PHP Server Side Scripting Forum
Allowing Unwanted Query String Variables
Best practices question
Kahless
msg:4071166
8:28 pm on Jan 30, 2010 (gmt 0)

I notice many sites allow page load if a user adds an additional query string variable to the URL. Sites and code I am familiar with just ignore the unwanted query string variable. What are the ramifications of restricting to your own keys or not restricting at all? If you are ignoring the unwanted variables does it matter at all?

In the last bit of code I wrote, I designed the CMS to intentionally return a 404 error if the end user adds a bogus query string variable. I am wondering whether this is a bad idea, since other sites are allowing it for some reason, and I remember once seeing in my Apache logs some search engine bots adding bogus query strings to the URL when crawling my site.

For example authorized query

test.com?id=1&a=b

Bad query (user added f variable)

test.com?id=1&a=b&f=http://www.webmasterworld.com

^^I would normally drop this but see other sites do not.

Readie
msg:4071191
9:21 pm on Jan 30, 2010 (gmt 0)

I tend to code in such a way that it doesn't matter if any other bogus values are specified.

<?php
// Only the one key this page cares about is inspected; any extra
// query string variables the client adds are simply never read.
$what = isset($_GET['WhatImInterestedIn']) ? $_GET['WhatImInterestedIn'] : '';

if ($what === "validString") {
    echo "Page";
} elseif ($what === "validStringTwo") {
    echo "Page two";
} else {
    echo "Generic home page";
}

They can specify all the extra values they like and it'll make no difference - so why 404 it?

Kahless
msg:4071202
9:54 pm on Jan 30, 2010 (gmt 0)

They can specify all the extra values they like and it'll make no difference - so why 404 it?

I was concerned they could use the URL for some nefarious purpose I am not familiar with. So as long as my app is ignoring it, I am ok, and something like this is not a concern?

test.com?id=233&f=http://www.someothersite.com/dosomething

But something like this I still have to 404, and strip <script>bad code</script>, I assume?

test.com?id=233&f=http://www.othersite.com/dosomething<script>bad code</script>

jdMorgan
msg:4071208
10:04 pm on Jan 30, 2010 (gmt 0)

Any client request for any non-canonical URL -- including the query string appended to that URL -- should be 301-redirected to the canonical URL.

If you do not validate URLs and query strings, you're allowing *anyone* to create a duplicate-content issue for your site -- whether accidentally or intentionally.

Jim

Kahless
msg:4071373
6:05 am on Jan 31, 2010 (gmt 0)

The URL is checked for validity and if it requires query string keys they are checked for validity.
If a key shows up that is not used, I 404 it, and if it is used but has bad data I send a 400 "bad request".

I however tested sending a bogus query string key to a valid page on a few of the most popular web sites on the internet and they still accept the request as http 200.

I am therefore thinking maybe I need to be less restrictive -- allow bogus keys in the URL and not redirect, like they do. This is because, if the top websites are handling it that way, maybe there is some good reason I am not aware of (maybe some search engines, which I see sending bogus keys in my logs).

Maybe I am just overthinking security measures and this is a non-issue. I always worry about whether I am not doing enough, or doing too much, when it comes to security.
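The two policies argued over in this thread, Kahless's strict one (unknown key gets a 404, known key with bad data gets a 400) and jdMorgan's canonical one (drop what the page does not use and 301 to the canonical URL), side by side in one script. This is an added example, not code from any poster: the whitelist table $allowed, the functions strictStatus() and canonicalUrl(), the path /test.php and the sample requests are all constructed for illustration. Readie's point is visible too: under the canonical policy the stray f key is simply never read.

```php
<?php
// Added example (not from any post in this thread). Assumed: a page that
// accepts only the keys in $allowed, each with a pattern the value must match.
// Function names and the whitelist table are hypothetical.

// Per-page whitelist: key => regex the value must satisfy.
$allowed = [
    'id' => '/^[1-9][0-9]{0,9}$/',   // numeric record id
    'a'  => '/^[a-z]{1,20}$/',       // short lowercase token
];

/**
 * Strict policy: returns the HTTP status the page should send for $query.
 * 404 for a key this page never uses, 400 for a used key with bad data,
 * 200 otherwise. The is_string() guard catches ?id[]=1 style array values.
 */
function strictStatus(array $query, array $allowed): int
{
    foreach ($query as $key => $value) {
        if (!array_key_exists($key, $allowed)) {
            return 404;
        }
        if (!is_string($value) || !preg_match($allowed[$key], $value)) {
            return 400;
        }
    }
    return 200;
}

/**
 * Canonical policy: keep only whitelisted keys, in whitelist order, and
 * return the canonical URL. The caller 301-redirects when it differs from
 * what was requested. A used key that fails validation returns null (400).
 */
function canonicalUrl(string $path, array $query, array $allowed): ?string
{
    $kept = [];
    foreach ($allowed as $key => $pattern) {
        if (!isset($query[$key])) {
            continue;
        }
        if (!is_string($query[$key]) || !preg_match($pattern, $query[$key])) {
            return null;
        }
        $kept[$key] = $query[$key];
    }
    $qs = http_build_query($kept, '', '&', PHP_QUERY_RFC3986);
    return $qs === '' ? $path : $path . '?' . $qs;
}

// Constructed requests, modelled on the URLs quoted in the thread.
$path = '/test.php';
$requests = [
    ['id' => '1', 'a' => 'b'],                                   // canonical already
    ['id' => '1', 'a' => 'b', 'f' => 'http://www.webmasterworld.com'],
    ['id' => '233', 'f' => 'http://www.othersite.com/dosomething<script>bad code</script>'],
    ['a' => 'b', 'id' => '1'],                                   // same keys, wrong order
    ['id' => '1', 'a' => 'b<script>x</script>'],                 // bad data in a used key
];

foreach ($requests as $q) {
    $current = $path . '?' . http_build_query($q, '', '&', PHP_QUERY_RFC3986);
    $status  = strictStatus($q, $allowed);
    $canon   = canonicalUrl($path, $q, $allowed);
    $action  = $canon === null ? '400 Bad Request'
             : ($canon === $current ? '200 serve' : '301 -> ' . $canon);
    printf("%-75s strict=%d canonical=%s\n", $current, $status, $action);
}
```

Run from the command line it needs no web server. The difference between the two policies only shows for keys the page never reads: the strict version answers 404, the canonical version answers 301 to the URL without them, so a crawler that appends bogus keys (or reorders real ones) ends up indexing one URL instead of many. For a key the page does read, both reject malformed data with a 400 before it is ever used; and any value that does reach HTML output should still go through htmlspecialchars() rather than being trusted because it passed the whitelist.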
