Piba Posted November 11, 2007 Share Posted November 11, 2007 Hello everyone, I have a question...If i have a site,for example www.mysite.com/index.php How can i prevent users from editing or typing in the url (for security)?? So, if the user wish to enter www.mysite.com/index.php?....... the browser will not accept any other word more than www.mysite.com/index.php Does anyone know?? Please i need it :'( :'( Thanks Piba Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/ Share on other sites More sharing options...
trq Posted November 11, 2007 Share Posted November 11, 2007 You cannot stop a user typing in the address bar of there browser. It is after all, there browser. You might want to elaberate on exactly what it is you want to achieve. Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389008 Share on other sites More sharing options...
MadTechie Posted November 11, 2007 Share Posted November 11, 2007 You can't stop them typing.. i think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check its set on the next) Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389010 Share on other sites More sharing options...
PHP_PhREEEk Posted November 11, 2007 Share Posted November 11, 2007 For the truly paranoid... unset($_POST); unset($_GET); at the top of index.php will void anything sent into your script from a browser. PhREEEk Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389014 Share on other sites More sharing options...
Piba Posted November 11, 2007 Author Share Posted November 11, 2007 You cannot stop a user typing in the address bar of there browser. It is after all, there browser. You might want to elaberate on exactly what it is you want to achieve. Hi...Actually i want to prevent the sql injection in the url.. So, i think if there is a way to prevent the user from typing or editing the url!!!!!!!!!! Any way thanks ----- You can't stop them typing.. i think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check its set on the next) Hi MadTechie.. Thanks for replying, but can you give me an example for that?? ----- For the truly paranoid... unset($_POST); unset($_GET); at the top of index.php will void anything sent into your script from a browser. PhREEEk Hi, I'll try this way Thanks bro Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389038 Share on other sites More sharing options...
redbullmarky Posted November 11, 2007 Share Posted November 11, 2007 injecting stuff into SQL/pages, etc is only an issue if you're actually USING post/get data. so unsetting it completely as suggested by PHP_PhREEEk would not be of much use, as you wouldnt be able to use it. you should have an idea of what format you expect input to be, so just check the input and make sure it's as expected. take a look at preg_match(), mysql_real_escape_string(), etc as a couple of functions that can be useful in checking/filtering user input, in addition to your usual if/else, etc. the rule of thumb is don't trust ANYTHING from get/post/cookie. my rules of thumb: 1, check/filter input using if,'s, else's, preg_match's, etc - reject anything slightly dodgy. 2, use mysql_real_escape_string on items before putting them in database 3, use htmlspecialchars if outputputting user inputted data to the screen to prevent XSS - a good example being where you're repopulating a form with data user has entered. (like a contact/registration form with errors) there's a fair bit to it, and you could do worse than look into this type of things very carefully. security is not something that should be taken lightly or overlooked in the slightest. hope that helps. Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389045 Share on other sites More sharing options...
PHP_PhREEEk Posted November 11, 2007 Share Posted November 11, 2007 injecting stuff into SQL/pages, etc is only an issue if you're actually USING post/get data. so unsetting it completely as suggested by PHP_PhREEEk would not be of much use, as you wouldnt be able to use it. Absolutely. But many of the solutions we are asked to provide are 'useless'. Breaking people's erroneous perceptions becomes tedious and argumentative. People believe what they believe at any given time, and only over time will they accept a new idea to replace a misunderstood one. So if it makes a new programmer feel more secure to unset unused submitted variables, I'll tell them how... hehe I've run into scripts where the author grabs the submitted variables he is expecting, then unsets the rest of them. Why? Who knows... it's just a perception that doing SOMETHING is better than nothing, even if that thinking is flawed. This is rampant with security issues, because it's so hard for a programmer to feel his code is secure. It quickly boils down to hauling out the ol' shotgun, and pray for the best... Regards, PhREEEk Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389055 Share on other sites More sharing options...
