Solved

PHP Parsing Variables from URLS

Posted on 2006-10-20
Last Modified: 2006-11-21
Hello

I am very new to PHP and I am trying to parse the values of variables from a URL into a web page, to build a very simple CMS!

For example if the url is

www.mywebsite.com?ph=My Website&pt=Welcome Page&cf=home.htm

I then have a php file that is something like this:

<html>
<head>
<title>
<?php $val = $_GET['ph']; echo $val;?>
</title>
</head>
<body>
<b><?php $val = $_GET['pt']; echo $val;?></b>
<p/>
<?php $val = $_GET['cf'];  include $val; ?>
</body>
</html>

Any advice would be most welcome!

Thanks Andrew
Question by:andnewman
5 Comments
 
LVL 17

Accepted Solution

by:
akshah123 earned 672 total points
ID: 17774434
Your code seems like it will work.  However there are security issues with it.  For example,

<?php $val = $_GET['cf'];  include $val; ?>

is a really bad idea, as someone can easily inject their own script into your code.  This is BAD!!!

0
 
LVL 2

Assisted Solution

by:nowaydown1
nowaydown1 earned 664 total points
ID: 17777235
Hi Andrew:

As the previous expert mentioned, the way you're handling the $_GET variables does have security implications with it.  I wanted to expand on that a little and show you why it's bad and present some solutions for how to correct them.

Take the following line for example:
<?php $val = $_GET['cf'];  include $val; ?>

As an attacker this would present me with all sorts of interesting possibilities:

yourscript.php?cf=payroll.txt
yourscript.php?cf=passwords.txt

Should either of those files happen to exist they would be outputted right on the page for my viewing pleasure, even if those files were protected from web access via a .htaccess file for example.

The first thing I would do is create an array of allowed files for inclusion.  So you might have something like:

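<?php
// Allow-list of files that may be included.
$validItemsForCf = array('home.htm','aboutus.htm');
// Use an empty string when cf is missing or is not a string (e.g. cf[]=x arrives as an array).
$val = (isset($_GET['cf']) && is_string($_GET['cf'])) ? strtolower($_GET['cf']) : '';
// Strict comparison: include only on an exact match with an allow-listed name.
if(in_array($val, $validItemsForCf, true)) {
      include_once($val);
}
?>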

The above code will only allow you to load files that exist in the $validItemsForCf array.  If I try to specify anything else other than the files listed in the array, my in_array check will fail, and it never tries to include anything.  Some other thoughts that come to mind relate to cleaning your user provided input.

<?php $val = $_GET['ph']; echo $val;?>

If your site deals with cookies and logins and the like, this has the potential to open you up to XSS attacks.  This is a fairly large subject to cover, but I will point you to this article, which should explain the related security risks.

http://www.informit.com/articles/article.asp?p=603037&seqNum=1&rl=1

Hope this helps a bit.  Have a good one!
0
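
The allow-list check and the output-escaping advice from the answer above, combined into one runnable script. This is an added example, not code from the thread; `e()`, `resolve_page()` and `render()` are hypothetical helper names, and the sample query strings are constructed.

```php
<?php
// Added example, not code from the thread. e(), resolve_page() and render()
// are hypothetical helper names; the file names come from the question.

// Encode a request value for use in HTML text or a quoted attribute.
function e($value)
{
    // ?ph[]=x reaches PHP as an array; treat any non-string as empty.
    if (!is_string($value)) {
        return '';
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Return $cf only if it is on the allow-list, otherwise the default page.
function resolve_page($cf, array $allowed, $default)
{
    $name = is_string($cf) ? strtolower($cf) : '';
    return in_array($name, $allowed, true) ? $name : $default;
}

// Build the page from a $_GET-style array.
function render(array $query)
{
    $allowed = array('home.htm', 'aboutus.htm');
    $title   = e(isset($query['ph']) ? $query['ph'] : '');
    $heading = e(isset($query['pt']) ? $query['pt'] : '');
    $file    = resolve_page(isset($query['cf']) ? $query['cf'] : '', $allowed, 'home.htm');
    // The real page would run: include __DIR__ . '/' . $file;
    return "<html>\n<head><title>$title</title></head>\n<body>\n"
         . "<b>$heading</b>\n<!-- include: $file -->\n</body>\n</html>\n";
}

// Constructed sample query strings, parsed the way PHP fills $_GET.
$samples = array(
    'ph=My+Website&pt=Welcome+Page&cf=home.htm',
    'ph=%3Cscript%3Ex%3C%2Fscript%3E&pt=A+%26+B&cf=passwords.txt',
);
foreach ($samples as $qs) {
    parse_str($qs, $query);
    echo render($query), "\n";
}
```

In the second sample the markup in ph is emitted as text rather than as a tag, and the unlisted cf value falls back to home.htm.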
 
LVL 1

Assisted Solution

by:comptech_engineering
comptech_engineering earned 664 total points
ID: 17781853
The example url that you have put in doesn't look like it has been url-encoded.

Will the URL be created by using a form with the get method, or are you typing this stuff into a link?
If you are using a link then anything after the "?" has to be url-encoded. PHP has got a function for this though: urlencode();
e.g.

<?php
// Encode each value on its own; encoding the whole string would also escape "=" and "&".
$link = "ph=" . urlencode("My Website") . "&pt=" . urlencode("Welcome Page") . "&cf=" . urlencode("home.htm");
?>
<a href="http://www.mywebsite.com/?<?php echo htmlspecialchars($link); ?>">Click Here</a>
0