I have rules in my .htaccess for pages, show property id etc...
I want to make sure I validate every parameter I get to the right query im getting.
I have:
RewriteRule ^(.*)$ page.php?page=$1
RewriteRule ^property/(.*)$ property.php?pid=$1
so in my php I do:
$page = $_GET['page'];
and
$propertyid = $_GET['pid'];
Now I need to secure them but I want to know which method is best to use to secure these and that is where im lost.
Source: Tips4all
I would say to use these rules:
ReplyDeleteRewriteRule ^([a-z0-9]+)/?$ page.php?page=$1 [L,NC]
RewriteRule ^property/([0-9]+)/?$ property.php?pid=$1 [L,NC]
this way if someone enters any characters other than letters and numbers (for pages) and numbers (for property) it will show a page not found.
If you want really to be sure, you can
$page = mysql_real_escape_string($_GET['page']); just make sure your database connection is open and you can cast the pid like $propertyid = (int)$_GET['pid'];
i think with page parameter you should have a list of acept pages, then after get 'page', you check if 'page' is in accept list.
ReplyDeleteFor example :
$arr_pages = ('page1','page2','page3');
$page = $_GET['page'];
if(in_array($page,$arr_pages))
{
// do some thing
}
else
{
// page not found
}
And id :
$propertyid = intval($_GET['pid']);
hope this help :)