Monday, May 21, 2012

Validate url parameters in php


I have rules in my .htaccess for pages, show property id etc...



I want to make sure I validate every parameter I get to the right query im getting.



I have:




RewriteRule ^(.*)$ page.php?page=$1
RewriteRule ^property/(.*)$ property.php?pid=$1



so in my php I do:




$page = $_GET['page'];



and




$propertyid = $_GET['pid'];



Now I need to secure them but I want to know which method is best to use to secure these and that is where im lost.


Source: Tips4all

2 comments:

  1. I would say to use these rules:

    RewriteRule ^([a-z0-9]+)/?$ page.php?page=$1 [L,NC]
    RewriteRule ^property/([0-9]+)/?$ property.php?pid=$1 [L,NC]


    this way if someone enters any characters other than letters and numbers (for pages) and numbers (for property) it will show a page not found.

    If you want really to be sure, you can

    $page = mysql_real_escape_string($_GET['page']); just make sure your database connection is open and you can cast the pid like $propertyid = (int)$_GET['pid'];

    ReplyDelete
  2. i think with page parameter you should have a list of acept pages, then after get 'page', you check if 'page' is in accept list.
    For example :

    $arr_pages = ('page1','page2','page3');
    $page = $_GET['page'];
    if(in_array($page,$arr_pages))
    {
    // do some thing
    }
    else
    {
    // page not found
    }


    And id :

    $propertyid = intval($_GET['pid']);


    hope this help :)

    ReplyDelete