I am seeking the strongest security measure for people changing the IDs in the URL for comments, blogs, inbox etc...
Any suggestions?
Validating the data you get is a great idea; if you're expecting digits, make sure you get digits.
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = $_GET['id'];
} else {
    $id = 0;
}
If your concern is people changing URLs to see things, like requesting image 44 when you only wanted to show them image 42, you've got a few options:
Check the session permissions to see if they are allowed to perform the action?
If they're allowed to do it, then carry out the action. If not, then give them a 403.
I'd imagine that digitally signing the GET requests and appending that to the URL would work.
Sign it with a private key known only to your application, and then hash the GET variables and provide a signature in a &sig=blahblahblah.
That would probably work, but I don't really understand the need for protecting the GET variables. If designed properly, it really shouldn't matter what the GET variables are. A properly designed app shouldn't allow user GET variables to do anything damaging.
If it's just an ID (numeric, I guess), all you have to do is validate it as an integer:
$id = (int) $_GET['id'];
Then you can query your database. You will get empty return sets when the ID does not exist and when it is invalid (because $id will be 0 in that case).
Maybe you'll find the phpsec.org guide to PHP security, chapter 2, form processing, interesting.
First of all, do not rely on $_GET for critical information. Always double-check whether the user has permission to view that comment id, blog id, whatever. As for ID filtering - simple intval() will help (but don't forget to handle 0's also)
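An added example, not part of any answer above, combining the measures the answers describe: strict digit validation, a per-user permission check that returns 403, and a signed query string. It uses HMAC-SHA256 with a server-side secret in place of a private-key signature and binds the signature to the user; SECRET_KEY, the $owners map and all function names are hypothetical.

```php
<?php
// Added example, not from the original thread. SECRET_KEY, the $owners map and
// the function names are hypothetical stand-ins for app config and a DB lookup.
const SECRET_KEY = 'replace-with-random-server-side-secret'; // constructed value

// Return the id as int only if it is a plain decimal string, else null.
function parse_id($raw): ?int {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 18) {
        return null; // arrays, "", "42abc", "-1", "1e3" and overflow all fail
    }
    return (int) $raw;
}

// HMAC over the canonical (sorted) query string, bound to the current user.
function sign_params(array $params, int $userId): string {
    ksort($params);
    return hash_hmac('sha256', $userId . '|' . http_build_query($params), SECRET_KEY);
}

// Recompute the HMAC without the sig parameter and compare in constant time.
function verify_params(array $query, int $userId): bool {
    $sig = $query['sig'] ?? '';
    unset($query['sig']);
    return is_string($sig) && hash_equals(sign_params($query, $userId), $sig);
}

// Decide the HTTP status for a request to view one message.
function authorize_view(array $query, int $sessionUserId, array $owners): int {
    $id = parse_id($query['id'] ?? null);
    if ($id === null) {
        return 400; // malformed id
    }
    if (!verify_params($query, $sessionUserId)) {
        return 403; // link was altered or was issued to another user
    }
    // The signature is a second layer only; ownership is still checked.
    if (($owners[$id] ?? null) !== $sessionUserId) {
        return 403;
    }
    return 200;
}

// Constructed sample data: message id => owning user id.
$owners = [42 => 7, 44 => 9];
$link = ['id' => '42'];
$link['sig'] = sign_params($link, 7);
var_dump(authorize_view($link, 7, $owners));                  // untouched link
var_dump(authorize_view(['id' => '44'] + $link, 7, $owners)); // id edited in URL
```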