doubledee Posted August 23, 2011

I'm feeling a little overwhelmed/burned-out/confused...

I have a page "article_index.php" that contains a summary of each article plus a link to it, e.g.

    <a href="<?php echo WEB_ROOT; ?>articles/postage-meters-save-you-money">

When you click on a link, it goes to "article.php" and uses a mod_rewrite to transform the "pretty URL" to a regular URL that "article.php" can use to query the correct article from my database.

-----

Here is what I need help with...

When a user is on a given article page, I want to store:

- ReturnToPath
- ArticleID

in the SESSION.

I am drawing a blank on how to get the "ArticleID" when a user is on a given page?!

Hope you guys follow me?!

Debbie

doddsey_65 Posted August 23, 2011

decode the url and then query the database for the id, given the name of the article?

doubledee (Author) Posted August 23, 2011

> decode the url and then query the database for the id, given the name of the article?

Let's use a real example, doddsey...

You are at "article_index.php" and click on the link...

    <a href="<?php echo WEB_ROOT; ?>articles/postage-meters-can-save-you-money">(Read Full Story)</a>

You are taken to the dynamic page...

    http://local.development/articles/postage-meters-can-save-you-money

On this page, I want to capture...

1.) The current path of this page so I can return the user back to this article - after they log in or register - so they can add a comment.

2.) The Article ID so that I can use that to query other information and present it to the user after they log-in/register (e.g. "You are posting a comment to the article 'Postage Meters can Save You Money!!'")

Sorry my brain isn't working tonight... :-\

Debbie

doddsey_65 Posted August 23, 2011

$_SERVER['SCRIPT_NAME'] will return the path of the script. You can just save that to a session to redirect after a login.

As for the ID: PHP can only work with what you give it. You have only given it an article name, so there's no way to get the id of the article. If the articles are being pulled from the database then you can query the database with the name of the article to pull the id of said article.

doubledee (Author) Posted August 23, 2011

> $_SERVER['SCRIPT_NAME'] will return the path of the script. You can just save that to a session to redirect after a login.

Is that way safe?

Are there other ways?

What about ___FILE___ ?

It seems like there are multiple ways to do the same thing, which is part of what is so confusing?!

> As for the ID. Php can only work with what you give it. You have only given it an article name so theres no way to get the id of the article. If the articles are being pulled from the database then you can query the database with the name of the article to pull the id of said article.

I have a field in my database called "article_title" and it is what I use to build my "pretty URL" (e.g. articles/how-do-i-incorporate )

So I guess I want to grab that from the "pretty URL" and use that to query my database for the ArticleID, right?

How do I grab "how-do-i-incorporate" from a URL like "http: //www.mywebsite.com/articles/how-do-i-incorporate" ??

Debbie

doddsey_65 Posted August 23, 2011

> How do I grab "how-do-i-incorporate" from a URL like "http: //www.mywebsite.com/articles/how-do-i-incorporate" ??

Well, that depends what is within your htaccess file to rewrite the url. It's essentially just a get parameter, so it would be something like

    $article_name = $_GET['article'];

> Is that way safe?

What's not safe about it. How else are you going to redirect back to the page. There are several ways to grab the url path. That just happens to be the one I use.

doubledee (Author) Posted August 23, 2011

> > How do I grab "how-do-i-incorporate" from a URL like "http: //www.mywebsite.com/articles/how-do-i-incorporate" ??
>
> well that depends what is within your htaccess file to rewrite the url.

Here is my .htaccess file...

    RewriteEngine on

    #PRETTY: articles/postage-meters-can-save-you-money
    #UGLY: article.php?title=postage-meters-can-save-you-money

    RewriteRule articles/([a-zA-Z0-9_-]+)$ article.php?title=$1

So would I do this...

    $article_name = $_GET['title'];

Does that look right?

> > Is that way safe?
>
> What's not safe about it. How else are you going to redirect back to the page. There are several ways to grab url path. That just happens to be the one I use.

Well, I have heard that $_SERVER['PHP_SELF'] is dangerous to use because it is susceptible to attacks/hacking?!

Debbie

doddsey_65 Posted August 23, 2011

yes you would use $_GET['title']

cssfreakie Posted August 23, 2011

> Well, I have heard that $_SERVER['PHP_SELF'] is dangerous to use because it is susceptible to attacks/hacking?!

Yes, $_SERVER['PHP_SELF'] can not be trusted. (So if you use it, use htmlspecialchars() on it or htmlentities() and then it is not dangerous anymore.)

But $_SERVER['SCRIPT_NAME'] can be trusted.

P.S. The reason why $_SERVER['PHP_SELF'] is not safe is because one can inject stuff in the part of your form action by appending javascript to the url.

doubledee (Author) Posted August 23, 2011

> > Well, I have heard that $_SERVER['PHP_SELF'] is dangerous to use because it is susceptible to attacks/hacking?!
>
> Yes $_SERVER['PHP_SELF'] can not be trusted. (so if you use it use htmlspecialchars() on it or htmlentities() and then it is not dangerous anymore)

Hey, could you explain how htmlspecialchars() works??

> but $_SERVER['SCRIPT_NAME'] can be trusted.

What about $_SERVER['REQUEST_URI']??

Debbie

darkfreaks Posted August 23, 2011

outputting htmlentities or htmlspecialchars around the output makes sure no one can inject XSS into your form. or in your case inject XSS attacks into your URL.

cssfreakie Posted August 23, 2011

edit: in addition to darkfreaks

debbie, use $_SERVER['SCRIPT_NAME']. REQUEST_URL has the exact same flaws.... it can be altered, and thus not be trusted as is.

> Hey, could you explain how htmlspecialchars() works??

BTW, I think I already explained what htmlspecialchars and htmlentities do in another topic yesterday. But here goes again. So pay attention.

Anything that comes from outside (user input), like $_POST, $_GET, $_COOKIE, but also REQUEST_URL etcetera, is subject to injection. In case you want to output stuff, you want to prevent that someone can inject, for instance, javascript in the browser. Run this in your browser to see a simple thing you don't want to allow your users:

    <script>alert('xss')</script>

If you look in the manual you will see (if you did) that htmlspecialchars and htmlentities will convert certain characters into html entities, in fact taking away their meaning.

So if you would run this

    // Double quotes on the outside so the inner single quotes do not end the string
    $string = "<script>alert('xss')</script>";
    echo $string;

you will get a pop up. If you run it through htmlspecialchars or htmlentities you won't. (why....? answer is already given)

    $string = "<script>alert('xss')</script>";
    echo htmlspecialchars($string);

Run this and then view your source (right-click, view source in your browser). You will see that, for instance, the < and the > are converted, making the javascript meaningless. In fact you can't call it javascript anymore.

Hope this helps. But as said earlier, read the security tutorial here at phpfreaks. It will help a lot.

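
The form-action case discussed in this post, as an added example that is not part of the original thread. The `$server` values are constructed to mimic a request for `/index.php` with extra path text appended, and `attr()` and `form()` are hypothetical helper names.

```php
<?php
// Constructed values: what PHP would report for a request to
// /index.php/"><script>alert('xss')</script>
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><script>alert(\'xss\')</script>',
];

// Escape for use inside an HTML attribute. ENT_QUOTES converts both
// double and single quotes; the charset is stated explicitly so it
// matches the encoding the page is served in.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: builds the opening tag of a self-posting form.
function form(string $action): string
{
    return '<form method="post" action="' . $action . '">';
}

$variants = [
    // Raw PHP_SELF: the quote closes the attribute and the tag follows it.
    'unsafe'  => form($server['PHP_SELF']),
    // Escaped PHP_SELF: same text, but it stays inside the attribute.
    'escaped' => form(attr($server['PHP_SELF'])),
    // SCRIPT_NAME: the appended path text never reaches the markup.
    'fixed'   => form(attr($server['SCRIPT_NAME'])),
];

foreach ($variants as $label => $html) {
    $live = strpos($html, '<script>') !== false ? 'yes' : 'no';
    printf("%-8s live <script> tag: %-3s  %s\n", $label, $live, $html);
}
```

Only the `unsafe` line reports a live tag; the other two differ in whether the appended text is kept as harmless attribute content or dropped altogether.
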
doubledee (Author) Posted August 23, 2011

> edit: in addition to darkfreaks
>
> debbie, use $_SERVER['SCRIPT_NAME'] REQUEST_URL has the exact same flaws.... it can be altered, and thus not be trusted as is.

Ewww... Don't say that!! I just got my script working?!

Umm... I need something like $_SERVER['REQUEST_URI']; because I need the Script Name + Query String!!

> > Hey, could you explain how htmlspecialchars() works??
>
> BTW, I think I already explained what htmlspecialchars and htmlentities do in another topic yesterday. But here goes again. So pay attention

I was being SARCASTIC!!!! (But your extra explanation was good reinforcement!!)

Debbie

P.S. Yes, I will read up more on these security issues as I have time and start to understand this stuff better. (After a week of asking a bizillion questions, I am slowly starting to get some of this...)

cssfreakie Posted August 23, 2011

> Umm... I need something like $_SERVER['REQUEST_URI']; because I need the Script Name + Query String!!

no you don't, append the article name to $_SERVER['SCRIPT_NAME']. This is PHP, you can do that.

    $var = $_SERVER['SCRIPT_NAME'].'/'.$articleid;

Small tip: just echo these $_SERVER variables out and see what they are. Like

    $_SERVER['PHP_SELF']
    $_SERVER['SCRIPT_NAME']
    $_SERVER['SCRIPT_FILENAME']
    $_SERVER['REQUEST_URL']

etc.

doubledee (Author) Posted August 23, 2011

> > Umm... I need something like $_SERVER['REQUEST_URI']; because I need the Script Name + Query String!!
>
> no you don't append the article name to $_SERVER['SCRIPT_NAME'] This is php you can do that.
>
>     $var = $_SERVER['SCRIPT_NAME'].'/'.$articleid;

So I can build my Return To Page like this??

    // Set Article Title.
    $articleTitle = $_GET['title'];

    $_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'] . '/' . $articleTitle;

Is that what you are saying?

And why exactly is it that some of these built in constants (??) are dangerous and others like the one you are pointing me towards are supposedly safe?!

Debbie

cssfreakie Posted August 23, 2011

> So I can build my Return To Page like this??
>
>     // Set Article Title.
>     $articleTitle = $_GET['title'];
>
>     $_SESSION['returnToPage'] = $_SERVER['SCRIPT_NAME'] . '/' . $articleTitle;
>
> Is that what you are saying?

Pretty much yes. Keep in mind though, the $_GET variable is user input, so make sure when you query a database to run it through the appropriate function.

> And why exactly is it that some of these built in constants (??) are dangerous and others like the one you are pointing me towards are supposedly safe?!

The moment someone can influence input it should be considered as unsafe (user input). And user input is not only a $_POST or $_GET variable. SCRIPT_NAME can not be influenced. To understand this, the only way is to test it out and read a lot (hence echo $_SERVER variables).

SCRIPT_NAME just uses the script name (which is always the same). PHP_SELF and REQUEST_URL can change all the time (and can be influenced on purpose, which is why you can't rely on them).

Just test it. Make a page with a form in it, as action use echo $_SERVER['PHP_SELF'], then append some weird stuff after your url like so:

    domain.com/index.php/someweirdstuff

If you press submit you can still see the /weirdstuff in your browser (which I typed myself), so nothing stops me from adding some javascript there.

So in a nutshell, any 'potential' user input can not be trusted.

But before you panic: first make sure the basic logic of your script stands. Afterwards let someone have a look at it if there might be security flaws.

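
One way to treat `$_GET['title']` as user input when fetching the ArticleID and saving the return path, as an added example that is not code from the thread. The table `article`, its `id` and `slug` columns, the 200-character limit, the in-memory SQLite data and the name `rememberArticle()` are assumptions; the `/articles/` prefix and the character class come from the rewrite rule posted earlier.

```php
<?php
// Constructed sample data: an in-memory SQLite table standing in for the articles table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, slug TEXT UNIQUE)');
$db->exec("INSERT INTO article (slug) VALUES ('postage-meters-can-save-you-money')");

/**
 * Validate the slug, look up the article, and record where to return to.
 * Returns the article ID, or null if the slug is malformed or unknown.
 */
function rememberArticle(PDO $db, $title, array &$session): ?int
{
    // Same character class as the RewriteRule. A direct request to
    // article.php?title=... never passes through the rewrite, and
    // title[]=x arrives as an array, so the check is repeated here.
    if (!is_string($title) || !preg_match('/\A[a-zA-Z0-9_-]{1,200}\z/', $title)) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text.
    $stmt = $db->prepare('SELECT id FROM article WHERE slug = :slug');
    $stmt->execute([':slug' => $title]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;                      // well-formed but no such article
    }
    // Return path is a fixed prefix plus the validated slug,
    // not a copy of REQUEST_URI or PHP_SELF.
    $session['articleID']    = (int) $id;
    $session['returnToPage'] = '/articles/' . $title;
    return (int) $id;
}

$session = [];  // stands in for $_SESSION so the example runs from the CLI
$inputs  = ['postage-meters-can-save-you-money', 'no-such-article', "bad slug';--", ['x']];
foreach ($inputs as $input) {
    $id = rememberArticle($db, $input, $session);
    echo json_encode($input), ' => ', var_export($id, true), "\n";
}
print_r($session);  // only the first input leaves anything in the session
```

In article.php the call would take `$_GET['title'] ?? null` and `$_SESSION` after `session_start()`.
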
doubledee (Author) Posted August 23, 2011

> But before you panic. First make sure the basic logic of your script stands. Afterwards let someone have a look at it if there might be security flaws.

Expect a call from me soon...

Debbie

cssfreakie Posted August 23, 2011

> > But before you panic. First make sure the basic logic of your script stands. Afterwards let someone have a look at it if there might be security flaws.
>
> Expect a call from me soon...
>
> Debbie

Okay, have a look at the attachment. I included a folder with page A, B and C. Although they are static, you can do the same with a database. Run that and press the buttons. Halfway, clear your cookies, refresh the page and do it again.

Hope it helps. Try to see the logic in it. It's just a simple thing. It's very easy to build a link with that as a back button.

[attachment deleted by admin]