In this beginner PHP tutorial, we will show you how to retrieve query string parameters from a URL. We will also tell you about some of the most common pitfalls.
Take the following URL as an example, which contains two GET parameters:
page.php?id=23&page=34
In the URL above, we have two GET parameters. id, which contains the value 23, and page, which contains the value 34.
Let’s say that we want to retrieve those values so that we can use them in our PHP script.
If we want to retrieve the values of those two parameters, we can access the $_GET superglobal array like so:
//Get our two GET parameters. $id = $_GET['id']; $page = $_GET['page'];
Although the PHP code will work, it wrongly assumes that the GET parameters in question will always exist.
As a result, there is a possibility that our script will throw an ugly undefined index notice if a user removes one of the parameters from the URL.
This will result in PHP spitting out the following message:
Notice: Undefined index: id in /path/to/file.php on line 4
To guard against this kind of issue, you will need to check to see if the GET variable exists before you attempt to use it:
$id = false;
if(isset($_GET['id'])){
$id = $_GET['id'];
}
$page = false;
if(isset($_GET['page'])){
$page = $_GET['page'];
}
In the example above, we use PHP’s isset function to check whether or not the parameter in question actually exists.
If it does exist, we assign it to one of our variables. If it doesn’t, then our variables will retain their default FALSE values.
Never trust GET parameters. Always validate them.
GET parameters should always be treated with extreme caution.
- You cannot assume that they will always exist.
- If they do exist, you can’t discount the possibility that the user has tampered with them.
In other words, if you expect id to be an integer value and a user decides to manually change that to “blahblahblah”, your PHP script should be able to handle that scenario.
URL parameters are external variables, and external variables can never ever be trusted.
Never directly print GET parameters onto the page.
Printing out GET parameters without sanitizing them is a recipe for disaster, as it will leave your web application wide open to XSS attacks.
Take the following example:
$page = false;
if(isset($_GET['page'])){
$page = $_GET['page'];
}
if($page !== false){
echo '<h1>Page: ' . $page . '</h1>';
}
Here, we’ve done everything right except the final step:
- We check to see if the GET parameter exists before we access its value.
- We do not print the page number out if it doesn’t exist.
However, we did not sanitize the variable before we printed it out. This means that an attacker could easily replace our GET variable with HTML or JavaScript and have it executed when the page is loaded.
They could then redirect other users to this “tainted” link.
To protect ourselves against XSS, we can use the PHP function htmlentities:
//Guarding against XSS
if($page !== false){
echo '<h1>Page: ' . htmlentities($page) . '</h1>';
}
The htmlentities function will guard against XSS by converting all special characters into their relevant HTML entities. For example, <script> will become <script>