Redirect if User inputs a Bad QueryString - How?


BrazilMac

Hello,

I have managed to get redirection working in a PHP script for specific rules, but I don't know how I can redirect someone who inputs a bad query string or an empty one, either maliciously or by mistake.

I have the following code:

// Value taken straight from the query string, with no check that it exists or is numeric
$auction_identifier = $_GET["picture"];

$con = mysql_connect(DB_HOST, DB_USER, DB_PASS);
mysql_select_db(DB_NAME, $con);

// The raw value is interpolated into the SQL text; an empty value leaves "auction_ID = " with nothing after it
$sql_sel_auct = "select * from auctions_table WHERE auction_ID = $auction_identifier";

$result_set_auct = mysql_query($sql_sel_auct) or die(mysql_error());
$row = mysql_fetch_array($result_set_auct);

$auction_itemnumber = $row['auction_URL'];
$auction_id = $row['auction_ID'];

// Emit a self-submitting form carrying the looked-up values to index.php
echo "<body onLoad=\"javascript:f.submit();\"> \n";
echo "<form name=\"f\" method=\"post\" action=\"index.php\"> \n";
echo "<input type=\"hidden\" name=\"r\" value=\"yes\"> \n";
echo "<input type=\"hidden\" name=\"hiddenid\" value=\"$auction_id\">\n";
echo "<input type=\"hidden\" name=\"hiddenitemnumber\" value=\"$auction_itemnumber\">\n";
echo "</form> \n";
echo "\n";

This works fine if the query string is something like index.php?picture=somevalue. But if there is an empty string, or a bad query string (like index.php?dsfsdfsd=sdfsdf), MySQL will throw this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1"

I guess it has to do with either the variable $auction_identifier being empty or the query string being bad.

How do I redirect on either one of those conditions?

Thanks again!

Change

$sql_sel_auct = "select * from auctions_table WHERE auction_ID = $auction_identifier";

to

$sql_sel_auct = "select * from auctions_table WHERE auction_ID = '$auction_identifier'";

or do something like

<?php
// isset() avoids an undefined-index notice when "picture" is absent from the query string
if (isset($_GET["picture"]) && is_numeric($_GET["picture"])) {
    // run the query and output the form here
} else {
    // handle the bad value here, e.g. redirect to an error page (error.php is a placeholder)
    header('Location: error.php');
    exit;
}
?>

Bad input should be avoided not only for appearance, but for security too. If you don't write the right code you could end up with your data destroyed, passwords taken away, etc. So:

<?php
$id = intval($_GET['id']); // clean input by converting it to an int
$results = @mysql_query("SELECT picture FROM album WHERE id=$id");
if (mysql_num_rows($results) == 0) {
    header('Location: pagenotfound.php');
    exit; // stop here, otherwise the code below still runs after the redirect header
}
// other code
?>

If in place of 'id' (which is numeric) you had a string GET variable:

<?php
// mysql_real_escape_string needs an open connection, so connect before this line
$title = mysql_real_escape_string($_GET['title']);
$results = @mysql_query("SELECT picture FROM album WHERE title='$title'");
if (mysql_num_rows($results) == 0) {
    header('Location: pagenotfound.php');
    exit; // stop here, otherwise the code below still runs after the redirect header
}
// other code
?>
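
The advice in both replies above (check the value before it reaches the query, redirect when it is bad or matches nothing, and never let user input change the SQL), carried through as one complete script for the question's picture lookup. This is an added example, not code from the thread or from either poster: it swaps the legacy mysql_* calls for PDO prepared statements, which replace the intval/escaping step shown above, assumes the DB_HOST/DB_USER/DB_PASS/DB_NAME constants and the auctions_table columns from the question, and uses /notfound.php as a placeholder redirect target.

```php
<?php
// Added example (not from the thread). Assumes DB_* constants, a table
// auctions_table(auction_ID, auction_URL) and a placeholder target /notfound.php.

function redirectAndExit(string $location): void
{
    header('Location: ' . $location, true, 302);
    exit; // without exit the rest of the script keeps running after the header
}

// 1. Validate the query-string value before it goes anywhere near SQL.
//    filter_input returns null when "picture" is absent and false when it is
//    empty or not an integer >= 1, so index.php, index.php?picture= and
//    index.php?dsfsdfsd=sdfsdf are all rejected by the same test.
$auctionId = filter_input(INPUT_GET, 'picture', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($auctionId === null || $auctionId === false) {
    redirectAndExit('/notfound.php');
}

// 2. Prepared statement: the value travels separately from the SQL text, so it
//    cannot alter the query's structure. Exceptions replace the "or die" path.
$pdo = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
    DB_USER,
    DB_PASS,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$stmt = $pdo->prepare(
    'SELECT auction_ID, auction_URL FROM auctions_table WHERE auction_ID = :id'
);
$stmt->execute([':id' => $auctionId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. A well-formed id that matches no row is a "bad query string" from the
//    user's point of view, so it gets the same redirect.
if ($row === false) {
    redirectAndExit('/notfound.php');
}

// 4. Values echoed into HTML attributes are escaped so a stored value cannot
//    break out of the attribute, the HTML counterpart of escaping for SQL.
$safeId   = htmlspecialchars((string) $row['auction_ID'], ENT_QUOTES, 'UTF-8');
$safeItem = htmlspecialchars((string) $row['auction_URL'], ENT_QUOTES, 'UTF-8');

echo "<body onload=\"document.forms['f'].submit();\">\n";
echo "<form name=\"f\" method=\"post\" action=\"index.php\">\n";
echo "<input type=\"hidden\" name=\"r\" value=\"yes\">\n";
echo "<input type=\"hidden\" name=\"hiddenid\" value=\"$safeId\">\n";
echo "<input type=\"hidden\" name=\"hiddenitemnumber\" value=\"$safeItem\">\n";
echo "</form>\n";
```

The redirect helper always calls exit, which is the detail most often missed after header('Location: ...'): without it PHP continues into the query and output code and the "protected" branch still runs. Checking for `=== null || === false` rather than `empty()` keeps the test explicit about the two distinct failure cases (parameter absent versus parameter present but invalid).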

Archived

This topic is now archived and is closed to further replies.
