Hi everyone,
What would the best approach be when it comes to preventing web-users from changing URLs manually and getting unpredictable results? (considering my client does want to use GET method rather than post).
Thanks,
Web
Preventing users from changing URL
-
webwalker2k
- Forum Newbie
- Posts: 1
- Joined: Fri Sep 08, 2006 8:16 pm
umm...
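Code:
// Read the parameter without a notice when it is missing from the URL
$foo = isset($_GET['foo']) ? $_GET['foo'] : '';
switch ($foo) {
    case 'bar':
        echo "bar";
        break;
    case 'boofar':
        echo "boofar";
        break;
    default:
        // Any value not listed above (or no value at all) ends up here
        echo "naughty naughty... don't type stuff in the url that isn't supposed to be there!";
}
- Chris Corbyn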
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
- aerodromoi
- Forum Contributor
- Posts: 230
- Joined: Sun May 07, 2006 5:21 am
Re: Preventing users from changing URL
webwalker2k wrote:
Hi everyone,
What would the best approach be when it comes to preventing web-users from changing URLs manually and getting unpredictable results? (considering my client does want to use GET method rather than post).
Thanks,
Web

When it comes down to input validation, you shouldn't draw a line between the superglobals get, post or cookie. E.g. just take an html form with radio buttons. Every user could save the html page and then modify it, sending you his or her own "version" of the variables you actually would like to see. If you're only using a central index file which retrieves the actual content depending on an id (e.g. id=guestbook), I'd rely on in_array. If it gets more complex, regex might be an attractive idea as well.
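
The in_array and regex checks suggested above, as an added example that is not part of the original thread. The page names, the `id` and `entry` parameter names and both helper functions are assumptions; the same functions accept `$_GET`, `$_POST` or `$_COOKIE`, since none of them is more trustworthy than the others.

```php
<?php
// Added example: page names, the 'id' and 'entry' parameters are assumptions.
const ALLOWED_PAGES = ['home', 'guestbook', 'contact'];

// Resolve a page id from any request array ($_GET, $_POST or $_COOKIE).
// Returns an allow-listed id, or null when the value is not one we issued.
function resolve_page(array $input, string $default = 'home'): ?string
{
    if (!array_key_exists('id', $input)) {
        return $default;               // parameter absent: serve the default page
    }
    $id = $input['id'];
    // ?id[]=x arrives as an array; the third argument makes in_array compare
    // with === so loose type juggling can never produce a match.
    if (!is_string($id) || !in_array($id, ALLOWED_PAGES, true)) {
        return null;
    }
    return $id;
}

// Regex check for a value that cannot be enumerated: an entry number of
// 1 to 6 digits. \A and \z anchor the whole string ("$" alone would also
// accept a trailing newline).
function resolve_entry(array $input): ?int
{
    $raw = $input['entry'] ?? null;
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,5}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample requests, so the script runs from the CLI.
$samples = [
    ['id' => 'guestbook', 'entry' => '42'],    // link the site generated
    ['id' => 'no-such-page'],                  // hand-edited value
    ['id' => ['guestbook']],                   // ?id[]=guestbook
    ['id' => 'guestbook', 'entry' => "42\n"],  // trailing newline
    [],                                        // no parameters at all
];
foreach ($samples as $request) {
    printf("%-40s page=%s entry=%s\n", json_encode($request),
        var_export(resolve_page($request), true),
        var_export(resolve_entry($request), true));
}
```

In an index file, a null result from either function is the point to answer with a 404 or the default page instead of passing the raw value on.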