Posted by OmegaJunior on 01/13/07 21:16
On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <News@McKirahan.com> wrote:
>
> Why is "id=" easier and/or more scalable and/or more secure?
>
It's more scalable as a querystring parameter like '?id=1' than a full querystring like '?page1' because it lets you add more parameters to the querystring than just the querystring itself.

Instead of reading the entire querystring '?page1' using $_SERVER['QUERY_STRING'] and using the result 'page1' as a single parameter, you can string several parameters together inside a querystring using a & as separator like so: '?id=1&sort=a&lang=en' and read each parameter with $_GET[parametername] like $_GET['id'] (results in '1'), $_GET['sort'] (results in 'a'), and $_GET['lang'] (results in 'en').

Which parameters you put into the querystring and what your code does with them is your choice entirely, hence the scalability.
Look at Google's advanced search, for instance:
http://www.google.com/search?as_q=test&hl=en&rls=en&num=10&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=off

Everything behind the first ? is the querystring, which contains no less than 19 parameters (some of which do have values, some of which don't).
Security comes in because of the way you intend to use the parameter value. If you would simply code

    include($_SERVER['QUERY_STRING']);

you open up your code for all kinds of injection. Rule of thumb: don't trust a visitor's input. What prevents a malevolent visitor from requesting '?config.ini' or '?.htaccess'? Nothing, because they can enter it using their browser's address bar. But we can check their input and allow only those values we trust, like so:
    $idPageToInclude = $_GET['id'] ?? ''; /* parameter named 'id' by choice, could've just as easily been named 'page' */
    if (is_numeric($idPageToInclude)) { // If I'd want to accept only numbers, for instance
        // (is_numeric() also accepts '1.5', '-1' and '1e3'; ctype_digit() is stricter if only whole numbers are wanted)
        $pathPageToInclude = 'page' . $idPageToInclude . '.html'; // Create the complete file name
        if (file_exists($pathPageToInclude)) { // Make sure it exists
            include($pathPageToInclude);
        } else {
            print('File not found.');
        }
    }
Why do I want to accept numbers as input only? Because that way I can prevent a malevolent user from passing something like '/../../passwords.xml/' into the querystring.
Hope this helps!
-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
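The check described in the post above, worked through as an added example that is not code from the original post or its author. It keeps the post's idea (the visitor supplies only a number, the script builds the file name) but swaps is_numeric() for the stricter ctype_digit() and adds a realpath() containment check as a second line of defence. The function name resolvePage(), the pages directory and the page files it creates are assumptions for the demo.

```php
<?php
// Added example (not code from the original post): a page-loading helper that
// accepts only a whole-number 'id', builds the file name itself, and checks
// that the resolved path still lies inside the pages directory.
// The function name, the pages directory and the page files are assumptions.

declare(strict_types=1);

/**
 * Return the absolute path of the page to include, or null if the request
 * must be refused. Only digits from $id ever reach the file system.
 */
function resolvePage(string $pagesDir, ?string $id): ?string
{
    // ctype_digit() is stricter than is_numeric(): it rejects '', '1.5',
    // '-1', '1e3' and leading whitespace, leaving only [0-9]+.
    if ($id === null || !ctype_digit($id)) {
        return null;
    }

    // The visitor never supplies a file name, only a number that we wrap.
    $candidate = $pagesDir . DIRECTORY_SEPARATOR . 'page' . $id . '.html';

    // realpath() resolves symlinks and '..' and returns false for a missing
    // file. Belt and braces: confirm the result is still under $pagesDir.
    $base = realpath($pagesDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// In a web page the call would be:
//   $path = resolvePage(__DIR__ . '/pages', $_GET['id'] ?? null);
//   if ($path === null) { http_response_code(404); exit('File not found.'); }
//   include $path;

// CLI demo with a constructed pages directory (cleaned up at the end).
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
mkdir($pagesDir);
file_put_contents($pagesDir . '/page1.html', "<h1>Page one</h1>\n");
file_put_contents($pagesDir . '/page2.html', "<h1>Page two</h1>\n");

// Inputs of the kind include($_SERVER['QUERY_STRING']) would have handed
// straight to the file system, run through the resolver instead.
$requests = ['1', '2', '3', '1.5', '1e1', '-1', ' 1', '../../etc/passwd', 'config.ini', '.htaccess'];
foreach ($requests as $id) {
    $path = resolvePage($pagesDir, $id);
    printf("?id=%-18s -> %s\n", $id, $path === null ? 'refused' : 'include ' . basename($path));
    if ($path !== null) {
        include $path;   // prints the page body
    }
}

unlink($pagesDir . '/page1.html');
unlink($pagesDir . '/page2.html');
rmdir($pagesDir);
```

Run it with `php resolve_page.php`: only '1' and '2' are included; '3' is refused because no such page exists, and every other input is refused before any file-system call is made. The realpath() check is redundant once ctype_digit() has passed, but it keeps the function safe if someone later relaxes the validation or points $pagesDir at a symlink.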