php query string

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

php query string

Post by goldensparrow »

Hi everyone, I have a question to ask you. I found a website that puzzles me; that site has a URL like this:

http://xxx.xxx.xxx/answer_view.php?head=4
and I added a single quote to the URL like this:

http://xxx.xxx.xxx/answer_view.php?head=4'
It shows the same page as the URL http://xxx.xxx.xxx/xxx.php?xxx=4, and then I added a parameter like this:

http://xxx.xxx.xxx/xxx.php?xxx=4aaaaaa
No matter what I add, it shows the same page, but when I add it like this:

http://xxx.xxx.xxx/xxx.php?xxx=aaa4
it shows an error page. In my thinking, no matter what I add to the URL string before the number 4, MySQL will return false, and if it's after the number 4, MySQL will return true, but I want to know why. Can anybody tell me about this issue? Thanks in advance.
DaiLaughing
Forum Commoner
Posts: 76
Joined: Thu Jul 16, 2009 8:03 am

Re: php query string

Post by DaiLaughing »

You really need to show us the code which is handling the $_GET values.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: php query string

Post by goldensparrow »

I have no code because I found this site on Google. I just want to know why the query result is true when I add 4aaaaaa but false for aaaaa4. It should be false for both queries, shouldn't it?
DaiLaughing
Forum Commoner
Posts: 76
Joined: Thu Jul 16, 2009 8:03 am

Re: php query string

Post by DaiLaughing »

For a start we don't know what the query is so how can we say?
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: php query string

Post by goldensparrow »

Actually, the site I found on Google is like this site: forums.devnetwork.net/viewforum.php?f=1. You can also add a parameter like I added on this site and see the result I saw. Please try it and tell me why the result is like this:

viewforum.php?f=1aaa

viewforum.php?f=aaa1
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: php query string

Post by goldensparrow »

One more thing: if you can't understand what I said, you can ask me. My native language is not English, so my English is not good.
DaiLaughing
Forum Commoner
Posts: 76
Joined: Thu Jul 16, 2009 8:03 am

Re: php query string

Post by DaiLaughing »

Are you just asking what the f=1 means?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php query string

Post by jackpf »

I've noticed this as well - if you add characters after an ID, it will still show the same ID, but if you add characters before, it'll mess up.
For example, check this out:
viewtopic.php?f=1&t=103621 will show this thread
viewtopic.php?f=1&t=103621afakjhgjkashjdghdasd will show this thread
viewtopic.php?f=1&t=asdgasdg103621 will not show this thread

I think mysql must attempt to convert strings to integers when comparing them to int columns. That's the only thing I can think of....
Last edited by jackpf on Fri Jul 24, 2009 6:02 am, edited 1 time in total.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: php query string

Post by goldensparrow »

No, I want to know why the result of the page viewforum.php?f=1 is like the result of the URL viewforum.php?f=1aaa. Do you understand me? Sorry if I puzzle you.
Last edited by goldensparrow on Fri Jul 24, 2009 6:27 am, edited 1 time in total.
DaiLaughing
Forum Commoner
Posts: 76
Joined: Thu Jul 16, 2009 8:03 am

Re: php query string

Post by DaiLaughing »

That certainly puzzles me! They look the same. Did you mean f=1 and f=1aaa?

If so it will be because the scripts sanitise the data to prevent users from hacking the server through the PHP. They are probably stripping away the letters as only numbers are expected.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php query string

Post by jackpf »

That's what I said lol.
goldensparrow
Forum Commoner
Posts: 30
Joined: Wed Jun 17, 2009 3:31 am

Re: php query string

Post by goldensparrow »

Thank you very much for your replies, jackpf and DaiLaughing. I want to know which PHP function is used in this case to strip characters (letters)?
UnknownOne
Forum Newbie
Posts: 5
Joined: Thu Jul 23, 2009 8:52 am

Re: php query string

Post by UnknownOne »

It must be because number inputs have been set to be ignored/dismissed.

This can be done by limiting a certain string using a certain function. <- Weird sentence. xD

<?php
// @ suppresses the notice when $_GET['id'] is absent; intval() keeps the leading
// digits and drops the rest ("4aaa" becomes 4, "aaa4" becomes 0), abs() drops the sign.
$_GET['id'] = abs(@intval($_GET['id']));
if (!$_GET['id'])
{
    echo "Either you didn't specify an ID, or you attempted to use an invalid ID";
    $h->endpage(); // $h is the poster's own page object; it is not defined in this snippet
    exit;
}
Something like that will restrict it to numbers only I guess.
Credit to Anthony for the help.

goldensparrow wrote: Thank you very much for your replies, jackpf and DaiLaughing. I want to know which PHP function is used in this case to strip characters (letters)?
I'm not too sure, but I'm a fan of str_replace().
DaiLaughing
Forum Commoner
Posts: 76
Joined: Thu Jul 16, 2009 8:03 am

Re: php query string

Post by DaiLaughing »

Sorry jack I somehow missed your post.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: php query string

Post by jackpf »

Lol no problem.

I think it might be similar to this:

<?php
$i = '345';
echo (int) $i, "\n"; // outputs 345
$i = '345aaa';
echo (int) $i, "\n"; // outputs 345 as well: the leading digits are kept, the rest is dropped
$i = 'aaa345';
echo (int) $i, "\n"; // outputs 0: there are no leading digits
I'd make a guess that mysql does similar conversions when comparing something to an int column.
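As an added example (not code from anyone in this thread), the following script shows why a script that coerces the parameter with intval() or (int) treats ?f=1aaa exactly like ?f=1, and contrasts that with a strict check that rejects such values instead of silently truncating them; the sample inputs are constructed and the $pdo handle at the end is hypothetical.

```php
<?php
// Lenient coercion (what the intval()/(int) snippets above do) versus strict
// validation of an integer id taken from the query string.

declare(strict_types=1);

// Lenient: intval() reads the leading digits and ignores everything after them.
// "1" -> 1, "1aaa" -> 1, "aaa1" -> 0, "4'" -> 4, "" -> 0
function lenientId(string $raw): int
{
    return abs(intval($raw));
}

// Strict: the whole string must be a positive integer, otherwise null.
// FILTER_VALIDATE_INT returns false for "1aaa", "aaa1", "4'", "" and "1.0".
function strictId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample values, including the ones tried in this thread.
$samples = ['1', '1aaa', 'aaa1', "4'", '', '1.0'];

printf("%-8s %-8s %s\n", 'input', 'lenient', 'strict');
foreach ($samples as $raw) {
    $strict = strictId($raw);
    printf("%-8s %-8d %s\n", var_export($raw, true), lenientId($raw),
        $strict === null ? 'rejected' : (string) $strict);
}

// Whichever check is used, the value should reach MySQL as a bound integer,
// never by concatenating it into the SQL string, so a stray quote in the
// parameter is just a rejected or truncated value and never part of the query.
// ($pdo is a hypothetical PDO connection, not opened in this example.)
//
// $stmt = $pdo->prepare('SELECT title FROM answers WHERE id = ?');
// $stmt->bindValue(1, $id, PDO::PARAM_INT);
// $stmt->execute();
```

Note that MySQL does the same kind of conversion on its own side: in a numeric comparison it reads '1aaa' as 1 (with a truncation warning) and 'aaa1' as 0, so the observed behaviour can come from either the PHP cast or the database, and the strict check above avoids relying on either.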