Do I need to sanitize a dynamic URL?

[DoubleDee]

I have added the concept of "Sections" to my website, and when my Article Listing script (i.e. "articles/index.php") runs for a selected Section, it dynamically creates a URL for every Article in the Section like this...

http://local.debbie/finance/articles/postage-meters-can-save-you-money

...where the Section is really just "cosmetic".


The actual Ugly URL would be something like this...

http://local.debbie/articles/article.php?slug=postage-meters-can-save-you-money


Now on to my problem...


Recently I discovered that a user can go in and modify the URL above to something like this...

http://local.debbie/BOGUS_SECTION/articles/postage-meters-can-save-you-money

...which kind of freaks me out?!

Ironically, my "articles/article.php" script still runs fine, because it is really just keying off of the "Article Slug" to go query the database and find the actual Article. But this still seems like a hole that needs fixing?!

So, what should I do here?

My "articles/article.php" script was written before I added the concept of "Sections", and so it doesn't do an Validation/Sanitizing of the "Section" part of the URL.

I'm not exactly sure the best way to fix this...

Suggestions??

Thanks,


Debbie

[logic_earth]

If you don't actually get the "section" within the script (because mod_rewrite doesn't send it) then there is nothing to do, no hole to fix.

One only needs to validate, filter, sanitize things that you use from the user input. If you never touch it within your code then you don't need to do anything with it.

[DoubleDee]

If you don't actually get the "section" within the script (because mod_rewrite doesn't send it) then there is nothing to do, no hole to fix.

One only needs to validate, filter, sanitize things that you use from the user input. If you never touch it within your code then you don't need to do anything with it.

I am wondering if the way I am going about all of this is hokey?!

When a user clicks on some navigation tab (e.g. "Finance"), then my "articles/index.php" script uses a $_GET['section'] to query the database for all Articles in that chosen Section.

With some Articles in hand, down in the HTML part of that script, I have this code which dynamically generates the URL's for each Article...

PHP Code:

    <!-- ARTICLE LISTING -->
    <div id="boxArticleIndex">
        <h2><?php echo $sectionName; ?> Articles</h2>

        <?php
            // ******************************************
            // Display Article-Summaries for a Section.    *
            // ******************************************
            while (mysqli_stmt_fetch($stmt1)){
                // Format Published On.
                $publishedOn = date('F j, Y', strtotime($publishedOn));

                // (e.g. "local.debbie/finance/articles/postage-meters-can-save-you-money")
                $articleURL = generateArticleURL($sectionSlug, $articleSlug);

                $summary = str_replace('{url}', $articleURL, $summary);

                echo "<div class='articleSummary'>
                        <h3>$heading</h3>
                        <a href='" . $articleURL . "'>$image</a>
                        <div class='date'>Published: $publishedOn</div>
                        $summary
                    </div>";
            }
        ?>

So for my "articles/index.php" script, I am using $_GET['section'].

However, the minute a user clicks on a link like this...

http://local.debbie/finance/articles/postage-meters-can-save-you-money

...my "articles/article.php" script fires, which is an Article Template.

In my .htaccess, I have this code...

Code:

#PRETTY:		articles/postage-meters-can-save-you-money
#UGLY:			articles/article.php?slug=postage-meters-can-save-you-money

#Rewrite only if the request is not pointing to a real file (e.g. add_comment.php, index.php).
RewriteCond %{REQUEST_FILENAME} !-f

#Match any kind of slug.  PHP will decide if it's valid or not.
RewriteRule articles/(.+)$ articles/article.php?slug=$1 [L]

So I am taking the "dynamic" Article URL, and parsing it up so the "Article Slug" is assigned to "?slug=", but my mod_rewrite does NOT do anything with the "faux Section", and that brings us to the current discussion...

It seems to me that I need a way to validate the "Section" in the URL when my "articles/article.php" script loads, right?



Debbie

[JamesColin]

no you don't need since the only problem would be to put something in the url in order to try to modify/hack what your script is doing with that modified part.
But since your script doesn't use this part of the url, then no hack is possible, so you're fine.

But yes, you should sanitize whatever GET parameters you take in your script, so in article.php it would be slug and in index.php it would be section.