Preventing users from changing URL
Posted: Fri Sep 08, 2006 8:23 pm
by webwalker2k
Hi everyone,
What would the best approach be when it comes to preventing web users from changing URLs manually and getting unpredictable results? (Considering my client does want to use the GET method rather than POST.)
Thanks,
Web
Posted: Fri Sep 08, 2006 8:26 pm
by Luke
umm...
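Code:
// The parameter may be missing from the query string, so read it defensively
$foo = isset($_GET['foo']) ? $_GET['foo'] : '';
switch ($foo) {
    case 'bar':
        echo "bar";
        break;
    case 'boofar':
        echo "boofar";
        break;
    default:
        // Any value not listed above ends up here
        echo "naughty naughty... don't type stuff in the url that isn't supposed to be there!";
}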
Posted: Sat Sep 09, 2006 11:07 am
by Chris Corbyn
Sanitization. Always work on the assumption that users are stupid

Posted: Sat Sep 09, 2006 11:26 am
by jayshields
d11wtq wrote: Sanitization. Always work on the assumption that users are stupid

Sanitization. Always work on the fact that users are stupid

Re: Preventing users from changing URL
Posted: Sat Sep 09, 2006 6:04 pm
by aerodromoi
webwalker2k wrote: Hi everyone,
What would the best approach be when it comes to preventing web users from changing URLs manually and getting unpredictable results? (Considering my client does want to use the GET method rather than POST.)
Thanks,
Web
When it comes down to input validation, you shouldn't draw a line between the superglobals get, post or cookie.
E.g. just take an HTML form with radio buttons. Every user could save the HTML page and then modify it, sending you his or her own "version" of the variables you actually would like to see. If you're only using a central index file which retrieves the actual content depending on an id (e.g. id=guestbook), I'd rely on in_array. If it gets more complex, regex might be an attractive idea as well.
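
The in_array whitelist and the regex check suggested in this thread, as an added example that is not code from any of the posters. The function names, the page list and the `entry` parameter are assumptions made for illustration.

```php
<?php
// Hypothetical helper names; the query arrays below are constructed sample
// input standing in for $_GET.

/** Return the requested page id if it is on the whitelist, else the default. */
function page_from_query(array $query, array $allowed, $default)
{
    $id = isset($query['id']) ? $query['id'] : $default;
    // ?id[]=x makes PHP deliver an array, so accept strings only.
    if (!is_string($id)) {
        return $default;
    }
    // Third argument true = strict comparison, so no type juggling.
    return in_array($id, $allowed, true) ? $id : $default;
}

/** Return a numeric entry number (1 to 6 digits), or null if malformed. */
function entry_from_query(array $query)
{
    $raw = isset($query['entry']) ? $query['entry'] : null;
    // \A and \z anchor the whole string; "$" alone would also accept a
    // value that ends in a newline.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,6}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

$allowed = array('home', 'guestbook', 'contact');

// Constructed requests: one valid, three with hand-edited parameters.
$samples = array(
    array('id' => 'guestbook', 'entry' => '42'),
    array('id' => 'not-a-page', 'entry' => '42abc'),
    array('id' => array('guestbook'), 'entry' => "42\n"),
    array('entry' => '1234567'),
);

foreach ($samples as $query) {
    $page  = page_from_query($query, $allowed, 'home');
    $entry = entry_from_query($query);
    printf("%-10s %s\n", $page, $entry === null ? 'rejected' : $entry);
}
```

In a real index file the functions would be called with `$_GET` instead of the sample arrays, and the same checks apply unchanged to `$_POST` and `$_COOKIE`.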