
PHP Security...

Discussion in 'HTML & Website Design' started by CavemanLawyer, Jul 24, 2007.

  1. #1
    Hello, been a member for a while, first topic though...

    Alright, I run this car forum/site thingy and for the past few months every week in the forum we would do this 'Featured Car' thing. Well, after a while we amassed quite a list. Well, long story short, I turned the forum site into an actual website.

    Now I combined all the forum posts about the cars and made nice articles about them and all that and created a MySQL database for them. I then made a page that would pull from said database and populate depending on the variable being passed in the URL - something like, uh-

    /cars.php?carid=3

    Is there anything I have to worry about here? Could someone change the variable to something malicious? Nowadays I hear a lot about XSS attacks and just various other malicious inputs, but I'm kind of hazy about it.

    So should I do a call to make sure the variable in the URL is actually a correct value?

    I also made a search box. Could they type a malicious script in there?

    I know I sound paranoid but this is the first 'big' PHP thing I've done, meaning a lot of people will be hitting this PHP site and the number one rule is - Never trust anybody, ha.

    So thank you. - In short... passing variables through the URL, security risk?
     
    CavemanLawyer, Jul 24, 2007 IP
  2. pruad

    #2
    In this case you need to check $_GET['carid']. It must be a number.

    For example:

    // Coerce the id to an integer; a missing or non-numeric value becomes 0
    $carid = isset($_GET['carid']) ? intval($_GET['carid']) : 0;
     
    pruad, Jul 24, 2007 IP
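The two questions in the thread (the carid in the URL and the search box) come down to the same three habits: validate the parameter, bind it into the query instead of concatenating it, and escape on output. The script below is an added example, not code from either poster or from the car site; it uses PDO with an in-memory SQLite database so it runs offline, and the cars table, its columns and the sample rows are constructed for the example.

```php
<?php
// Added example: strict id validation, prepared statements for the lookup
// and the search box, and HTML escaping on output. The table, columns and
// rows below are constructed so the script is self-contained.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cars (carid INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $ins = $db->prepare('INSERT INTO cars (carid, title, body) VALUES (?, ?, ?)');
    foreach ([[1, 'Civic Si', 'First featured car.'],
              [2, 'Supra', 'Second featured car.'],
              [3, 'Miata <b>NA</b>', 'Third featured car.']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Step 1: validate the id. FILTER_VALIDATE_INT returns false for anything
// that is not a plain integer, unlike intval(), which turns "3 OR 1=1" into 3.
function parseCarId(array $query): ?int {
    if (!isset($query['carid'])) {
        return null;
    }
    $id = filter_var($query['carid'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: never splice the value into SQL; bind it as a typed parameter.
function fetchCar(PDO $db, int $carid): ?array {
    $stmt = $db->prepare('SELECT carid, title, body FROM cars WHERE carid = :id');
    $stmt->bindValue(':id', $carid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 3: the search term is also just a bound parameter. LIKE wildcards
// typed by the user are escaped so a lone "%" cannot match every row.
function searchCars(PDO $db, string $term): array {
    $escaped = addcslashes($term, '%_\\');
    $stmt = $db->prepare("SELECT carid, title FROM cars WHERE title LIKE :pat ESCAPE '\\'");
    $stmt->bindValue(':pat', '%' . $escaped . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Step 4: escape on output so stored or reflected text is rendered as text,
// not interpreted as markup or script.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = openDb();

// Constructed query strings standing in for /cars.php?carid=...: only the
// plain positive integer is accepted, everything else is rejected outright.
foreach (['3', '3 OR 1=1', "3' UNION SELECT 1,2,3--", '-1'] as $raw) {
    $id = parseCarId(['carid' => $raw]);
    echo 'carid=' . h($raw) . ' -> ' . ($id === null ? 'rejected' : 'ok ' . $id) . "\n";
}

// The stored title contains <b> tags; escaping keeps them inert in the page.
$car = fetchCar($db, 3);
echo '<h1>' . h($car['title']) . "</h1>\n";

// A search term shaped like an injection is searched for literally, so it
// matches nothing; the loop body does not run.
foreach (searchCars($db, "%' OR '1'='1") as $row) {
    echo h($row['title']) . "\n";
}
// Reflecting the term back to the user goes through the same escaper.
echo '<p>You searched for: ' . h('<script>alert(1)</script>') . "</p>\n";
```

The same pattern works with mysqli prepared statements against the MySQL database the site already uses; PDO is used here only because the sqlite driver lets the script run without a server. The important split is that validation (step 1) decides whether a request is even worth answering, while binding (steps 2 and 3) makes the query safe regardless of what passed validation, and escaping (step 4) protects the page when the database contents themselves came from users.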