security url rewrite

methos
Forum Newbie
Posts: 13
Joined: Sat Oct 21, 2006 8:31 am

security url rewrite

Post by methos »

What code could I use to rewrite this first URL into the second?

The reason being the extra information on the first url could change the price of a product.

Maybe by making it impossible to have a "?" in the URL???

http://www.mysite.com/cartsoftware/Cart.php?price=whatever
into

http://www.mysite.com/cartsoftware/Cart.php
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

search for mod_rewrite
wtf
Forum Contributor
Posts: 331
Joined: Thu Nov 03, 2005 5:27 pm

Post by wtf »

Why are you passing price via form in the first place???
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

"wtf" makes a good point. I know people who got some really cheap TVs in the early days of e-commerce that way - it turns out that URL injection is protected as an "offer to purchase" in North America. It's up to the online store to confirm or reject it at that point. If only I had been a little more care-free...
methos
Forum Newbie
Posts: 13
Joined: Sat Oct 21, 2006 8:31 am

Post by methos »

How could I pass it without a form?
Last edited by methos on Sun Feb 25, 2007 3:17 pm, edited 1 time in total.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

the product should have a price in the DB - look it up by product ID
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I hate to break it to you but mod_rewrite isn't the solution for this sort of thing.

I think you should be looking to pass the product ID in the URL and then maybe extract the price from the DB based on the product ID.

Mod rewrite might be useful for making your URLs clean so you go from:

http://www.mysite.com/cartsoftware/Cart ... opage=true
and
http://www.mysite.com/cartsoftware/Cart ... epage=true

to:

http://www.mysite.com/store/books/1324/info/
and
http://www.mysite.com/store/books/1324/buy/

For this sort of setup, look for a mod_rewrite tutorial online.

:google:

If you have trouble implementing mod_rewrite, feel free to come here and post about it, as there are many people here (me for example) that are mod_rewrite experts.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Moving this to the Installation and Configuration forum.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

:banghead:

I should have read the original post more carefully.. sorry!

To get rid of form data in the URL use POST. You still shouldn't be passing pricing information by form though, it's just as unsafe.
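
The approach suggested in the replies above (send only the product ID and look the price up in the DB), shown as an added example that is not part of the original thread. The `products` table, its columns, the `cartLine` helper and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed catalogue: an in-memory SQLite table stands in for the store's DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
$db->exec("INSERT INTO products VALUES (1324, 'Sample book', 1999)");

// Hypothetical helper: builds one cart line from request parameters.
// Only id and qty are read from the client; any client-sent price is ignored.
function cartLine(PDO $db, array $request): ?array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $qty = filter_var($request['qty'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($id === false || $qty === false) {
        return null; // malformed id, or zero/negative/oversized quantity
    }

    // The price is looked up server-side with a prepared statement.
    $stmt = $db->prepare('SELECT name, price_cents FROM products WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown product
    }

    $price = (int) $row['price_cents'];
    return ['id' => $id, 'name' => $row['name'], 'qty' => $qty,
            'unit_cents' => $price, 'total_cents' => $price * $qty];
}

// Constructed requests; in Cart.php the array would be $_POST or $_GET.
$requests = [
    ['id' => '1324', 'qty' => '2'],
    ['id' => '1324', 'qty' => '2', 'price' => '0.01'], // extra parameter has no effect
    ['id' => '1324', 'qty' => '-5'],                   // rejected
    ['id' => '9999'],                                  // rejected
];
foreach ($requests as $r) {
    $line = cartLine($db, $r);
    echo json_encode($r), ' => ', $line === null ? 'rejected' : json_encode($line), PHP_EOL;
}
```

Quantity is range-checked as well because a negative or zero quantity changes the order total just as a tampered price would.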