Ok quick question. I am sending errors through URL in integers only (../index?err=4)
then when it gets there I am filtering that error with
// Strips everything except digits, '+' and '-'; returns a string (or null if err is absent)
$errorget = filter_input(INPUT_GET, 'err', FILTER_SANITIZE_NUMBER_INT);
I then use a switch to select appropriate echo.
// Only these four codes produce a message; anything else maps to null
switch ($errorget) {
    case '4':
        $error = 'Error1';
        break;
    case '61':
        $error = 'Error2';
        break;
    case '33':
        $error = 'Error3';
        break;
    case '51':
        $error = 'Error4';
        break;
    default:
        $error = null;
}
echo $error;
Ok so, is this a safe method, and is there a vulnerability with this way of helping to avoid XSS?
Thank you in advance.
If you're seriously worried about it being a number, just cast it as such
$errorget = (int)($_GET['err'] ?? 0); // this is always a number (0 if err is missing)
Next, this really isn't a candidate for XSS attacks because you're not outputting the data anywhere (i.e. echo $_GET['err']). Providing bad data in this case will simply do... nothing. As in $error = null;
Providing a list of what should happen on the other end avoids XSS entirely.
In addition to what @Machavity writes about the int cast and XSS vulnerability, I would recommend not using a switch/case for something as simple as printing an error message but using an array instead:
// Lookup table of known codes; numeric-string keys such as "61" are cast to int by PHP
$errorMessages = array(
    4  => 'Error1',
    61 => 'Error2',
    33 => 'Error3',
    51 => 'Error4',
);
// Unknown codes fall back to null (no undefined-index notice), like the switch default
echo $errorMessages[$errorget] ?? null;
Output (with $errorget == 61):
Error2
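To make the point of both answers concrete (the cast plus allow-list from @Machavity, and the array lookup above), here is an added, self-contained script that is not code from the question or either answer. It runs the unsafe "echo the raw parameter" pattern side by side with the allow-list lookup over a handful of constructed request values, so you can see what FILTER_SANITIZE_NUMBER_INT, the (int) cast and the table lookup each do to hostile input. $_GET is simulated with a plain array so it runs from the CLI; the function names and sample values are my own.

```php
<?php
// Added example: unsafe reflection vs. allow-list lookup of an error code.
// Not code from the original question or answers; $_GET is simulated.
declare(strict_types=1);

// The allow-list: only these strings can ever reach the output,
// whatever the client puts in ?err=.
const ERROR_MESSAGES = [
    4  => 'Error1',
    61 => 'Error2',
    33 => 'Error3',
    51 => 'Error4',
];

// Unsafe pattern: reflects attacker-controlled input straight into the page.
function unsafeError(array $get): string
{
    return $get['err'] ?? '';
}

// Safe pattern: normalise to int, then look the code up.
// Unknown or missing codes yield null, so nothing from the request is echoed.
function lookupError(array $get): ?string
{
    if (!isset($get['err'])) {
        return null;
    }
    $code = (int) $get['err'];          // '4abc' -> 4, '<script>' -> 0
    return ERROR_MESSAGES[$code] ?? null;
}

// Defence in depth: encode even allow-listed values for the HTML context,
// so a later edit to the table cannot reintroduce markup injection.
function renderError(array $get): string
{
    $message = lookupError($get);
    return $message === null
        ? ''
        : htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request values for the demo (not from the original page).
$samples = [
    ['err' => '61'],
    ['err' => '4abc'],
    ['err' => '<script>alert(1)</script>'],
    ['err' => '9999'],
    [],                                  // parameter missing entirely
];

foreach ($samples as $get) {
    $raw = $get['err'] ?? null;
    printf(
        "%-30s unsafe=%-30s sanitized=%-8s safe=%s\n",
        var_export($raw, true),
        var_export(unsafeError($get), true),
        var_export(filter_var($raw ?? '', FILTER_SANITIZE_NUMBER_INT), true),
        var_export(renderError($get), true)
    );
}
```

Run it with `php example.php`. The unsafe column shows the script tag coming back untouched, which is exactly the reflected-XSS case; the safe column shows that the same input, and the out-of-range 9999, produce an empty string because only table values are ever printed. Note that FILTER_SANITIZE_NUMBER_INT keeps the "1" from inside the script tag and the (int) cast turns "4abc" into 4, so neither step is a validator on its own; the lookup table is what makes the output safe.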