Posted by McKirahan on 01/14/07 21:53
> "OmegaJunior" <omegajunior@spamremove.home.nl> wrote in message
news:op.tl32qagg70mclq@cp139795-a.landg1.lb.home.nl...
> On Sat, 13 Jan 2007 19:16:08 +0100, McKirahan <News@McKirahan.com> wrote:
>
> >
> > Why is "id=" easier and/or more scalable and/or more secure?
> >
> >
>
> It's more scalable as a querystring parameter like '?id=1' than a full
> querystring like '?page1' because it lets you add more parameters to the
> querystring than just the querystring itself.
I understand; however, I only intend to pass a page reference.
[snip]
> Security comes in because of the way you intend to use the parameter
> value. If you would simply code
> include($_SERVER['QUERY_STRING']);
> you open up your code for all kinds of injection. Rule of thumb: don't
> trust a visitor's input. What prevents a malevolent visitor from
> requesting '?config.ini' or '?.htaccess' ? Nothing, because they can enter
> it using their browser's address bar.
However, I construct the page name from the QueryString;
I don't load whatever is passed in.
[snip]
> But we can check for their input and
> allow only those values we trust, like so:
> if (is_numeric($idPageToInclude)) { //If I'd want to accept only numbers,
I like the numeric only input and will use it.
> if (file_exists($pathPageToInclude))
I'll use this too.
> Why do I want to accept numbers as input only? Because that way I can
> prevent that a malevolent user tries to pass something like
> '/../../passwords.xml/' into the querystring.
>
> Hope this helps!
It does! Thanks for the education.
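As an added example that is not part of the thread (neither poster's code), here is the unsafe include the reply warns about beside a hardened version of the numeric-id-plus-file_exists approach it recommends. The pages directory layout (`pages/1.php`, `pages/2.php`, ...) and the function name `resolvePage` are assumptions for illustration.

```php
<?php
// Added example, not from the original thread.

// --- Unsafe: whatever follows '?' in the URL becomes a file path. ---
// A request for '?config.ini' or '?../../passwords.xml' is included as-is.
function include_unsafe(): void
{
    include($_SERVER['QUERY_STRING']);
}

// --- Hardened: only a short string of digits is accepted as 'id', and the
// id is mapped to a file name chosen here, never to the raw input. ---
const PAGES_DIR = __DIR__ . '/pages';   // assumed layout: pages/1.php, pages/2.php ...

/**
 * Returns the absolute path of the page to include, or null when the
 * request must be rejected.
 */
function resolvePage(array $query): ?string
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;
    }
    $id = $query['id'];

    // ctype_digit() is stricter than is_numeric(): it rejects '1e3', ' 1',
    // '-1' and '1.0', all of which is_numeric() accepts.
    if ($id === '' || !ctype_digit($id) || strlen($id) > 6) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    if ($base === false) {
        return null;                    // pages directory does not exist
    }

    $candidate = PAGES_DIR . '/' . $id . '.php';
    $real = realpath($candidate);

    // file_exists() alone is not enough: also confirm the resolved path is
    // still inside PAGES_DIR, so a symlink cannot point outside it.
    if ($real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Constructed probes for running this file from the command line.
    foreach (['1', '../config.ini', '1e3', ' 1', ''] as $probe) {
        $result = resolvePage(['id' => $probe]);
        printf("id=%-14s -> %s\n", var_export($probe, true),
               $result === null ? 'rejected' : $result);
    }
    exit;
}

$page = resolvePage($_GET);
if ($page === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $page;
```

The key design choice is that the validated id is only ever used to build a file name inside a fixed directory; the user-supplied string never reaches `include` directly, which is what turns the "?config.ini" and "/../../passwords.xml" requests from the thread into plain 404s.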