What are today's best practices when it comes to getting information from a get/post and saving information to a database? Is data still escaped like it used to or are there ad
Never save data from GET to the DB.
Never ever save data from GET, even if you are doing sufficient validation and escaping. GET is not supposed to change information on the server.
Before changing anything on the server (DB or server file), check if the request is POST or PUT or DELETE, as applicable
POST is supposed to change the state of the server. Hence, before updating your tables or changing any file on the server, check if the request method is POST.
Validate inputs before processing
If you are expecting an integer, validate that the input is indeed an integer.
Escape inputs before using in db queries or adding to output
For query purposes, escape the inputs; in case you are using input to be printed directly to the output, strip the slashes and sanitize it.
Use perishable tokens for POST when you have the privilege of user sessions
Use access tokens in case you have a user logged in, and update the token every access or every 5 mins or so.
Use access tokens when you don't have user session
As Ankur suggested, use access tokens when you don't have a login session. But this is not reliable.
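The checks listed in the answer above, combined into one request handler, as an added example that is not part of the original post. It uses bound query parameters in place of manual escaping and encodes for HTML only at output time; the `orders` table, the `qty`/`note`/`token` field names, the secret and the HMAC token format are all assumptions made for illustration.

```python
import hashlib, hmac, html, sqlite3, time

SECRET = b"constructed-demo-key"   # assumption: per-application secret
TOKEN_TTL = 300                    # the "5 mins or so" from the answer, in seconds

def _mac(session_id, ts):
    return hmac.new(SECRET, f"{session_id}.{ts}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, now=None):
    """Perishable token bound to the session: '<timestamp>.<hmac>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"

def token_valid(session_id, token, now=None):
    now = time.time() if now is None else now
    ts, _, mac = token.partition(".")
    if not (ts.isascii() and ts.isdigit()) or not 0 <= now - int(ts) <= TOKEN_TTL:
        return False               # malformed, from the future, or expired
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    return hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode())

def handle(method, form, session_id, db, now=None):
    """Return (status, body) for a hypothetical 'save quantity and note' request."""
    if method != "POST":           # GET must not change state on the server
        return 405, "method not allowed"
    if not token_valid(session_id, form.get("token", ""), now):
        return 403, "bad or expired token"
    qty = form.get("qty", "")
    if not (qty.isascii() and qty.isdigit() and len(qty) <= 6):
        return 400, "qty must be an integer"
    note = form.get("note", "")
    # Bound parameters: the driver keeps the data out of the SQL text.
    db.execute("INSERT INTO orders (qty, note) VALUES (?, ?)", (int(qty), note))
    db.commit()
    # Store the raw value; encode for the HTML context only when printing it.
    return 200, f"<p>Saved {int(qty)}: {html.escape(note)}</p>"

def make_db():
    db = sqlite3.connect(":memory:")   # constructed in-memory table for the demo
    db.execute("CREATE TABLE orders (qty INTEGER, note TEXT)")
    return db
```
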