How to secure query strings in php ?

StackOverflow https://stackoverflow.com/questions/16202574

Question

the urlencode and urldecode functions are there, but if you have an encoded value that can be easily decoded using the urldecode function.

Is there any other method which can be used to make the query string stronger and less prone to attacks. using hashing would be fine but if can try not to use too much compute.

Was it helpful?

Solution

It sounds like you're talking about URL strings rather than query strings. The best way to secure variables which you don't want the user to see is to use POST actions instead of GET actions.

The purpose of urlencode is not to provide security, it's to encode strings which may contain special characters etc. to pass in a GET request.

POST does not store the variables as a part of the URL or in the browser history, so it's much better for sending sensitive information. If you want to actually secure the information against user manipulation, you'll have to hash or encrypt it (for example, passwords should be hashed before posting).

POST vs GET comparison

OTHER TIPS

Keep in mind that even using POST, you're not really hiding anything from someone who wants to get at that data. Be very careful of what kind of data you allow to be sent in GET and POST. Know that no matter which you choose, it can still be manipulated by the end user.

Guessing this is what you're wanting to look at. This will show you how to "clean" input from users, whether it's from the query-string or not.

I'm not sure how POST'ing the variables is any safer at all... Chrome Dev Tools will get around that no problem.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top