input url sanitizing
Posted: Mon Apr 13, 2009 11:11 pm
Hi Guys,
I've written my own simple CMS. I'm just curious about the security.
All my page requests go to a controller called index.php. index.php checks if the requested URL exists in the database;
if so it either includes the page or fetches the content from the database. I'm just worried about sanitizing my GET variable.
Is this code addslashes(htmlentities($_GET["rt"])) good enough for sanitizing?
//.htaccess
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule !^(css|images|files)/ index.php [NC,L]
RewriteRule ^(.*)$ index.php?rt=$1 [L,QSA]
<?php
//http://wwww.mysite.com/aboutus/php-developer
$page=addslashes(htmlentities($_GET["rt"]));
$result=$db->query("SELECT * FROM ".PREFIX."_page WHERE page_url_alias='$page'");
$page=$db->fetch_array($result);
if($db->num_rows($result)==1){
    // check if the page uses a php file
    if(!empty($page['page_file'])){
        file_exists($page['page_file'])?include($page['page_file']):die("Sorry, page file doesn't exist");
    }else{
        $tpl=new Template();
        $tpl->assign("content",$page);
        $tpl->display("page.tpl");
    }
}
?>
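For comparison, here is an added example (not the poster's code and not part of the thread) of how the same controller can be written so that the route never reaches the query as a string and the included file can never leave a fixed directory. It assumes PDO, a table named PREFIX . "_page" with page_url_alias, page_file and content columns, a constant PAGES_DIR, and a small SQLite fixture; all of those are constructed for the example. The points it illustrates: addslashes() is not a reliable SQL escape for every connection character set, htmlentities() is output escaping and mangles aliases containing characters such as &, and a file name read from the database still needs a path allowlist before include().

```php
<?php
// Added example (not the poster's code): hardened route lookup for index.php.
// Table name, PAGES_DIR and the sample rows below are constructed assumptions.
declare(strict_types=1);

const PREFIX = 'cms';                    // assumed, mirrors the poster's constant
const PAGES_DIR = __DIR__ . '/pages';    // assumed: only files under here may be included

/**
 * Validate the raw route before it touches the database. The rewrite rule
 * forwards any path, so restrict it to characters a URL alias can contain.
 * Returns null on rejection.
 */
function normalize_route(string $rt): ?string {
    $rt = trim($rt, '/');
    if ($rt === '' || strlen($rt) > 200) {
        return null;
    }
    // Letters, digits, '-', '_' and '/' separators; no '.' so ".." never appears
    return preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $rt) ? $rt : null;
}

/**
 * Look up the page with a prepared statement. The alias is bound, never
 * concatenated, so quote characters in it cannot change the query. No
 * addslashes()/htmlentities() here; HTML escaping belongs at output time.
 */
function find_page(PDO $db, string $alias): ?array {
    $stmt = $db->prepare('SELECT * FROM ' . PREFIX . '_page WHERE page_url_alias = :alias');
    $stmt->execute([':alias' => $alias]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;
}

/**
 * Resolve a page_file value to an absolute path and refuse anything that does
 * not resolve to a .php file inside PAGES_DIR. Even a tampered database row
 * cannot point include() outside that tree.
 */
function safe_page_file(string $pageFile): ?string {
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $pageFile);
    if ($base === false || $real === false) {
        return null;
    }
    $inside = strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return ($inside && substr($real, -4) === '.php') ? $real : null;
}

/** Dispatch: returns what the controller would do, without side effects. */
function route(PDO $db, string $rt): array {
    $alias = normalize_route($rt);
    if ($alias === null) {
        return ['status' => 400, 'action' => 'reject'];
    }
    $page = find_page($db, $alias);
    if ($page === null) {
        return ['status' => 404, 'action' => 'not-found'];
    }
    if (!empty($page['page_file'])) {
        $file = safe_page_file($page['page_file']);
        return $file === null
            ? ['status' => 404, 'action' => 'missing-file']
            : ['status' => 200, 'action' => 'include', 'file' => $file];
    }
    // Template path: escape when rendering, e.g. htmlspecialchars($page['content'])
    return ['status' => 200, 'action' => 'template', 'content' => $page['content']];
}

// --- constructed fixture so the example runs offline ---
@mkdir(PAGES_DIR);
file_put_contents(PAGES_DIR . '/developer.php', "<?php echo 'developer page';\n");

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . PREFIX . '_page (page_url_alias TEXT, page_file TEXT, content TEXT)');
$ins = $db->prepare('INSERT INTO ' . PREFIX . '_page VALUES (?, ?, ?)');
$ins->execute(['aboutus/php-developer', 'developer.php', null]);
$ins->execute(['aboutus', null, 'About us text']);
$ins->execute(['broken', '../../outside.txt', null]);   // tampered row: must be refused

foreach (['aboutus/php-developer', 'aboutus', "x' OR '1'='1", 'broken', '../index'] as $rt) {
    printf("%-25s => %s\n", $rt, json_encode(route($db, $rt)));
}
```

Run it with the PHP CLI (php example.php); it needs the pdo_sqlite extension. The first two routes resolve normally, the quoted probe and the dotted path are rejected before any query runs, and the row whose page_file points outside PAGES_DIR is reported as missing rather than included. The same structure applies to the poster's mysql-style $db wrapper as long as it offers parameter binding.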