Question

I want to make a modification to my phpBB3, and it requires using the $_GET method by grabbing a variable in the URL.

But just using $_GET would increase the vulnerability of my phpBB3, wouldn't it? Is there a function in phpBB3 that would make it safer or anything?

Thanks.

Solution

In phpBB3, the best and safest way to get data from requests is to use the request_var() function. http://wiki.phpbb.com/display/DEV/Function.request+var

Other tips

I'm not sure what sort of functions phpbb3 may have available, but just the fact that you're using $_GET won't necessarily increase the vulnerability of the software.

It's what you plan on doing with the $_GET that is more important. And you'll also need to take into consideration that when there is an update to the phpbb3 software, you'll need to re-make your adjustment each time.

phpBB3 mostly just checks for $_GET contents. If you need an integer, you can use intval($_GET['variablename']), or htmlspecialchars($_GET['variablename']) for a string.

There's nothing wrong with using $_GET, but you should also be cleaning the data, using standard php functions such as htmlgetchars() and strip_tags(), and possibly custom regular expression strings to ensure that the input has the right type of data (e.g., if you're only expecting letters, there should be no numbers, and if only numbers, no letters or punctuation).
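
Added example, not part of the original question or answers and not phpBB's own code: a stand-alone PHP helper showing the pattern the answers describe, where each request value is coerced to an expected type, escaped for HTML output, or checked against an allow-list. The names `get_typed()` and `letters_only()` are hypothetical, and `$sample` is constructed input standing in for `$_GET`.

```php
<?php
// Illustrative stand-in for typed request access; NOT phpBB's request_var().

/**
 * Read one request parameter and coerce it to the type of $default.
 * Arrays are rejected, so ?id[]=1 cannot pass a non-scalar value through.
 */
function get_typed(array $source, string $name, $default)
{
    if (!isset($source[$name]) || !is_scalar($source[$name])) {
        return $default;
    }
    $value = $source[$name];

    if (is_int($default)) {
        // Strict integer parse: "42abc" falls back to the default,
        // whereas intval("42abc") would silently return 42.
        $int = filter_var($value, FILTER_VALIDATE_INT);
        return $int === false ? $default : $int;
    }

    // String: require valid UTF-8, trim, then HTML-escape for output.
    $value = trim((string) $value);
    if (preg_match('//u', $value) !== 1) {
        return $default;
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Allow-list check for the "letters only" case. */
function letters_only(string $value, string $default = ''): string
{
    return preg_match('/\A[A-Za-z]+\z/', $value) === 1 ? $value : $default;
}

// Constructed sample input standing in for $_GET.
$sample = [
    'topic_id' => '42',
    'bad_id'   => '42abc',
    'name'     => '<b>Bob</b>',
    'arr'      => ['x'],
];

var_dump(get_typed($sample, 'topic_id', 0)); // valid integer
var_dump(get_typed($sample, 'bad_id', 0));   // rejected, default used
var_dump(get_typed($sample, 'name', ''));    // markup escaped
var_dump(get_typed($sample, 'arr', ''));     // array rejected
var_dump(letters_only('abc123', 'guest'));   // digits fail the allow-list
```

HTML escaping only covers values echoed into a page; a value that goes into an SQL query still needs an integer cast or the database layer's own escaping.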

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow