Solved

PHP Parsing Variables from URLS

Posted on 2006-10-20
5
197 Views
Last Modified: 2006-11-21
Hello

I am very new to PHP and I am trying to parse the values of variables from a URL into a web page. to build a very simple CMS!

For example if the url is

www.mywebsite.com?ph=My Website&pt=Welcome Page&cf=home.htm

I then have a php file that is something like this:

<html>
<head>
<title>
<?php $val = $_GET['ph']; echo $val;?>
</title>
</head
<body>
<b><?php $val = $_GET['pt']; echo $val;?></b>
<p/>
<?php $val = $_GET['cf'];  Include '$val'; ?>
</body>
</html>

Any advice would be most welcome!

Thanks Andrew
0
Comment
Question by:andnewman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 17

Accepted Solution

by:
akshah123 earned 168 total points
ID: 17774434
Your code seems like it will work.  However there are security issues with it.  For example,

<?php $val = $_GET['cf'];  Include '$val'; ?>

Is a really bad idea as some one can easity inject their own script into your code.  This is BAD!!!

0
 
LVL 2

Assisted Solution

by:nowaydown1
nowaydown1 earned 166 total points
ID: 17777235
Hi Andrew:

As the previous expert mentioned, the way you're handling the $_GET variables does have security implications with it.  I wanted to expand on that a little and show you why its bad and present some solutions for how to correct them.

Take the following line for example:
<?php $val = $_GET['cf'];  Include '$val'; ?>

As an attacker this would present me with all sorts of interesting possibilities:

yourscript.php?cf=payroll.txt
yourscript.php?cf=passwords.txt

Should either of those files happen to exist they would be outputted right on the page for my viewing please, even if those files were protected from web access via a .htaccess file for example.  

The first thing I would do is create an array of allowed files for inclusion.  So you might have something like:

<?php
$validItemsForCf = array('home.htm','aboutus.htm');
$val = strtolower($_GET['cf']);
if(in_array($val, $validItemsForCf)) {
      include_once($val);
}
?>

The above code will only allow you to load files that exist in the $validItemsForCf array.  If I try to specify anything else other than the files listed in the array, my in_array check will fail, and it never tries to include anything.  Some other thoughts that come to mind relate to cleaning your user provided input.

<?php $val = $_GET['ph']; echo $val;?>

If your site deals with cookies and logins and like, this has to the potentional to open you up to XSS attacks.  This is a fairly large subject to cover, but I will point you to this article which should explain the related security risks.

http://www.informit.com/articles/article.asp?p=603037&seqNum=1&rl=1

Hope this helps a bit.  Have a good one!









 

0
 
LVL 1

Assisted Solution

by:comptech_engineering
comptech_engineering earned 166 total points
ID: 17781853
The example url that you have put in doesn't look like it has been url-encoded.

Will the url be created by using a form with the get method or are you typing this stuff into a link.
If you are using a link then anything after the "?" has to be url-encoded. PHP has got a function for this though: urlencode();
eg.

<?php
$link = urlencode("ph=My Website&pt=Welcome Page&cf=home.htm");
?>
<a href="www.mywebsite.com?<?=$link;?>">Click Here</a>
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question