I am going thru the code on my site before I launch it, trying to make sure I haven't left any gaping holes.
I am using an .htaccess file with this code: RewriteRule ^(.*)$ index.php?parameters=$1 [QSA,L] so that my url
looks like this: mywebsite.com/bananas/ripe/20 instead of mywebsite.com?pagename=bananas&website=ripe&picture=20
and, in the top of the index.php file, I am doing this:
$parameters = explode('/', $_GET[parameters]);
$_GET[pagename] = htmlspecialchars($parameters);
$_GET[website] = htmlspecialchars($parameters);
$_GET[picture] = intval(htmlspecialchars($parameters));
My question is: can I now use $_GET[pagename] in my code, or is there another way for an attacker to do something
evil with my $_GET variables? Also, is htmlspecialchars enough doing it this way? I also do mysql_real_escape_string() with
any mysql selects.