
GET Query Sanitization


Fmdpa


I think that, by far, the most vulnerable part of my site-to-be is the query strings that are passed through the URL. What is the best way to sanitize info passed through the GET method? My URLs contain no more than 1 query. A sample query would be "http://www.site.com/image.php?image=sample-image". Is there a more efficient way to do this (I do plan to rewrite the URL in Apache) than using queries?


"Efficient"? As in "running faster"? I think not. You sanitize this data in the same way you sanitize POST or COOKIE data... You verify if the required information is entered, ignore the unknown query names (or crash with an error, though that's rarely a good idea), and then analyze if the value matches the criteria you're expecting from it. Finally, use it if it passes all of the tests. There's no universal procedure that you do and say "Done. No hackers allowed." It's all dependent on the way the data will be used.


By efficient, I mean more dynamic (less code) and more secure. I am amazed by the "$_GET" query method because of its "dynamicness". I used to have 50 different pages, but now I can use one page, pass an id through the URL, and using that id (whether numeric or a string), I can grab all of the content from the database associated with that id. But without sanitization, it is a compromise. Would a mysql_real_escape_string function make it acceptably secure?


It really matters what the data is for. Using mysql_real_escape_string is great if you're dealing with databases, but it doesn't really help a whole lot if you're using that data for include filenames or shell commands.


Then for string data it's usually fine to use mysql_real_escape_string. For numeric data, might as well use floatval or intval to convert it first. It's typically not a great idea to put table or field names in variables unless you check those against a list of allowed names.

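The replies above describe a procedure (check required names, ignore unknown ones, validate each value for the use it will be put to, whitelist table/column names, convert numerics with intval/floatval) without showing it in code. The following PHP script is an added example and is not code from the thread or from any of its posters. It binds the numeric id with a PDO prepared statement instead of mysql_real_escape_string (the mysql_* extension was removed in PHP 7.0), checks the image name against a slug pattern and then confirms the resolved file path stays inside a fixed directory, and takes the ORDER BY column from a fixed list rather than from the user. The table and column names, the `images` directory, the DSN and the credentials are all assumptions made for the example.

```php
<?php
// Added example, not from the original thread. Validates each GET
// parameter by the rule its use requires, then uses it safely.
// Table/column names, paths and DSN/credentials are assumptions.

declare(strict_types=1);

// Allowed ORDER BY columns: compared by identity, never escaped.
const SORT_COLUMNS = ['name', 'created_at', 'size'];

// Each validator returns the cleaned value, or null to reject.
function validate_id(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", "" and negatives here.
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

function validate_image(string $raw): ?string
{
    // A slug of letters, digits, dash and underscore rules out "../",
    // null bytes, spaces and anything else that changes which file opens.
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1 ? $raw : null;
}

function validate_sort(string $raw): ?string
{
    // A column name cannot be bound as a query parameter, so look it up
    // in the fixed list and return the list's copy, not the user's string.
    $i = array_search($raw, SORT_COLUMNS, true);
    return $i === false ? null : SORT_COLUMNS[$i];
}

// Walk the query: required names must be present, unknown names are ignored,
// array values (?id[]=1) are treated as missing.
function read_query(array $query, array $rules): array
{
    $clean = [];
    foreach ($rules as $name => [$required, $validator]) {
        if (!array_key_exists($name, $query) || !is_string($query[$name])) {
            if ($required) {
                throw new InvalidArgumentException("missing parameter: $name");
            }
            continue;
        }
        $value = $validator($query[$name]);
        if ($value === null) {
            throw new InvalidArgumentException("bad value for parameter: $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

$rules = [
    'id'    => [true,  'validate_id'],      // gallery id, numeric
    'image' => [false, 'validate_image'],   // file slug, string
    'sort'  => [false, 'validate_sort'],    // column name, whitelisted
];

try {
    $params = read_query($_GET, $rules);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}

// Database (assumed schema): the id is bound, never interpolated; the sort
// column is interpolated only because it came from SORT_COLUMNS.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$sort = $params['sort'] ?? 'created_at';
$stmt = $pdo->prepare("SELECT id, name FROM images WHERE gallery_id = :id ORDER BY $sort");
$stmt->execute([':id' => $params['id']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Filesystem (assumed layout): build the path from the validated slug under
// a fixed directory, then confirm the resolved path is still inside it.
if (isset($params['image'])) {
    $dir  = realpath(__DIR__ . '/images');
    $path = realpath($dir . '/' . $params['image'] . '.jpg');
    if ($dir === false || $path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        http_response_code(404);
        exit('No such image');
    }
    header('Content-Type: image/jpeg');
    readfile($path);
}
```

The point the thread makes is visible in the three validators: the same GET value needs a different check depending on whether it ends up in a SQL literal (bind it), a SQL identifier (whitelist it) or a file path (constrain the characters and verify the resolved path). Escaping alone covers only the first of those.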
