
security url rewrite

Posted: Sat Jan 20, 2007 9:12 am
by methos
What code could I use to rewrite this first URL into the second?

The reason being the extra information on the first URL could change the price of a product.

Maybe by making it impossible to have a "?" in the URL???

http://www.mysite.com/cartsoftware/Cart.php?price=whatever
into

http://www.mysite.com/cartsoftware/Cart.php

Posted: Sat Jan 20, 2007 9:26 am
by Kieran Huggins
search for mod_rewrite

Posted: Sat Jan 20, 2007 11:57 am
by wtf
Why are you passing price via form in the first place???

Posted: Sat Jan 20, 2007 12:57 pm
by Kieran Huggins
"wtf" makes a good point.. I know people who got some really cheap TVs in the early days of e-commerce that way - it turns out that URL injection is protected as an "offer to purchase" in North America. It's up to the online store to confirm or reject it at that point. If only I had been a little more care-free...

Posted: Sat Jan 20, 2007 2:11 pm
by methos
How could I pass it without a form?

Posted: Sat Jan 20, 2007 2:56 pm
by Kieran Huggins
the product should have a price in the DB - look it up by product ID

Posted: Sat Jan 20, 2007 3:23 pm
by m3mn0n
I hate to break it to you but mod_rewrite isn't the solution for this sort of thing.

I think you should be looking to pass the product ID in the URL and then maybe extract the price from the DB based on the product ID.

Mod rewrite might be useful for making your URLs clean so you go from:

http://www.mysite.com/cartsoftware/Cart ... opage=true
and
http://www.mysite.com/cartsoftware/Cart ... epage=true

to:

http://www.mysite.com/store/books/1324/info/
and
http://www.mysite.com/store/books/1324/buy/

For this sort of setup, look for a mod_rewrite tutorial online.

:google:

If you have troubles implementing mod_rewrite, feel free to come here and post about it, as there are many people here (me for example) that are mod_rewrite experts.

Posted: Sat Jan 20, 2007 3:34 pm
by m3mn0n
Moving this to the Installation and Configuration forum.

Posted: Sat Jan 20, 2007 5:52 pm
by Kieran Huggins
:banghead:

I should have read the original post more carefully.. sorry!

To get rid of form data in the URL use POST. You still shouldn't be passing pricing information by form though; it's just as unsafe.
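The approach the thread converges on (look the price up by product ID, never read it from the request), as an added example that is not from the thread or any poster: a `Cart.php` line-total calculation that trusts a client-supplied price, beside a version that only accepts a product ID and quantity. The products table, its rows and the simulated request are constructed for the example; PDO with an in-memory SQLite database stands in for whatever DB the store actually uses.

```php
<?php
// Added example (not from the thread): "before" trusts a price from the request,
// "after" looks the price up by product ID. Sample DB contents are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
$db->exec("INSERT INTO products VALUES (1324, 'Book', 2999), (2001, 'TV', 89900)");

// BEFORE: Cart.php?product_id=2001&price=1 -- the client decides what the TV costs.
// Switching this to POST changes nothing; the value is still chosen by the client.
function lineTotalUnsafe(array $request): int
{
    $qty = (int) $request['qty'];
    return $qty * (int) $request['price'];   // tampered price flows straight into the order
}

// AFTER: only product ID and quantity are accepted from the request; the price is
// read from the database, and any "price" field the client sends is simply ignored.
function lineTotalSafe(PDO $db, array $request): int
{
    // Validate the two values we do accept (positive integers, bounded quantity).
    $id  = filter_var($request['product_id'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $qty = filter_var($request['qty'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($id === false || $qty === false) {
        throw new InvalidArgumentException('invalid product id or quantity');
    }
    // Prepared statement: the ID is bound as a parameter, never interpolated into SQL.
    $stmt = $db->prepare('SELECT price_cents FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        throw new RuntimeException('unknown product');
    }
    return $qty * (int) $price;
}

// Simulated tampered request (constructed); $_GET or $_POST would be passed the same way.
$tampered = ['product_id' => '2001', 'qty' => '1', 'price' => '1'];
printf("unsafe total: %d cents\n", lineTotalUnsafe($tampered));
printf("safe total:   %d cents\n", lineTotalSafe($db, $tampered));
```

Run with `php Cart_example.php`; the unsafe function bills the TV at the attacker's 1 cent while the safe one bills the stored price regardless of what the request contains.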