Reply to Re: Include Content pages in Master page

Posted by OmegaJunior on 01/13/07 21:16

On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <News@McKirahan.com> wrote:

> Why is "id=" easier and/or more scalable and/or more secure?

It's more scalable as a querystring parameter like '?id=1' than a full querystring like '?page1' because it lets you add more parameters to the querystring than just the querystring itself.

Instead of reading the entire querystring '?page1' using $_SERVER['QUERY_STRING'] and using the result 'page1' as a single parameter, you can string several parameters together inside a querystring using a & as separator like so: '?id=1&sort=a&lang=en' and read each parameter with $_GET[parametername] like $_GET['id'] (results in '1'), $_GET['sort'] (results in 'a'), and $_GET['lang'] (results in 'en').

Which parameters you put into the querystring and what your code does with them is your choice entirely, hence the scalability.

Look at Google's advanced search, for instance:
http://www.google.com/search?as_q=test&hl=en&rls=en&num=10&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=off

Everything behind the first ? is the querystring, which contains no less than 19 parameters (some of which do have values, some of which don't).

Security comes in because of the way you intend to use the parameter value. If you would simply code

include($_SERVER['QUERY_STRING']);

you open up your code for all kinds of injection. Rule of thumb: don't trust a visitor's input. What prevents a malevolent visitor from requesting '?config.ini' or '?.htaccess'? Nothing, because they can enter it using their browser's address bar. But we can check for their input and allow only those values we trust, like so:

$idPageToInclude = $_GET['id']; /* parameter named 'id' by choice,
                                   could've just as easily been named 'page' */
if (is_numeric($idPageToInclude)) { // If I'd want to accept only numbers, for instance
    $pathPageToInclude = 'page' . $idPageToInclude . '.html'; // Create the complete file name
    if (file_exists($pathPageToInclude)) { // Make sure it exists
        include($pathPageToInclude);
    } else {
        print('File not found.');
    }
}

Why do I want to accept numbers as input only? Because that way I can prevent a malevolent user from passing something like '/../../passwords.xml/' into the querystring.

Hope this helps!

-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
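The following is an added example, not code from OmegaJunior's post. It carries the same idea (resolve a querystring 'id' to a file name you build yourself, never to a name the visitor typed) a step further: it uses ctype_digit rather than is_numeric so that only the characters 0-9 are accepted, it confines the result to one fixed directory with realpath, and it also shows the alternative of an explicit id-to-file map for pages that are not numbered. The 'pages' directory, the file names and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the original post): resolving $_GET['id'] to a
// file inside one fixed directory and refusing everything else.
declare(strict_types=1);

// Assumed layout: the content files live in a 'pages' directory next to this script.
define('PAGE_DIR', __DIR__ . '/pages');

// Alternative for non-numeric ids: an explicit map, so the visitor's value is
// only ever used as a lookup key, never as part of a path. (Constructed names.)
const PAGE_MAP = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

/**
 * Return the absolute path of the page for $rawId, or null when the id is not
 * a plain string of digits, the file does not exist, or it resolves outside PAGE_DIR.
 */
function resolvePageById(?string $rawId): ?string
{
    // ctype_digit is stricter than is_numeric: no sign, no spaces, no decimal
    // point, no exponent ("1e3"), so the file name contains only digits.
    if ($rawId === null || $rawId === '' || strlen($rawId) > 6 || !ctype_digit($rawId)) {
        return null;
    }
    return confineToPageDir(PAGE_DIR . '/page' . $rawId . '.html');
}

/**
 * Return the absolute path for a named page from PAGE_MAP, or null if the
 * name is unknown or the mapped file is missing.
 */
function resolvePageByName(?string $rawName): ?string
{
    if ($rawName === null || !array_key_exists($rawName, PAGE_MAP)) {
        return null;
    }
    return confineToPageDir(PAGE_DIR . '/' . PAGE_MAP[$rawName]);
}

/**
 * realpath() collapses '..' segments and symlinks and returns false for a
 * missing file; the prefix test then confirms the result is still under PAGE_DIR.
 */
function confineToPageDir(string $candidate): ?string
{
    $real = realpath($candidate);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values, shown from the command line: each is either
    // resolved to a file under PAGE_DIR or rejected before any path is touched.
    foreach (['1', '007', '1e3', '-1', ' 1', '../../passwords.xml', ''] as $id) {
        printf("id %-24s => %s\n", var_export($id, true), resolvePageById($id) ?? 'rejected');
    }
    foreach (['home', 'config.ini'] as $name) {
        printf("name %-22s => %s\n", var_export($name, true), resolvePageByName($name) ?? 'rejected');
    }
} else {
    // Web request: the id parameter decides the file, a 404 covers every other case.
    $path = resolvePageById($_GET['id'] ?? null) ?? resolvePageByName($_GET['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        print('File not found.');
    } else {
        include $path;
    }
}
```

Run from the command line (php thisfile.php) with no 'pages' directory present, every sample is reported as rejected, because realpath() fails for a missing file; with a 'pages/page1.html' in place, '1' resolves while '007', '1e3', '-1' and the traversal string are still rejected or simply absent. The point of the two-stage check is that the first stage (ctype_digit or the map lookup) decides what the file name may consist of, and the second stage (realpath plus the prefix test) catches anything the first stage might have missed, including symlinks inside the content directory.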
