Posted by Geoff Berrow on 01/14/07 15:00
Message-ID: <op.tl32qagg70mclq@cp139795-a.landg1.lb.home.nl> from
OmegaJunior contained the following:
>On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <News@McKirahan.com> wrote:
>
>>
>> Why is "id=" easier and/or more scalable and/or more secure?
>>
>>
>
>It's more scalable as a querystring parameter like '?id=1' than a full
>querystring like '?page1' because it lets you add more parameters to the
>querystring than just the querystring itself.
Up to a point. You could, of course, do ?ham-eggs-cheese and explode the
query string to get three different variables.
>
....
>Security comes in because of the way you intend to use the parameter
>value. If you would simply code
>include($_SERVER['QUERY_STRING']);
>you open up your code for all kinds of injection. Rule of thumb: don't
>trust a visitor's input. What prevents a malevolent visitor from
>requesting '?config.ini' or '?.htaccess' ? Nothing, because they can enter
>it using their browser's address bar. But we can check for their input and
>allow only those values we trust, like so:
>
>$idPageToInclude = $_GET['id']; /* parameter named 'id' by choice,
>could've just as easily been named 'page' */
>if (is_numeric($idPageToInclude)) { // If I'd want to accept only numbers,
>                                    // for instance
>    $pathPageToInclude = 'page'.$idPageToInclude.'.html'; // Create the
>                                                          // complete file name
>    if (file_exists($pathPageToInclude)) { // Make sure it exists
>        include($pathPageToInclude);
>    } else {
>        print('File not found.');
>    }
>}
I think it's a bit simpler to use an array (i.e. you can use your existing
filenames):

$page = array(1 => 'page1.php', 2 => 'page2.php', 3 => 'anypage.php');
if (isset($_GET['id'])) {
    $PageToInclude = (isset($page[$_GET['id']])) ? $page[$_GET['id']] : "errorpage.php";
    // errorpage.php is included if someone messes with the url.
    include($PageToInclude);
}
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
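An added example of the allow-list approach discussed in this thread, not code posted by Geoff or OmegaJunior. It keeps the file names in a fixed map as Geoff's version does, and adds handling for two inputs the thread does not cover: an array-valued id (?id[]=1) and the loose matching of is_numeric(). The names PAGES, ERROR_PAGE and resolve_page() are assumptions.

```php
<?php
// Added example: resolve an untrusted 'id' parameter to a file name from an
// allow-list. The visitor's input is never used to build a path, so
// '?config.ini', '?.htaccess' or '../' can never reach include().
declare(strict_types=1);

// Allow-list: the only files the 'id' parameter can ever select.
const PAGES = [
    1 => 'page1.php',
    2 => 'page2.php',
    3 => 'anypage.php',
];
const ERROR_PAGE = 'errorpage.php';

/**
 * Map the raw $_GET value (string, absent, or even an array) to a file name
 * from PAGES, falling back to ERROR_PAGE for anything unexpected.
 */
function resolve_page($id): string
{
    // ?id[]=1 arrives as an array; using it as an array offset is an error.
    if (!is_string($id) && !is_int($id)) {
        return ERROR_PAGE;
    }
    // Accept only plain decimal digits. is_numeric() would also accept
    // ' 1', '1e0' or '1.0', which then silently fail the lookup.
    if (is_string($id) && !ctype_digit($id)) {
        return ERROR_PAGE;
    }
    $key = (int) $id;
    return PAGES[$key] ?? ERROR_PAGE;
}

// Constructed sample inputs a visitor might type into the address bar.
$samples = ['1', '3', '99', '../config.ini', '.htaccess', '1e0', ['1'], null];
foreach ($samples as $input) {
    $shown = is_array($input) ? 'array(...)' : var_export($input, true);
    printf("%-16s -> %s\n", $shown, resolve_page($input));
}
// In the real page:
// include(__DIR__ . '/' . resolve_page($_GET['id'] ?? null));
```

Only '1' and '3' resolve to real pages here; every other sample, including the array and the traversal attempt, lands on errorpage.php.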