
How Can I Stop The User From Editing The $_GET Variable


Aro


I have coded a database and I don't like how the user can edit the titles through the get variable. Is there any way I could stop that? Wouldn't getting each request from the database slow down the site?

 

<?php

include "config.php";
include "functions.php";


$SITEURL = addSlash($SITEURL);
$action =  $_GET['action'];
$state = $_GET['state'];
$city = $_GET['city'];
$id = $_GET['id'];

echo $SITEURL;

switch($action) {

case 'cities':
	include 'templates/cities.php';
	break;

case 'place':
	include 'templates/place.php';
	break;

case 'places':
	include 'templates/places.php';
	break;

default:
	include 'templates/home.php';
	break;
}

?>


 

#places.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><?php echo $siteTitle; ?></title>
</head>
<body>
<h2><?php echo $SITETOPIC." in ".$city.",".getStateName($state); ?></h2>
<?php
$query = "SELECT DISTINCT biz_name, biz_id FROM animalshelter WHERE city = '".$city."'";
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result))
{
	echo "<a href=http://".$SITEURL."place/".$state."/".urlencode($city)."/".$row['biz_id'].">".$row['biz_name']."</a><br />";
}
?>
</body>
</html>

 

#.htaccess
# .htaccess mod_rewrite
# demo.com

Options +FollowSymlinks
Options +Indexes
RewriteEngine On

RewriteBase /databaseSite/
ErrorDocument 404 /templates/404.php

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l

RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)$ index.php?action=$1&state=$2 [QSA,NC]
RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)/([a-zA-Z\+\_\-]+)$ index.php?action=$1&state=$2&city=$3 [QSA,NC]
RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)/([a-zA-Z\+\_\-]+)/([0-9]+)$ index.php?action=$1&state=$2&city=$3&id=$4 [QSA,NC]


You're looking at it the wrong way - you can't stop users messing with the $_GET vars, what you need to do is validate them and verify them with the database, for example check if the title exists with the db before allowing it to be shown on screen.

 

Always keep in mind the possibility of XSS attacks when you are displaying data on the screen that could have come from user input.


You must have a table in the db that stores the city, state etc., so just do a lookup to check the state, city etc. exists in the database. You could also check that the city is within the inputted state if your db structure is set up that way. When doing the lookup, if the state does not exist you know the user has messed with the $_GET variable.

 

$city = mysql_real_escape_string($_GET['city']);

 

SELECT COUNT(*) FROM cities WHERE city = '$city'

 

 
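Putting the two replies together, here is an added example (not the poster's or the repliers' code) of how the thread's index.php could allowlist the action, shape-check the rewritten URL parts, confirm the city/state pair against the `cities` table with a prepared statement, and escape the values before they are echoed. It assumes an open PDO connection in $pdo and that the `cities` table has `city` and `state` columns (the table name comes from the second reply; the `state` column is an assumption).

```php
<?php
// Added example: validate the $_GET values from the thread's index.php
// before any template or query sees them. Assumes $pdo (PDO connection)
// and a `cities` table with `city` and `state` columns.

// Allowlist the routing value; anything unknown falls back to home.
$allowedActions = ['cities', 'place', 'places'];
$action = $_GET['action'] ?? '';
if (!in_array($action, $allowedActions, true)) {
    $action = 'home';
}

// Cheap shape checks first (no database hit), using the same character
// classes the .htaccess rules accept, so a hand-edited query string that
// bypasses mod_rewrite is rejected early.
$state = $_GET['state'] ?? '';
$city  = $_GET['city']  ?? '';
$id    = $_GET['id']    ?? '';
if ($state !== '' && !preg_match('/^[a-zA-Z]+$/', $state))    { notFound(); }
if ($city  !== '' && !preg_match('/^[a-zA-Z+_\-]+$/', $city)) { notFound(); }
if ($id    !== '' && !ctype_digit($id))                       { notFound(); }

// One indexed lookup per request: the value is bound, never concatenated
// into the SQL, and a pair not in the table means the URL was tampered with.
function cityExists(PDO $pdo, string $city, string $state): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM cities WHERE city = :city AND state = :state'
    );
    $stmt->execute([':city' => $city, ':state' => $state]);
    return (int) $stmt->fetchColumn() > 0;
}

function notFound(): void
{
    http_response_code(404);
    include 'templates/404.php';
    exit;
}

if (in_array($action, ['place', 'places'], true) && !cityExists($pdo, $city, $state)) {
    notFound();
}

// Escape on output: the values are reflected into the <title>, <h2> and
// links, so encode them even though they passed the checks above.
$safeCity  = htmlspecialchars($city,  ENT_QUOTES, 'UTF-8');
$safeState = htmlspecialchars($state, ENT_QUOTES, 'UTF-8');
include "templates/$action.php";
```

The templates then use $safeCity and $safeState instead of the raw $city and $state, and run their own queries through the same $pdo with bound parameters.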

