
Preventing users from changing URL

Posted: Fri Sep 08, 2006 8:23 pm
by webwalker2k
Hi everyone,

What would the best approach be when it comes to preventing web users from changing URLs manually and getting unpredictable results? (considering my client does want to use the GET method rather than POST).

Thanks,

Web

Posted: Fri Sep 08, 2006 8:26 pm
by Luke
umm...

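Code:

// Read the parameter defensively: it may be missing or sent as an array (?foo[]=x)
$foo = (isset($_GET['foo']) && is_string($_GET['foo'])) ? $_GET['foo'] : '';
// Only the values listed below are handled; anything else falls through to default
switch ($foo) {
    case 'bar':
        echo "bar";
        break;
    case 'boofar':
        echo "boofar";
        break;
    default:
        echo "naughty naughty... don't type stuff in the url that isn't supposed to be there!";
}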

Posted: Sat Sep 09, 2006 11:07 am
by Chris Corbyn
Sanitization. Always work on the assumption that users are stupid :)

Posted: Sat Sep 09, 2006 11:26 am
by jayshields
d11wtq wrote: Sanitization. Always work on the assumption that users are stupid :)
Sanitization. Always work on the fact that users are stupid :)

:D

Re: Preventing users from changing URL

Posted: Sat Sep 09, 2006 6:04 pm
by aerodromoi
webwalker2k wrote: Hi everyone,

What would the best approach be when it comes to preventing web users from changing URLs manually and getting unpredictable results? (considering my client does want to use the GET method rather than POST).

Thanks,

Web
When it comes down to input validation, you shouldn't draw a line between the superglobals get, post or cookie.

E.g. just take an html form with radio buttons. Every user could save the html page and then modify it, sending you his or her own "version" of the variables you actually would like to see. If you're only using a central index file which retrieves the actual content depending on an id (e.g. id=guestbook), I'd rely on in_array. If it gets more complex, regex might be an attractive idea as well.
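
The in_array and regex approach from the post above, as an added example that is not part of the original thread. The names ALLOWED_PAGES, resolve_page, resolve_entry and the `entry` parameter are hypothetical, and the query strings are constructed samples.

```php
<?php
// Added example; ALLOWED_PAGES, resolve_page and resolve_entry are hypothetical names.

// Allow-list of page ids the central index file is willing to load.
const ALLOWED_PAGES = ['home', 'guestbook', 'contact'];

/**
 * Return the requested page id, or the default when the value is missing,
 * not a string (e.g. ?id[]=x), or not on the allow-list.
 */
function resolve_page(array $query, string $default = 'home'): string
{
    $id = $query['id'] ?? null;
    if (!is_string($id)) {
        return $default;
    }
    // Third argument true = strict comparison, so no type juggling.
    return in_array($id, ALLOWED_PAGES, true) ? $id : $default;
}

/**
 * Validate a more complex parameter with a regex: 1 to 6 digits, no leading zero.
 * \A and \z anchor the whole string; a bare "$" would also accept a trailing newline.
 */
function resolve_entry(array $query): ?int
{
    $entry = $query['entry'] ?? null;
    if (!is_string($entry) || preg_match('/\A[1-9][0-9]{0,5}\z/', $entry) !== 1) {
        return null;
    }
    return (int) $entry;
}

// Constructed sample query strings, parsed the way PHP fills $_GET.
$samples = [
    'id=guestbook&entry=42',    // valid page, valid entry
    'id=no-such-page',          // unknown page falls back to the default
    'id[]=guestbook',           // array instead of string is rejected
    'id=guestbook&entry=42%0A', // trailing newline fails the \z anchor
    '',                         // no parameters at all
];
foreach ($samples as $qs) {
    parse_str($qs, $query);
    printf("%-26s page=%-10s entry=%s\n", $qs === '' ? '(empty)' : $qs,
        resolve_page($query), var_export(resolve_entry($query), true));
}
```

The same two functions can be pointed at $_POST or $_COOKIE unchanged, which matches the point in the post that validation should not differ between the superglobals.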