Solved

PHP Parsing Variables from URLS

Posted on 2006-10-20
5
196 Views
Last Modified: 2006-11-21
Hello

I am very new to PHP and I am trying to parse the values of variables from a URL into a web page. to build a very simple CMS!

For example if the url is

www.mywebsite.com?ph=My Website&pt=Welcome Page&cf=home.htm

I then have a php file that is something like this:

<html>
<head>
<title>
<?php $val = $_GET['ph']; echo $val;?>
</title>
</head
<body>
<b><?php $val = $_GET['pt']; echo $val;?></b>
<p/>
<?php $val = $_GET['cf'];  Include '$val'; ?>
</body>
</html>

Any advice would be most welcome!

Thanks Andrew
0
Comment
Question by:andnewman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 17

Accepted Solution

by:
akshah123 earned 168 total points
ID: 17774434
Your code seems like it will work.  However there are security issues with it.  For example,

<?php $val = $_GET['cf'];  Include '$val'; ?>

Is a really bad idea as some one can easity inject their own script into your code.  This is BAD!!!

0
 
LVL 2

Assisted Solution

by:nowaydown1
nowaydown1 earned 166 total points
ID: 17777235
Hi Andrew:

As the previous expert mentioned, the way you're handling the $_GET variables does have security implications with it.  I wanted to expand on that a little and show you why its bad and present some solutions for how to correct them.

Take the following line for example:
<?php $val = $_GET['cf'];  Include '$val'; ?>

As an attacker this would present me with all sorts of interesting possibilities:

yourscript.php?cf=payroll.txt
yourscript.php?cf=passwords.txt

Should either of those files happen to exist they would be outputted right on the page for my viewing please, even if those files were protected from web access via a .htaccess file for example.  

The first thing I would do is create an array of allowed files for inclusion.  So you might have something like:

<?php
$validItemsForCf = array('home.htm','aboutus.htm');
$val = strtolower($_GET['cf']);
if(in_array($val, $validItemsForCf)) {
      include_once($val);
}
?>

The above code will only allow you to load files that exist in the $validItemsForCf array.  If I try to specify anything else other than the files listed in the array, my in_array check will fail, and it never tries to include anything.  Some other thoughts that come to mind relate to cleaning your user provided input.

<?php $val = $_GET['ph']; echo $val;?>

If your site deals with cookies and logins and like, this has to the potentional to open you up to XSS attacks.  This is a fairly large subject to cover, but I will point you to this article which should explain the related security risks.

http://www.informit.com/articles/article.asp?p=603037&seqNum=1&rl=1

Hope this helps a bit.  Have a good one!









 

0
 
LVL 1

Assisted Solution

by:comptech_engineering
comptech_engineering earned 166 total points
ID: 17781853
The example url that you have put in doesn't look like it has been url-encoded.

Will the url be created by using a form with the get method or are you typing this stuff into a link.
If you are using a link then anything after the "?" has to be url-encoded. PHP has got a function for this though: urlencode();
eg.

<?php
$link = urlencode("ph=My Website&pt=Welcome Page&cf=home.htm");
?>
<a href="www.mywebsite.com?<?=$link;?>">Click Here</a>
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question