?
Solved

PHP Parsing Variables from URLS

Posted on 2006-10-20
5
Medium Priority
?
205 Views
Last Modified: 2006-11-21
Hello

I am very new to PHP and I am trying to parse the values of variables from a URL into a web page. to build a very simple CMS!

For example if the url is

www.mywebsite.com?ph=My Website&pt=Welcome Page&cf=home.htm

I then have a php file that is something like this:

<html>
<head>
<title>
<?php $val = $_GET['ph']; echo $val;?>
</title>
</head
<body>
<b><?php $val = $_GET['pt']; echo $val;?></b>
<p/>
<?php $val = $_GET['cf'];  Include '$val'; ?>
</body>
</html>

Any advice would be most welcome!

Thanks Andrew
0
Comment
Question by:andnewman
3 Comments
 
LVL 17

Accepted Solution

by:
akshah123 earned 672 total points
ID: 17774434
Your code seems like it will work.  However there are security issues with it.  For example,

<?php $val = $_GET['cf'];  Include '$val'; ?>

Is a really bad idea as some one can easity inject their own script into your code.  This is BAD!!!

0
 
LVL 2

Assisted Solution

by:nowaydown1
nowaydown1 earned 664 total points
ID: 17777235
Hi Andrew:

As the previous expert mentioned, the way you're handling the $_GET variables does have security implications with it.  I wanted to expand on that a little and show you why its bad and present some solutions for how to correct them.

Take the following line for example:
<?php $val = $_GET['cf'];  Include '$val'; ?>

As an attacker this would present me with all sorts of interesting possibilities:

yourscript.php?cf=payroll.txt
yourscript.php?cf=passwords.txt

Should either of those files happen to exist they would be outputted right on the page for my viewing please, even if those files were protected from web access via a .htaccess file for example.  

The first thing I would do is create an array of allowed files for inclusion.  So you might have something like:

<?php
$validItemsForCf = array('home.htm','aboutus.htm');
$val = strtolower($_GET['cf']);
if(in_array($val, $validItemsForCf)) {
      include_once($val);
}
?>

The above code will only allow you to load files that exist in the $validItemsForCf array.  If I try to specify anything else other than the files listed in the array, my in_array check will fail, and it never tries to include anything.  Some other thoughts that come to mind relate to cleaning your user provided input.

<?php $val = $_GET['ph']; echo $val;?>

If your site deals with cookies and logins and like, this has to the potentional to open you up to XSS attacks.  This is a fairly large subject to cover, but I will point you to this article which should explain the related security risks.

http://www.informit.com/articles/article.asp?p=603037&seqNum=1&rl=1

Hope this helps a bit.  Have a good one!









 

0
 
LVL 1

Assisted Solution

by:comptech_engineering
comptech_engineering earned 664 total points
ID: 17781853
The example url that you have put in doesn't look like it has been url-encoded.

Will the url be created by using a form with the get method or are you typing this stuff into a link.
If you are using a link then anything after the "?" has to be url-encoded. PHP has got a function for this though: urlencode();
eg.

<?php
$link = urlencode("ph=My Website&pt=Welcome Page&cf=home.htm");
?>
<a href="www.mywebsite.com?<?=$link;?>">Click Here</a>
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
This article discusses how to implement server side field validation and display customized error messages to the client.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses
Course of the Month13 days, 22 hours left to enroll

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question