My profile.php displays all the user's postings,comments,pictures. If the user wants to delete, it sends the posting's id to the remove.php so it's like remove.php?action=removeposting&posting_id=2. If they want to remove a picture, it's remove.php?action=removepicture&picture_id=1.
Using the get data, I do a query to the database to display the info they want to delete and if they want to delete it, they click "yes". So the data is deleted via $POST NOT $GET to prevent cross-site request forgery.
My question is how do I make sure the GETs are not some javascript code, sql injection that will mess me up.
here is my remove.php
    //how do I make $action safe? 
    //should I use mysqli_real_escape_string?
    //use strip_tags()?
    $action=trim($_GET['action']);
    if (($action != 'removeposting') && ($action != 'removefriend') 
    && ($action != 'removecomment'))
    {
            header("Location: index.ph开发者_运维问答p");
            exit();
    }
if ($action == 'removeposting')
{
   //get the info and display it in a form. if user clicks "yes", deletes
}
if ($action =='removepicture')
{
   //remove pic
}
I know I can't be 100% safe, but what are some common defenses I can use.
EDIT
Do this to prevent xss
$oldaction=trim($_GET['action']);
$action=strip_tags($oldaction);
Then when I am 'recalling' the data back via POST, I would use 
$posting_id = mysqli_real_escape_string($dbc, trim($_POST['posting_id']));
        if ($action == 'removeposting')
{
    //get the posting id from the user  
    $getposting_id = htmlspecialchars(trim($_GET['posting_id']));
    //basic checks for the posting id
    if (empty($getposting_id)){
        //header ("Location: index.php");
        echo '<p>Sorry, no posting was specified for removal.</p>';
        exit();
    }
    if (!is_numeric($getposting_id))
    {   
        echo "Not an integer";
        exit();
    }
        //Also have check to see if the posting_id is the user's. If so, can delete
Because you aren't storing $action and only using it in your conditional, it's not necessary to do all the trimming/stripping/escaping. The simple string comparisons is enough in terms of "safety," though I recommend using === instead of ==.
Alternatively, if you were storing a $_GET or $_POST value into an integer column of a MySQL database, for example, you could simply pass the value into intval() before storing it in the database. If you need to store plain text, just pass it through mysql_real_escape_string() before storing it. You can also use preg_match() or preg_replace() to make sure you are only storing valid values (different patterns for different uses, e.g. /^\d{5}(?:-?\d{4})?$/ for zip codes).
To prevent against any SQL injection you should use mysqli_real_escape_string OR you can use Prepared Statements that accomplish the same thing.
To prevent any javascript, you could use strip_tags in concert with htmlspecialchars.
I know I can't be 100% safe
ahahahaha :)
if your question regarding only action, and it is used only to determine the code to run, it IS safe by any means.
But some info for you:
POST doesn't prevent cross-site request forgery. unique token does.
You didn't post actual action code, so just to be sure - I hope you check user's id whan perform these actions
Use the mysqli_real_escape_string as noted elsewhere. Also, of course this does nothing to prevent XSRF. You'll need tokens containing some entropy for that.
See also: http://www.owasp.org/index.php/Main_Page
$_GET is completely safe until you try to glue (concatenate) it to the other things in your program like:
- SQL to be executed (in which case you should use mysqli_real_escape_string() or another escaping technique that is advised with the database that you are using)
- HTML to be outputted (in which case you should pass it through htmlspecialchars() before concatenation or printing/echoing)
- URL to be navigated to by the user (in which case you most likely should pass it through urlencode())
- JavaScript to be executed by the browser (in which case you should pass it through json_encode())
If you want to have an url in javascript embedded in html that you want to be inserted in database then you should pass value that you receive from $_GET (also $_POST, $_COOKIE and other similar outside sources) through all those functions in order appropriate to this scenario, namely
mysql_real_escape_string(htmlspecialchars(json_encode(urlencode($_GET['val']))));
If the only thing you do is compare your $_GET['action'] to some strings then you are perfectly safe without doing any escaping at all.
 
         
                                         
                                         
                                         
                                        ![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif) 
                                         
                                         
                                         
                                         加载中,请稍侯......
 加载中,请稍侯......
      
精彩评论