MadTechie Posted November 11, 2007 Share Posted November 11, 2007 You can't stop them typing.. i think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check its set on the next) Hi MadTechie.. Thanks for replying, but can you give me an example for that?? Quick example, <?php session_start(); $key = rand(1000,99999); $_SESSION['access'] = $key; echo "<a href=\"page2.php?access=$key\">link</a>"; ?> <?php session_start(); if($_GET['access'] != $_SESSION['access']) { echo "No Access"; exit; } session_destroy(); ?> welcome if you goto direct to page2.php it will say no access, if you click the link on page1.php it will goto page2.php and say welcome .. but if you refresh page2.php it will fail again. you can change this depends on the need of course with a login system your check the access right but for a page with a link, EDIT: as for injection read redbullmarky's post.. Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389073 Share on other sites More sharing options...
Piba Posted November 12, 2007 Author Share Posted November 12, 2007 injecting stuff into SQL/pages, etc is only an issue if you're actually USING post/get data. so unsetting it completely as suggested by PHP_PhREEEk would not be of much use, as you wouldnt be able to use it. you should have an idea of what format you expect input to be, so just check the input and make sure it's as expected. take a look at preg_match(), mysql_real_escape_string(), etc as a couple of functions that can be useful in checking/filtering user input, in addition to your usual if/else, etc. the rule of thumb is don't trust ANYTHING from get/post/cookie. my rules of thumb: 1, check/filter input using if,'s, else's, preg_match's, etc - reject anything slightly dodgy. 2, use mysql_real_escape_string on items before putting them in database 3, use htmlspecialchars if outputputting user inputted data to the screen to prevent XSS - a good example being where you're repopulating a form with data user has entered. (like a contact/registration form with errors) there's a fair bit to it, and you could do worse than look into this type of things very carefully. security is not something that should be taken lightly or overlooked in the slightest. hope that helps. Hi redbullmarky, yes i'm using $_POST & $_GET And i'm already using mysql_real_escape_string Thanks alot bro for all advises you gave them to me :) ----- injecting stuff into SQL/pages, etc is only an issue if you're actually USING post/get data. so unsetting it completely as suggested by PHP_PhREEEk would not be of much use, as you wouldnt be able to use it. Absolutely. But many of the solutions we are asked to provide are 'useless'. Breaking people's erroneous perceptions becomes tedious and argumentative. People believe what they believe at any given time, and only over time will they accept a new idea to replace a misunderstood one. So if it makes a new programmer feel more secure to unset unused submitted variables, I'll tell them how... hehe I've run into scripts where the author grabs the submitted variables he is expecting, then unsets the rest of them. Why? Who knows... it's just a perception that doing SOMETHING is better than nothing, even if that thinking is flawed. This is rampant with security issues, because it's so hard for a programmer to feel his code is secure. It quickly boils down to hauling out the ol' shotgun, and pray for the best... Regards, PhREEEk Hi PHP_PhREEEk, unset $_POST & unset $_GET will help :) Thanks for replying ------ You can't stop them typing.. i think you want to stop them accessing a URL directly.. maybe use sessions (set on one page and check its set on the next) Hi MadTechie.. Thanks for replying, but can you give me an example for that?? Quick example, <?php session_start(); $key = rand(1000,99999); $_SESSION['access'] = $key; echo "<a href=\"page2.php?access=$key\">link</a>"; ?> <?php session_start(); if($_GET['access'] != $_SESSION['access']) { echo "No Access"; exit; } session_destroy(); ?> welcome if you goto direct to page2.php it will say no access, if you click the link on page1.php it will goto page2.php and say welcome .. but if you refresh page2.php it will fail again. you can change this depends on the need of course with a login system your check the access right but for a page with a link, EDIT: as for injection read redbullmarky's post.. Hi MadTechie, Thanks alot bro for quick replying, and explaination That's will help me :) see ya Quote Link to comment https://forums.phpfreaks.com/topic/76837-how-can-i-prevent-users-from-typing-in-the-url/#findComment-389668 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.