PHP Parsing Variables from URLS

Hello

I am very new to PHP and I am trying to parse the values of variables from a URL into a web page. to build a very simple CMS!

For example if the url is

www.mywebsite.com?ph=My Website&pt=Welcome Page&cf=home.htm

I then have a php file that is something like this:

<html>
<head>
<title>
<?php $val = $_GET['ph']; echo $val;?>
</title>
</head
<body>
<b><?php $val = $_GET['pt']; echo $val;?></b>
<p/>
<?php $val = $_GET['cf'];  Include '$val'; ?>
</body>
</html>

Any advice would be most welcome!

Thanks Andrew
andnewmanAsked:
Who is Participating?
 
akshah123Connect With a Mentor Commented:
Your code seems like it will work.  However there are security issues with it.  For example,

<?php $val = $_GET['cf'];  Include '$val'; ?>

Is a really bad idea as some one can easity inject their own script into your code.  This is BAD!!!

0
 
nowaydown1Connect With a Mentor Commented:
Hi Andrew:

As the previous expert mentioned, the way you're handling the $_GET variables does have security implications with it.  I wanted to expand on that a little and show you why its bad and present some solutions for how to correct them.

Take the following line for example:
<?php $val = $_GET['cf'];  Include '$val'; ?>

As an attacker this would present me with all sorts of interesting possibilities:

yourscript.php?cf=payroll.txt
yourscript.php?cf=passwords.txt

Should either of those files happen to exist they would be outputted right on the page for my viewing please, even if those files were protected from web access via a .htaccess file for example.  

The first thing I would do is create an array of allowed files for inclusion.  So you might have something like:

<?php
$validItemsForCf = array('home.htm','aboutus.htm');
$val = strtolower($_GET['cf']);
if(in_array($val, $validItemsForCf)) {
      include_once($val);
}
?>

The above code will only allow you to load files that exist in the $validItemsForCf array.  If I try to specify anything else other than the files listed in the array, my in_array check will fail, and it never tries to include anything.  Some other thoughts that come to mind relate to cleaning your user provided input.

<?php $val = $_GET['ph']; echo $val;?>

If your site deals with cookies and logins and like, this has to the potentional to open you up to XSS attacks.  This is a fairly large subject to cover, but I will point you to this article which should explain the related security risks.

http://www.informit.com/articles/article.asp?p=603037&seqNum=1&rl=1

Hope this helps a bit.  Have a good one!









 

0
 
comptech_engineeringConnect With a Mentor Commented:
The example url that you have put in doesn't look like it has been url-encoded.

Will the url be created by using a form with the get method or are you typing this stuff into a link.
If you are using a link then anything after the "?" has to be url-encoded. PHP has got a function for this though: urlencode();
eg.

<?php
$link = urlencode("ph=My Website&pt=Welcome Page&cf=home.htm");
?>
<a href="www.mywebsite.com?<?=$link;?>">Click Here</a>
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.