Piba Posted November 11, 2007 Hello everyone, I have a question... If I have a site, for example www.mysite.com/index.php, how can I prevent users from editing or typing in the URL (for security)? So, if the user wishes to enter www.mysite.com/index.php?....... the browser will not accept any other word more than www.mysite.com/index.php. Does anyone know? Please, I need it :'( :'( Thanks, Piba
trq Posted November 11, 2007 You cannot stop a user typing in the address bar of their browser. It is, after all, their browser. You might want to elaborate on exactly what it is you want to achieve.
MadTechie Posted November 11, 2007 You can't stop them typing.. I think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check it's set on the next)
PHP_PhREEEk Posted November 11, 2007 For the truly paranoid... unset($_POST); unset($_GET); at the top of index.php will void anything sent into your script from a browser. PhREEEk
Piba Posted November 11, 2007 Author You cannot stop a user typing in the address bar of their browser. It is, after all, their browser. You might want to elaborate on exactly what it is you want to achieve. Hi... Actually I want to prevent SQL injection in the URL.. So I think if there is a way to prevent the user from typing or editing the URL!!!!!!!!!! Anyway, thanks ----- You can't stop them typing.. I think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check it's set on the next) Hi MadTechie.. Thanks for replying, but can you give me an example for that? ----- For the truly paranoid... unset($_POST); unset($_GET); at the top of index.php will void anything sent into your script from a browser. PhREEEk Hi, I'll try this way. Thanks, bro
redbullmarky Posted November 11, 2007 Injecting stuff into SQL/pages, etc. is only an issue if you're actually USING post/get data, so unsetting it completely as suggested by PHP_PhREEEk would not be of much use, as you wouldn't be able to use it. You should have an idea of what format you expect input to be, so just check the input and make sure it's as expected. Take a look at preg_match(), mysql_real_escape_string(), etc. as a couple of functions that can be useful in checking/filtering user input, in addition to your usual if/else, etc. The rule of thumb is don't trust ANYTHING from get/post/cookie. My rules of thumb:
1. Check/filter input using if's, else's, preg_match's, etc. - reject anything slightly dodgy.
2. Use mysql_real_escape_string on items before putting them in the database.
3. Use htmlspecialchars if outputting user-inputted data to the screen to prevent XSS - a good example being where you're repopulating a form with data the user has entered (like a contact/registration form with errors).
There's a fair bit to it, and you could do worse than look into this type of thing very carefully. Security is not something that should be taken lightly or overlooked in the slightest. Hope that helps.
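The three rules of thumb above applied to a hypothetical user-profile page, as an added example that is not code from anyone in this thread. The table, rows and request values are constructed for the demo, an in-memory SQLite database stands in for MySQL, and a PDO prepared statement is used in place of mysql_real_escape_string (which no longer exists in PHP 7 and later) for the "keep data out of the SQL text" step.

```php
<?php
// Added example (not from the thread). Hypothetical profile page showing:
//   1. format check on input (preg_match), reject anything else
//   2. parameterised query instead of splicing data into SQL text
//   3. htmlspecialchars on anything user-supplied that goes back into HTML
// Database contents and request values below are constructed fixtures.

// Rule 1: accept only a plain positive integer of reasonable length.
function validate_user_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Rule 2: bind the value as a parameter; the SQL text never contains user data.
function find_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rule 3: escape before output so a stored name cannot inject markup.
function render_profile(array $user): string
{
    $name = htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8');
    return "<h1>Profile of {$name}</h1>";
}

// Ties the three steps together for one request ($get stands in for $_GET).
function handle_request(PDO $db, array $get): string
{
    $id = validate_user_id($get['id'] ?? null);
    if ($id === null) {
        return 'Bad request: id must be a positive integer';
    }
    $user = find_user($db, $id);
    if ($user === null) {
        return 'No such user';
    }
    return render_profile($user);
}

// Constructed fixture database (in-memory SQLite in place of MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, '<b>bob</b>')");

// Constructed request values in place of the real $_GET.
$requests = [
    ['id' => '1'],          // valid
    ['id' => '2'],          // valid; the stored name contains markup that gets escaped
    ['id' => '1 OR 1=1'],   // fails the format check before any SQL runs
    ['id' => 'abc'],        // likewise rejected
    [],                     // parameter missing entirely
];
foreach ($requests as $get) {
    echo handle_request($db, $get), PHP_EOL;
}
```

Run it with `php profile_demo.php`; the two valid ids render a heading, the second with `&lt;b&gt;bob&lt;/b&gt;` rather than live markup, and the other three requests are refused by the format check without the database ever seeing them. The format check is the part that does most of the work: once the id is known to be an integer, the prepared statement and the output escaping are belt-and-braces for the cases the check did not anticipate.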
PHP_PhREEEk Posted November 11, 2007 Injecting stuff into SQL/pages, etc. is only an issue if you're actually USING post/get data, so unsetting it completely as suggested by PHP_PhREEEk would not be of much use, as you wouldn't be able to use it. Absolutely. But many of the solutions we are asked to provide are 'useless'. Breaking people's erroneous perceptions becomes tedious and argumentative. People believe what they believe at any given time, and only over time will they accept a new idea to replace a misunderstood one. So if it makes a new programmer feel more secure to unset unused submitted variables, I'll tell them how... hehe. I've run into scripts where the author grabs the submitted variables he is expecting, then unsets the rest of them. Why? Who knows... it's just a perception that doing SOMETHING is better than nothing, even if that thinking is flawed. This is rampant with security issues, because it's so hard for a programmer to feel his code is secure. It quickly boils down to hauling out the ol' shotgun and praying for the best... Regards, PhREEEk
MadTechie Posted November 11, 2007 You can't stop them typing.. I think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check it's set on the next) Hi MadTechie.. Thanks for replying, but can you give me an example for that? Quick example,

page1.php:

<?php
session_start();
// generate a key, remember it in the session and embed it in the link to page2.php
$key = rand(1000, 99999);
$_SESSION['access'] = $key;
echo "<a href=\"page2.php?access=$key\">link</a>";
?>

page2.php:

<?php
session_start();
// refuse the request if no key was supplied or it does not match the one stored in the session
if (!isset($_GET['access'], $_SESSION['access']) || $_GET['access'] != $_SESSION['access']) {
    echo "No Access";
    exit;
}
// the key is single-use: destroying the session makes a refresh of page2.php fail
session_destroy();
?>
welcome

If you go directly to page2.php it will say no access; if you click the link on page1.php it will go to page2.php and say welcome.. but if you refresh page2.php it will fail again. You can change this depending on the need of course; with a login system you check the access rights, but for a page with a link, EDIT: as for injection read redbullmarky's post..
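The same "set a key on one page, check it on the next" idea with a stronger key and a constant-time comparison, as an added example that is not MadTechie's code. The session is modelled as a plain array so the script runs from the command line; in a real page the functions would be handed $_SESSION after session_start(). The function names and page names are this example's own.

```php
<?php
// Added example (not from the thread). Single-use access key passed from page 1 to
// page 2 via the session. Differences from the quick example above:
//   - random_bytes() instead of rand(): 128 bits, not guessable from a 5-digit range
//   - hash_equals() for the comparison, so timing does not leak how much matched
//   - the stored key is removed on the first check, so a refresh or re-used link fails
// $session is an array standing in for $_SESSION so this runs without a web server.

// Page 1: mint a key, remember it server-side, hand it back for the link.
function issue_access_key(array &$session): string
{
    $key = bin2hex(random_bytes(16));
    $session['access'] = $key;
    return $key;
}

// Page 1: build the link that carries the key to page2.php (hypothetical page name).
function build_link(string $key): string
{
    return '<a href="page2.php?access=' . rawurlencode($key) . '">link</a>';
}

// Page 2: accept only if a key was supplied and matches the stored one.
// The stored key is consumed whether or not the check succeeds.
function check_access_key(array &$session, ?string $provided): bool
{
    if ($provided === null || !isset($session['access'])) {
        return false;
    }
    $expected = $session['access'];
    unset($session['access']);
    return hash_equals($expected, $provided);
}

// Simulated flow with a constructed session array.
$session = [];

// Direct visit to page2.php with no key: refused.
var_dump(check_access_key($session, null));

// Visit page1.php, then follow its link: accepted.
$key = issue_access_key($session);
echo build_link($key), PHP_EOL;
var_dump(check_access_key($session, $key));

// Refresh page2.php with the same key: refused, the key has been consumed.
var_dump(check_access_key($session, $key));

// A key of the right length but wrong value never matches.
issue_access_key($session);
var_dump(check_access_key($session, str_repeat('0', 32)));
```

Note that this only ties page 2 to a prior visit to page 1 in the same session; it is a navigation guard, not authorisation. As redbullmarky's post says, whatever page 2 does with its own parameters still has to be validated and escaped, because the key says nothing about the rest of the query string.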
Piba Posted November 12, 2007 Author [quoting redbullmarky's post above] Hi redbullmarky, yes I'm using $_POST & $_GET and I'm already using mysql_real_escape_string. Thanks a lot, bro, for all the advice you gave me :) ----- [quoting PHP_PhREEEk's post above] Hi PHP_PhREEEk, unset $_POST & unset $_GET will help :) Thanks for replying ------ [quoting MadTechie's example above] Hi MadTechie, thanks a lot, bro, for the quick reply and explanation. That will help me :) See ya