Not very familiar with PHP, is it possible for the user to take advantage of variable interpolation to get the value of secret?
<?php
$secret = 'hidden data';
echo $_GET['id'];
?>
I tried passing in for the id: $secret, %24secret, ${secret}, {$secret}, %7D%24secret%7D, %24%7Dsecret%7D. So far it seems safe, but just want to make sure I am not missing anything. Thanks in advance.
No, it's impossible for a user to retrieve hard-coded strings in this way.
No.
But use htmlentities($_GET["id"]) anyway because otherwise we can use cross-site scripting attacks (steal login cookies, session data, etc).