chanchelkumar, Posted October 9, 2007
Hi Friends, I am trying with a social network site... I want to disable the values in the address bar which are passed as string variables. My pages are included in the index page, and my values are passed like that... By changing the values in the address bar my page changes. How can I solve this issue? I think anyone can change my site using this address bar. How could I prevent this??? Help me...
Link to comment: https://forums.phpfreaks.com/topic/72428-solved-how-to-disable-the-values-in-address-bar/

Aureole, Posted October 9, 2007
Post some code... I have no idea what you're talking about.

chanchelkumar (Author), Posted October 9, 2007
Suppose this is my URL: http://node5/communitywebsite/index.php?page=profile&usrid=80
This is appearing in my address bar.... I can change my page by changing this page and usrid... I want to hide this one.

Aureole, Posted October 9, 2007
That's the way it works... you can't really hide $_GET['id']... don't you want people to be able to change the page and profile id?

chanchelkumar (Author), Posted October 9, 2007
Hi Aureole.... But I want it only through the user side, not through the address bar (manually).... In this way a third party can hack my page using this address bar... (For ex: if the page id=controlpage and id=my id)

MasterACE14, Posted October 9, 2007
You're using a switch statement for this, right? Like this? $_GET['page'] and then you have a switch statement to display the correct page?

chanchelkumar (Author), Posted October 9, 2007
I am using $_REQUEST['page'].....

btherl, Posted October 9, 2007
Have you looked at sessions? With those, you can store the user id on the server instead of in $_GET.

chanchelkumar (Author), Posted October 9, 2007
I am using a session for storing the userid.. but it will show when I submit my changes?? With that the id will be displayed in the address bar....

chanchelkumar (Author), Posted October 12, 2007
Anyone here to help me?

btherl, Posted October 13, 2007
The problem of people changing the address bar is solved by checking the values they submit and verifying them. There's no easy way around that.
If you want to avoid showing the values in the address bar then you can use post instead of get. But that provides no additional security. You must still verify the values.

chanchelkumar (Author), Posted October 13, 2007
Well, but how could I disable a link which is called through <a href= www.mysite.com/index.php?page=mypage&usid=44></a>
My problem is that a user, say 44, can access 48's page only by changing this usid in the address bar. How to solve this???

d22552000, Posted October 13, 2007
Since he is using $_REQUEST, this is POST and GET. Change ALL your forms to submit to POST instead of GET ... <form method="POST" ...

smithygotlost, Posted October 13, 2007
You could always cheat: rather than giving them all that in the address bar, why don't you put a frame over the top of it?!? So that people go to http://www.YOURSITE.com and the frame inside loads the rest inside it? That way people would not see the under links. They could right click and copy link, but in the code below is something to stop that! Unfortunately, if you get someone who really wants to get to your site, it's possible, as with anything to do with computers.
Try this; call this your index.html

```html
<html>
<head>
<title> YOUR SITE NAME </title>
<script language="JavaScript">
<!--
var message="Sorry, that function is disabled.\nThis Page Copyrighted and\nImages and Text protected!\nALL RIGHTS RESERVED";
// Don't edit below!
function click(e) {
  if (document.all) {
    if (event.button == 2) {
      alert(message);
      return false;
    }
  }
  if (document.layers) {
    if (e.which == 3) {
      alert(message);
      return false;
    }
  }
}
if (document.layers) {
  document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=click;
// -->
</script>
</head>
<body>
<iframe width="100%" height="100%" frameborder=no src="<---Change To Your Site Address--->" allowTransparency="true">
</iframe>
</body>
</html>
```

Give it a go! Should help you out.
Thanks, mike
P.S. If this doesn't work let me know, I'll work something out.

chanchelkumar (Author), Posted October 16, 2007
Thanks mike.... It works... Thank you for your help!!!!!!!!!!

smithygotlost, Posted October 16, 2007
YAY I did something right

thebadbad, Posted October 16, 2007
I see your problem is 'solved', but I have to suggest you use Apache's mod_rewrite, IF your server is an Apache of course. When I code my sites I normally have my index.php serving all pages (like you), i.e. index.php?page=blog etc. I then use mod_rewrite to 'hide' the file name and query string, thus having URLs like http://example.com/blog/. That's one of your problems solved. Read this article to get started with rewriting URLs: http://www.yourhtmlsource.com/sitemanagement/urlrewriting.html.
Like people are suggesting, you should verify your query strings, only allowing the pages that actually output stuff. I use a simple array of allowed pages, and then check if the query string in question is part of that array, like this:

```php
<?php
// Pages that index.php is allowed to serve
$page_array = array("blog", "and", "the", "rest", "of", "pages");
// A missing ?page= counts as not found instead of raising a notice
$page = isset($_GET['page']) ? $_GET['page'] : '';
// Strict comparison: only an exact string match is accepted
if (in_array($page, $page_array, true)) {
    $page_exists = "TRUE";
} else {
    $page_exists = "FALSE";
}
?>
```

And then I output my 404 error message if $page_exists = "FALSE".
You could also send users to another page if the query string is not in the array of allowed pages, and make sure that php stops executing code, like this:

```php
<?php
$page_array = array("blog", "and", "the", "rest", "of", "pages");
$page = isset($_GET['page']) ? $_GET['page'] : '';
if (!in_array($page, $page_array, true)) {
    header("Location: URLTOPAGE");
    exit;
}
?>
```

Remember that headers have to be sent before anything else, so this code snippet needs to be at the very top of your index.php.
Hope I could help, or at least give you some ideas!

NixNod, Posted October 17, 2007
You can simply verify if the page that the user is on is the same as the one in the user's session, e.g.:

```php
<?php
//...
// session_start() must already have been called so that $_SESSION is populated
if (!isset($_GET['id'], $_SESSION['id']) || (string) $_GET['id'] !== (string) $_SESSION['id']) {
    die('You are trying to cheat you little bastard');
}
//YOUR PROTECTED PAGE CODE HERE
//...
?>
```

I think it is the best and more secure way to pass data through a GET URL without people cheating your code.

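An added example (not code from any poster in this thread) of the server-side checks btherl, thebadbad and NixNod describe, put together in one place: the page name is checked against an allow-list, and owner-only pages take the user id from the session instead of the request. The page names, the `route()` function and the sample requests are assumptions made for illustration, including the assumption that viewing another user's profile is allowed while editing it is not.

```php
<?php
// Added example: page names, route() and the requests below are constructed for illustration.
const ALLOWED_PAGES    = ['profile', 'editprofile', 'blog']; // assumed page names
const OWNER_ONLY_PAGES = ['editprofile'];                    // act on the logged-in user only

/**
 * Decide what index.php does with one request.
 * $params is $_GET or $_POST (the checks are the same), $session is $_SESSION.
 * Returns [HTTP status, page to include or null, user id the page acts on or null].
 */
function route(array $params, array $session): array
{
    $page = $params['page'] ?? '';
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return [404, null, null];          // not on the allow-list: never include() it
    }
    if (!isset($session['usrid'])) {
        return [401, null, null];          // no logged-in user
    }
    $me = (int) $session['usrid'];
    if (in_array($page, OWNER_ONLY_PAGES, true)) {
        // The id comes from the session; a usrid in the request is ignored.
        return [200, $page, $me];
    }
    // Read-only pages may show another user, but the id must be plain digits.
    $raw = $params['usrid'] ?? (string) $me;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return [400, null, null];
    }
    return [200, $page, (int) $raw];
}

// Constructed requests; user 44 is logged in.
$session  = ['usrid' => 44];
$requests = [
    'own profile'                => ['page' => 'profile',     'usrid' => '44'],
    'view 48 (read-only page)'   => ['page' => 'profile',     'usrid' => '48'],
    'edit with usrid changed'    => ['page' => 'editprofile', 'usrid' => '48'],
    'page not on the allow-list' => ['page' => 'controlpage', 'usrid' => '44'],
    'non-numeric usrid'          => ['page' => 'profile',     'usrid' => '44abc'],
];
foreach ($requests as $label => $params) {
    [$status, $page, $target] = route($params, $session);
    printf("%-28s -> %d %s %s\n", $label, $status, $page ?? '-', $target ?? '-');
}
```

The result is the same whether the parameters arrive in the query string or in a POST body, which is why hiding them from the address bar does not replace the check.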