It has been a while since I have been on these forums, it feels good to be back :)
Currently I am working for a company and I have their site up and running. I do have a major security issue though that I need to resolve immediately.
The problem I am having is I have no verification of variables sent from page to page. For example, if someone clicks on a link which leads to a product category, the address bar reads details.php?catid=5. Now if they were to go and change the address bar to details.php?catid=5;drop database DBNAME; then that would pose a big security risk for me.
I don't know much on this subject so I need some help on how I could make sure this security risk can be resolved. Another thing which I might as well ask is... I hear having less PHP code in the address bar and more of a description of what you are offering is good for search engines. Basically, instead of having products.php?product_id=5, having products/networking/linksysrouter/ is best for SEO.
I plan on changing my site to scrap the PHP code, but what I'm wondering is if it would be best to just do it now, while I am doing the changes for the variable verification.
Thanks everyone for your help on this matter :)
Wes
// $_GET values are always strings, so is_int() would never be true here;
// ctype_digit() checks that the string consists only of digits.
if (isset($_GET['id']) && ctype_digit($_GET['id'])) {
    $id = (int) $_GET['id'];
} else {
    $id = 1;
}
which would default all random stuff to id 1. If you want to be slightly fuzzier you could do something like
// strip every non-digit character (the empty replacement string was missing)
$id = preg_replace("/[^0-9]/", "", $_GET['id'] ?? '');
if (empty($id)) {
    $id = 1;
}
which has the same effect but will also convert "5; drop table blah" into 5.
Hope that helps.
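One way to put the whole check together, as an added example rather than code from this thread: validate catid as a positive integer before anything else, and then pass it to the database through a prepared statement so the value is never parsed as part of the SQL text. The DSN, the credentials and the categories table are assumptions made for the example.

```php
<?php
// Added example (not from the thread): validate catid from the query string
// and use a prepared statement so the value can never be parsed as SQL.
declare(strict_types=1);

/**
 * Return catid as a positive integer, or null if the query value is not one.
 * Rejects "5;drop database x", "5abc", "-1", "" and a missing value alike.
 */
function parseCategoryId(array $query): ?int
{
    $raw = $query['catid'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a well-formed integer string;
    // min_range additionally rejects zero and negative numbers.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the category row. The table and column names are assumptions
 * for this example; adapt them to the real schema.
 */
function fetchCategory(PDO $pdo, int $catid): ?array
{
    // The placeholder is bound as an integer; the driver never splices
    // the value into the SQL text, so ";drop database" has no meaning here.
    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $catid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$catid = parseCategoryId($_GET);
if ($catid === null) {
    http_response_code(400);
    exit('Invalid category id');
}

// Host, database name and credentials are placeholders for the example.
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'db_user', 'db_pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // use real server-side prepares
]);
$category = fetchCategory($pdo, $catid);
```

Rejecting bad input with a 400 rather than silently defaulting to id 1 also makes tampering attempts visible in the access logs.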
that can get you started with mod_rewrite