  1. #1
    SitePoint Enthusiast
    Join Date
    Mar 2007
    Posts
    83

    Checking a location encode is safe

    I've created two functions to use on a site that uses a "send to" variable (like when you go to a logged-in-only page, which sends you to the log-in page with a GET variable of whatever that other page was, so when you log in it sends you back to the original page).

    PHP Code:
    /**
     * Encodes page and uri query information
     *
     * page_encode('search', array('key' => 'value', 'foo' => 'bar')) will return "search/key:value/foo:bar"
     *
     * @param string $page
     * @param array $arguements
     * @return string
     */
    function page_encode ($page, $arguements = array())
    {
        $array = array();
        $array[] = $page;
        if (!empty($arguements))
        {
            // Each argument becomes one "key:value" segment
            foreach ($arguements as $k => $v)
            {
                $array[] = $k.':'.$v;
            }
        }
        // urlencode() so the whole thing can sit inside a single GET variable
        return urlencode(implode('/', $array));
    }

    /**
     * Decodes page and uri query information to a usable location
     *
     * page_decode('search/key:value/foo:bar') will return "search.php?key=value&foo=bar"
     *
     * @param string $page
     * @return string
     */
    function page_decode ($page)
    {
        $part = explode('/', $page);
        $parts = count($part);
        $link = $part[0].'.php';
        if ($parts > 1)
        {
            $link .= '?';
            $arguements = array();
            // Segments after the first are "key:value" pairs
            for ($i = 1; $i < $parts; $i++)
            {
                $split = explode(':', $part[$i]);
                $arguements[] = $split[0].'='.$split[1];
            }
            $link .= implode('&', $arguements);
        }
        return $link;
    }

    But I want to create a function that will validate the 'sendto' value as safe.

    Not sure which way to go about it? What's most effective?

    If it's with regular expressions, I'm completely useless at them.
    Would it be effective and just as fast to explode the whole thing and check each part bit by bit rather than to create one complex regular expression for it?

    Basically I want to make sure there's no domain for anything on the page bit, and no file extension, then no dodgy stuff in the rest, and that it's all formed properly etc.

    Thanks! :)

    PS if you have any tips on improving the encode / decode functions that'd be wonderful! ^^
    Last edited by WakeMeWithAKiss; Jun 2, 2009 at 17:29. Reason: typo

  2. #2
    logic_earth
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    I haven't tried these just yet, but I'm confident they function as expected.
    PHP Code:
    function page_encode( $page, $args = array() )
    {
        // Build "key=value/key2=value2" (values URL-encoded by http_build_query),
        // then swap '=' for ':' to get the "key:value/key2:value2" form.
        $args = http_build_query( $args, 'flag_', '/' );
        $args = str_replace( '=', ':', $args );

        return $args === '' ? $page : "$page/$args";
    }

    function page_decode( $page )
    {
        // Split off the page name only; everything after the first '/' is the argument list.
        list( $page, $args ) = array_pad( explode( '/', $page, 2 ), 2, '' );
        $args = str_replace( array( '/', ':' ), array( '&', '=' ), $args );

        return $args === '' ? "$page.php" : "$page.php?$args";
    }

    As for validation, well that depends on what characters you want to allow.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    SitePoint Enthusiast
    Join Date
    Mar 2007
    Posts
    83
    Much simpler way of doing it than mine, thanks :P

    Well I want to block any links on the page side mainly, as it's going to be used in the code as:
    PHP Code:
    header('Location: '.page_decode($string)); 
    And I just want the rest to be anything normally allowed in the query part of the URI.
    Anything else I'd need for security's sake?
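    An added example, not code from anyone in this thread: a whitelist validator for the 'sendto' value that covers the requirements stated in post #1 and post #3 (no domain and no file extension on the page part, only query-style characters in the rest, everything well formed), written both as the explode-and-check-each-part approach and as the equivalent single regular expression so the two can be compared. It assumes the thread's own "page/key:value/key2:value2" format; the function names sendto_is_safe and sendto_is_safe_regex, the character limits, and the sample inputs are my own choices, and the inputs are constructed for the demonstration.

    ```php
    <?php
    // Added example (not from the thread). Validates a "sendto" value before it
    // is passed to page_decode() and on to header('Location: ...').
    // Assumed format (the thread's own): "page/key:value/key2:value2".

    /**
     * Part-by-part check: explode the value and test every piece against a
     * strict allow-list. Returns true only when everything passes.
     */
    function sendto_is_safe($sendto)
    {
        // Hard limits first: empty or oversized values are rejected outright.
        if (!is_string($sendto) || $sendto === '' || strlen($sendto) > 512) {
            return false;
        }
        // Control bytes (CR/LF/NUL) could smuggle extra headers through
        // header('Location: ...'); backslashes get normalised to '/' by some
        // browsers, so neither is allowed anywhere in the value.
        if (preg_match('/[\x00-\x1F\x7F\\\\]/', $sendto)) {
            return false;
        }
        $parts = explode('/', $sendto);
        // Page part: letters, digits, underscore and dash only. That rules out
        // a scheme ("http:"), a host, a leading "//", "..", and ".php".
        if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $parts[0])) {
            return false;
        }
        // Every remaining part must be "key:value" with a plain key and a value
        // built only from characters normally found in a query string.
        for ($i = 1, $n = count($parts); $i < $n; $i++) {
            $pair = explode(':', $parts[$i], 2);
            if (count($pair) !== 2) {
                return false;
            }
            if (!preg_match('/^[A-Za-z0-9_]{1,32}\z/', $pair[0])) {
                return false;
            }
            if (!preg_match('/^[A-Za-z0-9_.%+-]{0,128}\z/', $pair[1])) {
                return false;
            }
        }
        return true;
    }

    /**
     * The same rule expressed as one regular expression, for comparison.
     * \z (not $) is used so a trailing newline cannot slip past the anchor.
     */
    function sendto_is_safe_regex($sendto)
    {
        return is_string($sendto) && strlen($sendto) <= 512 && (bool) preg_match(
            '#^[A-Za-z0-9_-]{1,64}(/[A-Za-z0-9_]{1,32}:[A-Za-z0-9_.%+-]{0,128})*\z#',
            $sendto
        );
    }

    // Constructed sample inputs; the first three should be accepted, the rest rejected.
    $samples = array(
        'search/key:value/foo:bar',        // well-formed thread-style value
        'profile',                         // page only, no arguments
        'search/q:50%25+off',              // percent-encoded value is still query-safe
        'http://evil.example/phish',       // absolute URL: open redirect, rejected
        '//evil.example/phish',            // protocol-relative URL: rejected
        '../admin/login',                  // path traversal attempt: rejected
        'search.php/key:value',            // file extension on the page part: rejected
        "search\r\nSet-Cookie:x=1",        // header injection attempt: rejected
        'search/key',                      // malformed pair: rejected
    );

    foreach ($samples as $s) {
        printf("%-30s explode: %-6s regex: %s\n",
            addcslashes($s, "\r\n"),
            sendto_is_safe($s) ? 'safe' : 'unsafe',
            sendto_is_safe_regex($s) ? 'safe' : 'unsafe');
    }

    // Usage: never redirect to an unvalidated value; fall back to a fixed page.
    // $target = sendto_is_safe($sendto) ? page_decode($sendto) : 'index.php';
    // header('Location: ' . $target);
    ```

    Both functions accept and reject exactly the same inputs, so the choice between them is readability rather than safety; the explode version is easier to extend with per-key rules (for instance a numeric-only check on an id argument), while the regex version is a single line to audit. Whichever is used, the important part is that the value is checked against an allow-list of what a page name and query pair may look like, not against a list of known-bad strings, and that anything failing the check is replaced by a fixed default rather than passed to header().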

