My hosting company says that code to echo a string is no longer safe. register_globals being enabled will fix this; however, enabling this is strongly discouraged for security reasons. This is what I have been using: website.com?keyword=1234 with <?php echo $keyword; ?>, with the result being "1234". What is the modern secure way to echo?
You never want to trust user input. In this case I can manipulate the page output and make your website show any content I would like it to show, basically website.com?keyword=<script>alert('hola')</script>. Of course there are lots of ways to do this, as you can see here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet What you will need to do is escape the data with something like htmlspecialchars, strip_tags, etc. There is no way to be 100% secure when doing this though; you can read about it here: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php
Well. Maybe not 100%, but close enough. The stackoverflow link is quite informative. Regardless, outputting unfiltered user input is always a bad idea.
I think it's not the echo itself, but the fact that the echo outputs a direct $_GET variable by using the keyword (which isn't even available if they set up the server properly).
There are 2 types of data you can use, GET and POST. GET comes from the URL params (or a form element with the GET method) while POST comes from the form elements with the POST method.

If you have:
website.com?keyword=1234
this would work:
echo $_GET['keyword'];

If you have:
<input type="text" value="1234" name="keyword" id="keyword" />
this would work:
echo $_POST['keyword'];
Yes. And if you have set up globals, you can just do
echo $keyword;
as the OP states that he does. Which is abysmally bad.
You should disable register_globals. Read this: http://php.net/manual/en/security.globals.php and you will get the idea.
Or if you're lazy you can use $_REQUEST, which checks for both GET and POST. Useful for debugging forms.
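Putting the thread's advice together (read the parameter explicitly from $_GET instead of relying on register_globals, then escape it before echoing), here is an added example; it is not code from any of the posters, and the function name html_param and the sample inputs are my own.

```php
<?php
// Added example: the safe replacement for `echo $keyword;` under register_globals.
// Reads the parameter from an explicit superglobal and escapes it for HTML output.
declare(strict_types=1);

/**
 * Return a request parameter escaped for use in HTML text or a quoted attribute.
 * $source is passed in ($_GET or $_POST) so the function is testable without a web server.
 */
function html_param(array $source, string $key, string $default = ''): string
{
    $raw = $source[$key] ?? $default;
    // A request like ?keyword[]=x yields an array; echoing it would print "Array",
    // so treat anything that is not a string as absent.
    if (!is_string($raw)) {
        $raw = $default;
    }
    // Escaping, not stripping, is the right tool for output: htmlspecialchars keeps the
    // original text but neutralises < > & " ' so the browser renders rather than executes it.
    // ENT_QUOTES also escapes single quotes, so the value is safe inside value='...' too;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-ins for $_GET: the benign value from the question and the probe from the reply.
$benign = ['keyword' => '1234'];
$probe  = ['keyword' => "<script>alert('hola')</script>"];

// Unsafe (what the original page did): the probe is emitted as live markup.
$unsafe = '<p>You searched for: ' . $probe['keyword'] . '</p>';

// Safe: the same input is emitted as inert text inside the page.
$safeBenign = '<p>You searched for: ' . html_param($benign, 'keyword') . '</p>';
$safeProbe  = '<p>You searched for: ' . html_param($probe, 'keyword') . '</p>';

echo $unsafe, PHP_EOL;
echo $safeBenign, PHP_EOL;
echo $safeProbe, PHP_EOL;
```

In a real page the call is simply html_param($_GET, 'keyword') at the point of output; the escaping must be applied for every echo of request data, not once at input time, because the correct escaping depends on where the value ends up (HTML body, attribute, JavaScript, URL).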