Preventing users from changing URL

webwalker2k
Forum Newbie
Posts: 1
Joined: Fri Sep 08, 2006 8:16 pm

Preventing users from changing URL

Post by webwalker2k »

Hi everyone,

What would the best approach be when it comes to preventing web users from changing URLs manually and getting unpredictable results? (Considering my client does want to use the GET method rather than POST.)

Thanks,

Web
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

umm...

Code:

<?php
// Whitelist approach: only the values named in a case label do anything.
// Default to '' so a missing ?foo= parameter does not raise an undefined-index notice.
$foo = $_GET['foo'] ?? '';

switch ($foo) {
    case 'bar':
        echo "bar";
        break;
    case 'boofar':
        echo "boofar";
        break;
    default:
        // Anything not explicitly listed above ends up here.
        echo "naughty naughty... don't type stuff in the url that isn't supposed to be there!";
}
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Sanitization. Always work on the assumption that users are stupid :)
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

d11wtq wrote: Sanitization. Always work on the assumption that users are stupid :)
Sanitization. Always work on the fact that users are stupid :)

:D
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Re: Preventing users from changing URL

Post by aerodromoi »

webwalker2k wrote: Hi everyone,

What would the best approach be when it comes to preventing web users from changing URLs manually and getting unpredictable results? (Considering my client does want to use the GET method rather than POST.)

Thanks,

Web
When it comes down to input validation, you shouldn't draw a line between the superglobals GET, POST or COOKIE.

E.g. just take an HTML form with radio buttons. Every user could save the HTML page and then modify it, sending you his or her own "version" of the variables you actually would like to see. If you're only using a central index file which retrieves the actual content depending on an id (e.g. id=guestbook), I'd rely on in_array. If it gets more complex, a regex might be an attractive idea as well.
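The approach described in the post above, worked through as an added example (this is editor-supplied code, not code posted in the thread): a central index.php that loads a page by ?id=..., validates a cookie exactly the same way as a GET parameter, and uses a regex for a value that cannot be enumerated. The page names, the /pages/ directory, the 'lang' cookie and the 'page' parameter are assumptions made for the illustration. The user-supplied id is only ever used as an array key into a fixed map, never concatenated into a file path, so values like ../../etc/passwd can never reach require().

```php
<?php
declare(strict_types=1);

// Added example, not from the forum thread. Assumptions: pages live under
// ./pages/, the site sets a 'lang' cookie and paginates with ?page=N.

// Whitelist map: the only ids that exist, and the file each one maps to.
// The user value is used as a KEY into this array, never as part of a path.
const PAGES = [
    'home'      => 'home.php',
    'guestbook' => 'guestbook.php',
    'contact'   => 'contact.php',
];

const LANGS = ['en', 'de', 'fr'];

/**
 * Return the requested page id if it is whitelisted, otherwise the default.
 * in_array() with strict=true avoids loose-comparison surprises.
 */
function selectPage(array $input, string $default = 'home'): string
{
    $id = $input['id'] ?? $default;          // missing key -> default, no notice
    if (!is_string($id)) {                    // ?id[]=x arrives as an array
        return $default;
    }
    return in_array($id, array_keys(PAGES), true) ? $id : $default;
}

/**
 * A cookie is validated exactly like a GET parameter: the source does not
 * matter, only whether the value is one we expect.
 */
function selectLang(array $cookies, string $default = 'en'): string
{
    $lang = $cookies['lang'] ?? $default;
    return is_string($lang) && in_array($lang, LANGS, true) ? $lang : $default;
}

/**
 * Regex for a value that cannot be enumerated: a page number of 1 to 6
 * ASCII digits with no leading zero. Anchors plus the D modifier reject a
 * trailing newline that a bare $ would otherwise accept.
 */
function selectPageNumber(array $input, int $default = 1): int
{
    $n = $input['page'] ?? (string) $default;
    if (!is_string($n) || !preg_match('/^[1-9][0-9]{0,5}$/D', $n)) {
        return $default;
    }
    return (int) $n;
}

/** Resolve a whitelisted id to the file to include. */
function pagePath(string $id): string
{
    return __DIR__ . '/pages/' . PAGES[$id];
}

if (PHP_SAPI === 'cli') {
    // Constructed demonstration inputs, as a user editing the URL would send them.
    // Only 'guestbook' survives; everything else falls back to 'home'.
    foreach (['guestbook', '../../etc/passwd', 'Guestbook', ['x'], null] as $probe) {
        echo var_export($probe, true), ' => ', selectPage(['id' => $probe]), PHP_EOL;
    }
    echo 'page=007 => ', selectPageNumber(['page' => '007']), PHP_EOL;   // default 1
    echo 'page=42  => ', selectPageNumber(['page' => '42']), PHP_EOL;    // 42
    echo 'lang=xx  => ', selectLang(['lang' => 'xx']), PHP_EOL;          // default en
} else {
    // Real request: every value has been reduced to something we chose ourselves.
    $id   = selectPage($_GET);
    $lang = selectLang($_COOKIE);
    $num  = selectPageNumber($_GET);
    require pagePath($id);
}
```

Run it from the command line to see the probes resolve; served through a web server it dispatches to the whitelisted page. The point the post makes is visible in the code: $_GET, $_COOKIE (and $_POST, if the form used it) all go through the same kind of check, and the check is "is this one of the values I listed", not "does this look harmless".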