nothing else, then yes, that's the code. However, if you're expecting "a" and only "a", it probably shouldn't be a user input.

Validation (or sanitation) means taking whatever string they might throw at you and making sure it's valid for whatever purpose you want it for. If it's sent to the database, pass it through mysql_escape_string() or use prepared statements. If it's to be displayed as HTML, make sure there aren't any harmful tags by using htmlentities() or strip_tags().

Your verification isn't good for anything other than saying the user has input "a". But yes, nothing other than "a" would be able to get through.
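As an added example (not code from the question or the answer above), the PHP 8 script below runs the loose `==` check from the question side by side with a strict `===` check over a constructed set of inputs shaped the way PHP's query-string parser would deliver them. `$_GET` is simulated with an inline array so the script runs from the CLI; the helper names `looseCheck` and `strictCheck` are my own. It goes beyond the literal `'a'` case to show where loose comparison does accept bytes that differ from the expected value: numeric strings.

```php
<?php
// Added example for this thread, not code from the question or the answer.
// Run with: php loose_vs_strict.php   (file name is my own choice)
declare(strict_types=1);

/** The check exactly as written in the question: loose (==) comparison. */
function looseCheck(mixed $input, mixed $expected): bool
{
    return $input == $expected;
}

/**
 * Hardened form: reject anything that is not a string (PHP builds an
 * array from ?a[]=x) and compare with === so no type juggling applies.
 */
function strictCheck(mixed $input, string $expected): bool
{
    return is_string($input) && $input === $expected;
}

// Constructed inputs, shaped as PHP's query-string parser delivers them.
// Each row: [label, value that would arrive as $_GET['a'], expected value].
$cases = [
    ['exact match',             'a',    'a'],
    ['different letter',        'b',    'a'],
    ['array from ?a[]=a',       ['a'],  'a'],
    // Two numeric strings are compared as numbers under ==, so these rows
    // match even though the bytes differ. The literal 'a' in the question
    // is not numeric, which is the only reason == is exact there.
    ['1e3 vs 1000',             '1e3',  '1000'],
    ['leading space',           ' 1',   '1'],
    ['"magic hash" pair',       '0e462097431906509019562988736854',
                                '0e830400451993494058024219903391'],
    ['int expected, string in', '1000', 1000],
];

foreach ($cases as [$label, $input, $expected]) {
    printf("%-26s ==: %-5s ===: %s\n",
        $label,
        looseCheck($input, $expected) ? 'true' : 'false',
        strictCheck($input, (string) $expected) ? 'true' : 'false'
    );
}

// In a real request handler the same guard reads:
//   $value = $_GET['a'] ?? null;
//   if (strictCheck($value, 'a')) { ... }
```

The point of the table is that the answer's conclusion depends on the expected value, not on `==` itself: comparing against a non-numeric literal like `'a'` is exact, but comparing user input against anything that PHP can read as a number (a numeric ID, a hash that happens to look like `0e...`) lets different strings through. Type-checking the input and using `===` removes that dependency.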