Passing non-private/non-protected/non-sensitive values through the URL is quite widely used and a more reliable way of passing values from one page to another. The reason for this is, $_SERVER['HTTP_REFERER']
is totally unreliable and can never be trusted. It can also, in many case be an empty value. Check the two following posts for more details
You can make use of cookies as well, but with current law, and also something controlled on user side, it also isn’t mush better than $_SERVER['HTTP_REFERER']
.
Just a note, WordPress pass a lot of query vars through the URL in order to know which data to display on which page. You should however note that, while passing value through the URL is very reliable, it can be compromised and should NEVER EVER be treated safe. Hackers like to pass malicious code through the URL, if a hacker pass malicious code together with your custom query var, and you use that as is, your site and/or db can be compromised in a really bad way.
Don’t get me wrong here, using the $_GET
global variable to pass data is really good way to pass data between two pages, and there is nothing wrong with that. You need to remember this though, any user submitted data through ANY type of forms, text areas, URL’s, cookies, basically anything which requires any type of input or any data coming from client side apps, can be corrupted, and most probably is. You must never ever trust anyone, not even yourself. ALL INCOMING DATA must ALWAYS be sanitized, validated and/or escaped according to data type expected. This should be your number one priority and the top golden rule right on top of your list.
For as long as you keep to that one golden rule, you will be relatively safe, and I say relative safe as no piece of code will ever be secure. Sanitizing data and validating it against something static (if you can) before actually acting on that data will protect you against many “soft” attacks.
WordPress has lot of build in functions to take care of sanitation, escaping and validating data according to your needs and data type expected. Be sure to check this article in the codex on this topic. Alternatively, there are also filters available in PHP. For super globals, I tend to go with filter_input()
as it takes care of checking whether the var is set, and if set, returns the value. You also have the ability to filter/sanitize the value
EXAMPLE
$community = filter_input(
INPUT_GET, // Super global to use, in this case $_GET
'community', // The var to get a value from
FILTER_SANITIZE_STRING // Type of filter to apply, here sanitize the value as a string
);
if ( $community ) {
/**
* $community have a value, so $_GET["community"] is set.
* It is also safe to use now as the value was sanitized when we
* queried the value with filter_input
}