PHP: How to retrieve URL parameters.

In this beginner's PHP tutorial, I will show you how to retrieve query string parameters from a URL. I will also tell you how to avoid some of the most common pitfalls.

Take the following URL as an example, which contains two GET parameters:

page.php?id=23&page=34

In the URL above, we have two GET parameters: id, which contains the value 23, and page, which contains the value 34.

Now, let’s say that we want to retrieve those values so that we can use them in our PHP script.

If we want to retrieve the values of those two parameters, we can simply access the $_GET superglobal array like so:

//Get our two GET parameters.
$id = $_GET['id'];
$page = $_GET['page'];

Although the PHP code above will work, it assumes that the GET parameters in question will always exist. As a result, there is always the possibility that our script will throw an ugly undefined index notice if a user manually or mistakenly removes one of our parameters from the URL.

This will result in PHP spitting out an ugly error message:

Notice: Undefined index: id in /path/to/file.php on line 4

To guard against this, you will need to check to see if the GET variable exists before you attempt to retrieve it:

$id = false;
if(isset($_GET['id'])){
    $id = $_GET['id'];
}

$page = false;
if(isset($_GET['page'])){
    $page = $_GET['page'];
}

In the example above, we use PHP’s isset function to check whether or not the parameter in question actually exists. If it does, we assign it to one of our variables. If it doesn’t, then our variables retain their default FALSE values.

Never trust GET parameters as they are. Always validate them.

GET parameters should always be treated with extreme caution.

  1. You cannot assume that they will always exist.
  2. If they do exist, you can never discount the possibility that the user has tampered with the URL in question.

For example, if you expect id to be an integer and a user manually changes it to “blahblahblah”, your PHP script must be able to handle that scenario. URL parameters are external input, and external input can never be trusted.

Never directly output GET parameters onto the page.

Printing out GET parameters without sanitizing them is a recipe for disaster, as it will leave your web application wide open to XSS attacks.

Take the following example:

$page = false;
if(isset($_GET['page'])){
    $page = $_GET['page'];
}

if($page !== false){
    echo '<h1>Page: ' . $page . '</h1>';
}

Here, I’ve done everything right except the final step:

  1. I checked to see if the GET parameter was set before I attempted to access its value.
  2. I made sure that I didn’t print out the page number if it didn’t exist.

However, I did not sanitize the variable before I printed it out. This means that an attacker could simply replace my GET variable with some HTML or JavaScript and have it execute when the page is loaded. They could then send other users to this “tainted” link.

To guard against this, we can simply use the PHP function htmlentities:

// Guarding against XSS
if($page !== false){
    echo '<h1>Page: ' . htmlentities($page) . '</h1>';
}

The htmlentities function guards against XSS by converting all special characters into their corresponding HTML entities. For example, <script> will become &lt;script&gt;, which the browser renders as text instead of executing.
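As an added example that is not part of the original tutorial, the script below combines the three steps covered above (check that the parameter exists, validate its type, escape it on output) in one place. It assumes a constructed $_GET array so it can be run from the command line, uses filter_var with FILTER_VALIDATE_INT for the integer check on id, and passes ENT_QUOTES and a charset to htmlspecialchars instead of calling htmlentities with its defaults.

```php
<?php
// Added example, not the tutorial's own code.
// Constructed sample input standing in for a real request: id has been tampered with.
$_GET = ['id' => 'blahblahblah', 'page' => '34'];

/**
 * Return the named GET parameter as an int, or $default if it is missing,
 * not a whole number, or below $min. FILTER_VALIDATE_INT rejects values
 * such as "blahblahblah", "23abc", "" and "2.5".
 */
function get_int_param(string $name, ?int $default = null, int $min = 1): ?int
{
    if (!isset($_GET[$name])) {
        return $default;   // parameter was removed from the URL
    }
    $value = filter_var($_GET[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min],
    ]);
    return $value === false ? $default : $value;   // tampered or out of range
}

/** Escape a value for use inside HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$id   = get_int_param('id');        // "blahblahblah" fails validation, so null
$page = get_int_param('page', 1);   // falls back to page 1 when missing or invalid

if ($id === null) {
    // Reject the request instead of trying to work with a bad id.
    http_response_code(400);
    echo '<p>Invalid or missing id.</p>' . PHP_EOL;
} else {
    echo '<p>Record ' . h((string) $id) . '</p>' . PHP_EOL;
}

// Even a validated integer goes through h() so every output path is escaped.
echo '<h1>Page: ' . h((string) $page) . '</h1>' . PHP_EOL;

// A tampered string value is neutralised on output rather than rendered as markup.
echo '<p>Search: ' . h('<script>alert(1)</script>') . '</p>' . PHP_EOL;
```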

Hopefully, you found this guide useful.