Secure a POST/GET variable even if the script is not connected to MySQL?


If the PHP script is connected to MySQL, I would use:

$variable = mysql_real_escape_string($_GET["email"]);

And if it's a plain script, with no relation to any MySQL database, how would I secure that variable that comes from the submitted URL?

Thank you.

Do you have to get $_GET? Why not $_POST?

That, in my mind, would depend a lot on what “secure” means to you. If you just need to replicate the function mysql_real_escape_string() - why not just… continue to use it? It doesn’t require a connection to use it. If you want to validate input, or ensure that it’s not malicious, there are tons of resources out there. You can build your own validation function and check for character case, regex to remove particular characters, you can check for particular strings, numbers, characters, et cetera.


Secure it to do what with it? I can send "rm -rf /" as my email, but unless you call exec($variable) on it, it does nothing but be a string.

Secure it to do what with it?

I think that's the big question here.

That's not correct:
(from the manual)


The string that is to be escaped.

The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

A warning level error doesn’t make it unusable. AFAIK, that parameter is optional - I’ve seen it used without issue sans MySQL connection. Whether it should be used, though…

To be honest, this is a bit of a moot point, as you should really find a solution that doesn’t involve mysql_real_escape_string() at all, regardless. If you’re using MySQL, use something like PDO to fulfill this need, and if you’re using PHP alone, then… we still need to know what you’re securing / why / what you’re securing against to give better advice.

I tried it out of curiosity. It didn't work, just as described.

Interesting. I might go take a look when I can - could be that the example I was thinking of had some other extenuating circumstance, or something I’ve forgotten. But, regardless (this is a side issue) I’d still argue that we need some clear information to give good advice!

Edit: For curiosity’s sake, I tried it too, threw up a test file without any MySQL connections at all. I get the deprecation warning, but it otherwise works as expected. Odd.

The same way you secure ALL variables regardless of how you send them - by VALIDATING their content to make sure that what is entered makes sense for that field. If it isn’t user input you might SANITIZE the field instead.

The code you posted is NOT providing any security on the value from the $_GET - someone could still fill your database with huge quantities of meaningless junk.

Escaping is an output function that has nothing whatever to do with security and exists in order to mark data that might be misinterpreted as code - something that can’t happen in SQL if you keep them separate by using prepare/bind
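To make the validate-then-bind approach in this last reply concrete (and the "build your own validation function" suggestion from earlier in the thread), here is an added example that is not code from any post above. It assumes a hypothetical `subscribers(email)` table and PDO credentials, uses PHP's built-in filter_var() for the e-mail check, binds the value as a parameter so no SQL escaping is needed, and escapes only at the point where the value is written into HTML.

```php
<?php
// Added example, not from the original thread.
// Assumptions (hypothetical): a MySQL database "app" with a table
// subscribers(email), reachable with the DSN/credentials below.

declare(strict_types=1);

/**
 * Validate the raw value taken from $_GET or $_POST.
 * Returns the accepted address, or null if the value does not make
 * sense for an e-mail field. Nothing is "escaped" here: validation
 * decides whether the data is acceptable at all.
 */
function validateEmail($raw): ?string
{
    // A missing key or an array (?email[]=x) is rejected, not coerced.
    if (!is_string($raw)) {
        return null;
    }
    $email = trim($raw);

    // Length limit stops someone filling the column with kilobytes of junk
    // (254 is the practical maximum length of an e-mail address).
    if ($email === '' || strlen($email) > 254) {
        return null;
    }

    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$email = validateEmail($_GET['email'] ?? null);
if ($email === null) {
    http_response_code(400);
    exit('Please supply a valid e-mail address.');
}

// Data and SQL are kept separate with a prepared statement, so the value
// can never be interpreted as part of the query. mysql_real_escape_string()
// has no role here at all.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$stmt = $pdo->prepare('INSERT INTO subscribers (email) VALUES (:email)');
$stmt->execute([':email' => $email]);

// Escaping belongs at the output boundary: when the value is written into
// HTML, encode it for HTML so it cannot be read as markup or script.
echo 'Thanks, ' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '!';
```

The same pattern applies whatever the value is used for: decide with validation whether the input is acceptable for the field, pass it to the database through prepare/bind, and apply escaping only for the specific output context (HTML, a shell command, a URL) at the moment the value is emitted there.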