
PHP Server Side Scripting Forum

Allowing Unwanted Query String Variables
Best practices question

 8:28 pm on Jan 30, 2010 (gmt 0)

I notice many sites allow page load if a user adds an additional query string variable to the URL. Sites and code I am familiar with just ignore the unwanted query string variable. What are the ramifications of restricting to your own keys or not restricting at all? If you are ignoring the unwanted variables does it matter at all?

In the last bit of code I wrote, I designed the CMS to intentionally return a 404 error if the end user adds a bogus query string variable. I am wondering whether this is a bad idea, since other sites are allowing it for some reason, and I remember once seeing in my Apache logs some search engine bots adding bogus query strings to the URL when crawling my site.

For example, an authorized query:


Bad query (user added an f variable):

^^ I would normally drop this, but I see other sites do not.



 9:21 pm on Jan 30, 2010 (gmt 0)

I tend to code in such a way that it doesn't matter if any other bogus values are specified.

<?php
if (isset($_GET['WhatImInterestedIn']) && $_GET['WhatImInterestedIn'] == "validString") {
    // Page one
} elseif (isset($_GET['WhatImInterestedIn']) && $_GET['WhatImInterestedIn'] == "validStringTwo") {
    // Page two
} else {
    // Generic home page
}

They can specify all the extra values they like and it'll make no difference - so why 404 it?


 9:54 pm on Jan 30, 2010 (gmt 0)

They can specify all the extra values they like and it'll make no difference - so why 404 it?

I was concerned they could use the URL for some nefarious purpose I am not familiar with. So as long as my app is ignoring it, I am OK, and something like this is not a concern?


But something like this I still have to 404, and strip <script>bad code</script>, I assume?

test.com?id=233&f=http://www.othersite.com/dosomething<script>bad code</script>


 10:04 pm on Jan 30, 2010 (gmt 0)

Any client request for any non-canonical URL -- including the query string appended to that URL -- should be 301-redirected to the canonical URL.

If you do not validate URLs and query strings, you're allowing *anyone* to create a duplicate-content issue for your site -- whether accidentally or intentionally.



 6:05 am on Jan 31, 2010 (gmt 0)

The URL is checked for validity, and if it requires query string keys, they are checked for validity.
If a key shows up that is not used, I 404 it, and if it is used but has bad data, I send a 400 "bad request".

I however tested sending a bogus query string key to a valid page on a few of the most popular web sites on the internet and they still accept the request as http 200.

I am therefore thinking maybe I need to be less restrictive -- allow bogus keys in the URL and not redirect, like they do. This is because if the top websites are handling it that way, maybe there is some good reason I am not aware of (maybe some search engines that I see sending bogus keys in my logs).

Maybe I am just overthinking security measures and this is a non-issue. I always worry whether I am not doing enough or doing too much when it comes to security.
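The approaches discussed in this thread (validate known keys, answer 400 for bad values, and drop unknown keys by 301-redirecting to the canonical URL) combined in one small routing function. This is an added example, not code from any poster; the keys 'id' and 'page', the path '/article', and PHP 7.4+ (for arrow functions) are assumptions.

```php
<?php
// Added example: whitelist the query string, validate known keys, and send
// requests carrying unknown keys to the canonical URL (hypothetical keys/path).

/** Allowed keys, each with a validator for its value. */
function allowed_keys(): array {
    return [
        'id'   => fn($v) => ctype_digit($v),                    // numeric id only
        'page' => fn($v) => in_array($v, ['one', 'two'], true), // fixed set of pages
    ];
}

/**
 * Decide how to answer a request.
 * Returns ['status' => int, 'location' => ?string]:
 *   400 when a known key carries a value that fails validation,
 *   301 to the canonical URL when unknown keys are present (a 404, as the
 *       original poster does, is the other option discussed in the thread),
 *   200 otherwise.
 */
function route_query(string $path, array $query): array {
    $allowed   = allowed_keys();
    $canonical = [];
    foreach ($allowed as $key => $validator) {
        if (!array_key_exists($key, $query)) {
            continue;
        }
        // Arrays (?id[]=1) and values failing the validator are "bad data".
        if (!is_string($query[$key]) || !$validator($query[$key])) {
            return ['status' => 400, 'location' => null];
        }
        $canonical[$key] = $query[$key];
    }
    if (array_diff_key($query, $allowed) !== []) {
        // Unknown keys present: redirect to the URL with only whitelisted keys,
        // which also neutralises any payload smuggled in an ignored key.
        $qs = $canonical ? '?' . http_build_query($canonical) : '';
        return ['status' => 301, 'location' => $path . $qs];
    }
    return ['status' => 200, 'location' => null];
}

// Constructed request modelled on the thread: a bogus 'f' key with a script tag.
$decision = route_query('/article', ['id' => '233', 'f' => '<script>bad code</script>']);
if ($decision['status'] === 301) {
    header('Location: ' . $decision['location'], true, 301); // Location: /article?id=233
    exit;
}
http_response_code($decision['status']);
// When a validated value is rendered, still escape it on output:
// echo htmlspecialchars($_GET['id'], ENT_QUOTES, 'UTF-8');
```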
