Kaitosoto Posted February 18, 2007

So I have my script that takes a lot of variables like: http://www.mysite.com/script.php?id=6&pin=7654&desk=thisbigone I currently get variables with $_GET in the script, which I feel is very vulnerable to abuse, as users can type all that out in the address bar and change the id and pin to their advantage. My question is, how do I make it so that users cannot type all that out and execute the script in the browser address bar, and force them to have to click on a link that is on my site's index.php in order to execute that line of code?
ToonMariner Posted February 18, 2007

You can't - you can check the values passed, though, and make sure that they are what you expect - it's called validation.
tcollie Posted February 18, 2007

YOU CAN! Just check to make sure that the referring page is from a page within your site. If it is entered directly into the address bar, then re-direct them to an error page. I use this technique in my online game that I'm building to keep people from typing in info and taking certain shortcuts. So for instance, let's say that your script.php file is linked to from your index page and other links within your site. If they click any link on your page, it sets a referring page that you can get using a php script and compare the referring link to your site base (i.e., mysite.com). If the referring page isn't from your site, redirect to an error page. If the referring page is from your site, then let them continue. Does that make any sense? Here is the part of my code that does this.

$root = 'localhost';
$webserver = apache_request_headers();
// The Referer header may be absent, so default to an empty string instead of reading an undefined index
$referer = $webserver['Referer'] ?? '';
// eregi() was removed in PHP 7; stripos() does the same case-insensitive substring test
if (stripos($referer, $root) === false) {
    // Re-direct
    header('Location: forbidden.php');
    exit; // stop here, otherwise the rest of the page still executes after the redirect header is sent
} else {
    // Allow entry to site
}

One thing to remember, though, is this. Only include this on pages where you don't want people to access via direct links, such as bookmarks.
roopurt18 Posted February 18, 2007

@tcollie, so what happens if the user is logged in and on a page within the site and types the information into the address bar? The referrer will be within the site, and they will have done exactly what the OP didn't want. As ToonMariner pointed out, validate the data before you use it.
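The validation that ToonMariner and roopurt18 recommend, applied to the exact query string from the original post, as an added example that is not code from any poster in this thread. It assumes a constructed in-memory record table standing in for the real database, and that the logged-in user's id is kept server-side in the session (passed in here as $sessionUserId) rather than trusted from the URL.

```php
<?php
// Added example: validate and authorize script.php?id=6&pin=7654&desk=thisbigone
// on the server instead of trusting the Referer header, which any client can set or omit.

// Constructed stand-in for the real database: id => [pin, desks this id may use].
const RECORDS = [
    6 => ['pin' => '7654', 'desks' => ['thisbigone', 'smallone']],
    7 => ['pin' => '1111', 'desks' => ['smallone']],
];

/**
 * Returns ['id' => int, 'desk' => string] on success, or an error string.
 * $sessionUserId is the id stored server-side at login (assumed); the URL's id
 * must match it so editing the address bar cannot act on another user's record.
 */
function validate_request(array $get, int $sessionUserId)
{
    // 1. Syntactic checks: each parameter must have the expected shape.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'invalid id';
    }
    $pin = $get['pin'] ?? '';
    if (!is_string($pin) || !preg_match('/^\d{4}$/', $pin)) {
        return 'invalid pin';
    }
    $desk = $get['desk'] ?? '';
    if (!is_string($desk) || !preg_match('/^[a-z0-9_-]{1,32}$/i', $desk)) {
        return 'invalid desk';
    }

    // 2. Authorization: the id must belong to the logged-in user, not merely exist.
    if ($id !== $sessionUserId) {
        return 'id does not match logged-in user';
    }
    $record = RECORDS[$id] ?? null;
    if ($record === null) {
        return 'unknown id';
    }
    // Constant-time comparison so timing does not reveal how many digits matched.
    if (!hash_equals($record['pin'], $pin)) {
        return 'wrong pin';
    }
    // 3. Whitelist: desk must be one this record is allowed to use.
    if (!in_array($desk, $record['desks'], true)) {
        return 'desk not permitted for this id';
    }
    return ['id' => $id, 'desk' => $desk];
}

// Sample calls with constructed input (no real request involved):
var_dump(validate_request(['id' => '6', 'pin' => '7654', 'desk' => 'thisbigone'], 6)); // array
var_dump(validate_request(['id' => '7', 'pin' => '1111', 'desk' => 'smallone'], 6));   // id mismatch
var_dump(validate_request(['id' => '6', 'pin' => '0000', 'desk' => 'thisbigone'], 6)); // wrong pin
```

Because every check runs against server-side state, it makes no difference whether the request came from a link on index.php or was typed into the address bar.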