How to detect URL extensions (like ?this=value) in PHP


Go to solution Solved by cataiin,

Hello, 

right now, I am making a PHP page and I want to know how to make PHP detect what I call 'URL or domain extensions'. 

 

For example,  if the URL is index.php?code=123 , 

  • The URL is 'index.php' and 
  • The extension is ?code=123

I want to get the '123' value from the 'code' prefix to a variable so I can use it for other things like

#import 123 to variable 'code'
echo "$code";

Please tell me how this happens. 

 

Thx. 

P.S. If my English is faulty please forgive me. 

cataiin has it correct on how to get the info from a URL... now, as for what each part of the URL is called, it is like this...

 

d11httpu.jpg

 

resource: http://docs.embarcadero.com/products/rad_studio/delphiAndcpp2009/HelpUpdate2/EN/html/devwin32/wserverpartsofauniformresourcelocator_xml.html

These "URL extensions" as you call them are named "query strings" and they are used to pass information whether it be to another file or directly to your CGI program of choice. They are very often used in web programming. 

 

To get the value of them, you use the $_GET super global array.

 

For example, if you have a URL www.example.com/blog.php?general=lee and you want to display the value of "general" you do this

echo $_GET['general'];

However, this approach will throw you a "Notice: Undefined index" when you first load the page before the query string has been appended, so it is better to first check whether the value of "general" has been set with the isset() function like this:

if(isset($_GET['general'])){
    echo $_GET['general'];
}

And this is not entirely correct either because the golden rule says you can never trust user input so you must always validate the value of the query string with the numerous functions for that, depending on what you need it for. Like if you are going to display that value, you'd need to escape it with htmlentities() or if you are going to compare it in a DB you need to make sure it does not contain malicious code for SQL injection and so on.

 

When you have like two values in the query string like this: www.example.com/blog.php?general=lee&years=53

 

You just ignore the "&" and get the values by accessing their names like the previous example:

echo $_GET['general'], ' ' , $_GET['years'];

Query strings are awesome, use them!

Edited by Stefany93
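The validation steps described in the post above (check the parameter exists, validate it, escape it for HTML, keep it out of SQL text), put together as an added example that is not part of the original thread. The parameter names come from the thread; the `officers` table, the helper names and the in-memory SQLite database (PDO with the SQLite driver) are assumptions made for illustration.

```php
<?php
// Constructed input standing in for a request to
// blog.php?general=<script>alert(1)</script>&years=53&code=12a
// (parse_str is only here so the script runs from the CLI).
parse_str('general=%3Cscript%3Ealert(1)%3C%2Fscript%3E&years=53&code=12a', $_GET);

// Hypothetical helper: integer parameter within [$min, $max]; null when missing or invalid.
function get_int(string $name, int $min, int $max): ?int
{
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return null; // absent, or an array such as ?years[]=1
    }
    $value = filter_var($_GET[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// Hypothetical helper: string parameter capped at $maxLen bytes; null when missing or too long.
function get_string(string $name, int $maxLen = 64): ?string
{
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return null;
    }
    return strlen($_GET[$name]) <= $maxLen ? $_GET[$name] : null;
}

$general = get_string('general');
$years   = get_int('years', 0, 150);
$code    = get_int('code', 0, 999999); // "12a" is not an integer, so this is null

// HTML context: escape at output time.
if ($general !== null) {
    echo 'General: ', htmlentities($general, ENT_QUOTES, 'UTF-8'), "\n";
}
echo 'Years: ', $years ?? 'invalid', "\n";
echo 'Code: ', $code ?? 'invalid', "\n";

// SQL context: bind the value as a parameter instead of building the query from it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE officers (name TEXT, years INTEGER)'); // hypothetical table
$db->exec("INSERT INTO officers VALUES ('lee', 53)");          // constructed sample row
$stmt = $db->prepare('SELECT name FROM officers WHERE years = :years');
$stmt->execute([':years' => $years]);
echo 'Matches: ', implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
```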

Query strings are far from awesome as some serious abuse can happen through them if they're not properly handled, e.g. if register_globals is not disabled (in older PHP versions, this is the case), but there can be some even more serious abuse through other exploits.


I respectfully disagree - it doesn't matter what method you choose for accepting user input; as long as the input is properly validated/sanitized, there is no problem. One should not avoid using query strings only because they are easily manipulated for evil. You know HTTP headers can also be tweaked for evil purposes, does that mean we should stop using HTTP?

 

Query strings are far from awesome as some serious abuse can happen through them if they're not properly handled, e.g. if register_globals is not disabled (in older PHP versions, this is the case), but there can be some even more serious abuse through other exploits.

 

In some cases a GET method is usable, in some cases less so. In my opinion POST and GET methods are equally safe if you've validated the data properly.

 

 

it doesn't matter what method you choose of accepting user input, as long as the input is properly validated/sanitized, then there is no problem.

 

@Stefi, you will save yourself a lot of pain in the ass if you use the POST method when you try to post sensitive data to the server.
