Security Announcement
Your security is the priority. Never trust user input!
User input can’t be trusted
When working with web applications, always be careful with the data that a user provides. Here is a list of some issues that need to be addressed:
Inputting High Numbers:
For example, let's see what happens if you change the query string to ?number=123.
You should see a lot of kittens now.
What about changing it to 1000000?
That may cause some performance issues in the user’s browser.
Not bad for us per se, but what if this number means that we’re going to do something on the server that takes time and server resources?
Providing a very high number is going to hit our server hard, maybe costing us extra money, or degrading performance for other users.
Irrelevant Input:
What if the query string is ?number=abc?
Should the server be able to deal with that too? At the very least, it should ensure that the provided input is an integer (-1, 0, 1, 2, etc.).
It should also ensure that the number is at least 1 because showing -1 kittens doesn’t make sense (so 1, 2, etc.).
...
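One way to apply both checks (integer only, and within a sane range) before the value ever reaches the page or the server-side work, as an added example that is not part of the original article; the bounds MIN_KITTENS and MAX_KITTENS and the function name are assumptions, and the sample inputs are constructed to stand in for $_GET:

```php
<?php
// Added example (not from the original article). Assumed bounds for the
// number of kittens a single request may ask for.
const MIN_KITTENS = 1;
const MAX_KITTENS = 100;

function validateKittenCount(array $query): int
{
    // Missing parameter: use a safe default instead of failing.
    if (!array_key_exists('number', $query)) {
        return MIN_KITTENS;
    }

    // $_GET values are strings, or arrays for ?number[]=... Reject anything
    // that is not a plain string before trying to parse it.
    if (!is_string($query['number'])) {
        throw new InvalidArgumentException('number must be a scalar');
    }

    // FILTER_VALIDATE_INT rejects "abc", "12.0" and "1e3", and enforces the
    // range in the same step. It returns false on any failure.
    $n = filter_var($query['number'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => MIN_KITTENS, 'max_range' => MAX_KITTENS],
    ]);

    if ($n === false) {
        throw new InvalidArgumentException(sprintf(
            'number must be an integer between %d and %d', MIN_KITTENS, MAX_KITTENS
        ));
    }

    return $n;
}

// Constructed sample inputs standing in for $_GET['number'].
foreach (['123', '1000000', 'abc', '-1', '0', '7', ['x']] as $input) {
    $label = json_encode($input);
    try {
        printf("%-10s -> %d kittens\n", $label, validateKittenCount(['number' => $input]));
    } catch (InvalidArgumentException $e) {
        printf("%-10s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

With these bounds, 123 and 1000000 are rejected as out of range, abc, -1 and 0 are rejected as invalid, and only 7 is returned.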
Type Mismatch:
Then, there’s a potential problem with the type of our variables.
Values in $_GET
...