Hello, I've been a member for a while, first topic though... Alright, I run this car forum/site thingy, and for the past few months, every week in the forum we would do this 'Featured Car' thing. Well, after a while we amassed quite a list. Well, long story short, I turned the forum site into an actual website. Now I combined all the forum posts about the cars and made nice articles about them and all that, and created a MySQL database for them. I then made a page that would pull from said database and populate depending on the variable being passed in the URL - something like, uh, /cars.php?carid=3. Is there anything I have to worry about here? Could someone change the variable to something malicious? Nowadays I hear a lot about XSS attacks and just various other malicious inputs, but I'm kind of hazy about it. So should I do a call to make sure the variable in the URL is actually a correct value? I also made a search box. Could they type a malicious script in there? I know I sound paranoid, but this is the first 'big' PHP thing I've done, meaning a lot of people will be hitting this PHP site, and the number one rule is - never trust anybody, ha. So thank you. - In short... passing variables through the URL, security risk?
In this case you need to check $_GET['carid']. It must be a number. For example: $carid = isset($_GET['carid']) ? intval($_GET['carid']) : 0;
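As an added example (not code from the original post or from the reply above), here is one way to handle both the ?carid= page and the search box end to end in PHP with PDO: validate the id as a plain positive integer and reject anything else, bind every request value as a query parameter so it never becomes part of the SQL text, and escape user text before echoing it back into the page so a search term cannot inject script. The table, its rows and the probe values are constructed for the demo, the in-memory SQLite database stands in for the site's MySQL one (only the DSN would change), and the function names are mine.

```php
<?php
// Added example, not code from the original post or reply. The table, rows
// and probe values are constructed; the in-memory SQLite database stands in
// for the site's MySQL database (change the DSN, the rest is unchanged).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly instead of returning false
]);

// Constructed sample data standing in for the 'Featured Car' articles.
$pdo->exec('CREATE TABLE cars (carid INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');
$pdo->exec("INSERT INTO cars (carid, title, body) VALUES
    (1, 'Featured Car #1', 'Article text for car 1'),
    (2, 'Featured Car #2', 'Article text for car 2'),
    (3, 'Featured Car #3', 'Article text for car 3')");

/**
 * Read ?carid= and return it as a positive int, or null when it is missing or
 * not a plain integer. FILTER_VALIDATE_INT rejects "3 OR 1=1", "3abc", "" and
 * array values outright; intval() would quietly turn "3 OR 1=1" into 3 and
 * hide the fact that someone is probing the page.
 */
function carIdFromQuery(array $get): ?int
{
    $id = filter_var($get['carid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch one article. The id is a bound parameter, never spliced into the SQL string. */
function fetchCar(PDO $pdo, int $carid): ?array
{
    $stmt = $pdo->prepare('SELECT carid, title, body FROM cars WHERE carid = :id');
    $stmt->bindValue(':id', $carid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Search box. The term is a bound parameter, and LIKE wildcards typed by the
 * user ('%' and '_') are escaped so they are matched literally rather than
 * turning the query into "return every row".
 */
function searchCars(PDO $pdo, string $term): array
{
    $term = trim($term);
    if ($term === '' || strlen($term) > 100) {
        return [];
    }
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT carid, title FROM cars WHERE title LIKE :pat ESCAPE '\\'");
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape user-controlled text before it goes into HTML. This is the XSS half of the problem. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demo with constructed request values, including what an attacker might send ---
$probes = ['3', '3 OR 1=1', "3' OR '1'='1", '-1', 'abc', ['1']];
foreach ($probes as $p) {
    $id  = carIdFromQuery(['carid' => $p]);
    $car = $id === null ? null : fetchCar($pdo, $id);
    // On the real page an unknown or malformed id should get
    // http_response_code(404) and a static message, never a database error.
    printf("carid=%-16s -> %s\n", json_encode($p), $car ? h($car['title']) : '404, no such car');
}

// Search-box input echoed back to the user: escaped, so it renders as text
// instead of running in the visitor's browser.
$q = '<script>alert(document.cookie)</script>';
echo 'You searched for: ' . h($q) . "\n";

foreach (searchCars($pdo, 'Car #2') as $row) {
    echo $row['carid'], ' ', h($row['title']), "\n";
}
foreach (searchCars($pdo, '%') as $row) {   // the '%' is escaped and searched for literally
    echo $row['carid'], ' ', h($row['title']), "\n";
}
```

Run it with php on the command line to see the probes handled. The two rules it illustrates are the ones that matter for the question: anything from $_GET or the search form is validated or bound as a parameter before the database sees it, and anything that goes back out into HTML passes through htmlspecialchars first. With a string-built query such as "SELECT * FROM cars WHERE carid = " . $_GET['carid'], a request for ?carid=3 OR 1=1 would return every row, which is exactly what the bound parameter prevents.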