  1. #1
    DoubleDee

    Do I need to sanitize a dynamic URL?

    I have added the concept of "Sections" to my website, and when my Article Listing script (i.e. "articles/index.php") runs for a selected Section, it dynamically creates a URL for every Article in the Section like this...

    http://local.debbie/finance/articles/postage-meters-can-save-you-money

    ...where the Section is really just "cosmetic".


    The actual Ugly URL would be something like this...

    http://local.debbie/articles/article.php?slug=postage-meters-can-save-you-money


    Now on to my problem...


    Recently I discovered that a user can go in and modify the URL above to something like this...

    http://local.debbie/BOGUS_SECTION/articles/postage-meters-can-save-you-money

    ...which kind of freaks me out?!

    Ironically, my "articles/article.php" script still runs fine, because it is really just keying off of the "Article Slug" to go query the database and find the actual Article. But this still seems like a hole that needs fixing?!

    So, what should I do here?

    My "articles/article.php" script was written before I added the concept of "Sections", and so it doesn't do any Validation/Sanitizing of the "Section" part of the URL.

    I'm not exactly sure the best way to fix this...

    Suggestions??

    Thanks,


    Debbie

  2. #2
    logic_earth
    If you don't actually get the "section" within the script (because mod_rewrite doesn't send it) then there is nothing to do, no hole to fix.

    One only needs to validate, filter, sanitize things that you use from the user input. If you never touch it within your code then you don't need to do anything with it.
  3. #3
    DoubleDee
    Quote Originally Posted by logic_earth
    If you don't actually get the "section" within the script (because mod_rewrite doesn't send it) then there is nothing to do, no hole to fix.

    One only needs to validate, filter, sanitize things that you use from the user input. If you never touch it within your code then you don't need to do anything with it.
    I am wondering if the way I am going about all of this is hokey?!

    When a user clicks on some navigation tab (e.g. "Finance"), then my "articles/index.php" script uses a $_GET['section'] to query the database for all Articles in that chosen Section.

    With some Articles in hand, down in the HTML part of that script, I have this code which dynamically generates the URLs for each Article...

    PHP Code:
    <!-- ARTICLE LISTING -->
    <div id="boxArticleIndex">
        <h2><?php echo $sectionName?> Articles</h2>

        <?php
            // ******************************************
            // Display Article-Summaries for a Section.  *
            // ******************************************
            while (mysqli_stmt_fetch($stmt1)){
                // Format Published On.
                $publishedOn = date('F j, Y', strtotime($publishedOn));

                // (e.g. "local.debbie/finance/articles/postage-meters-can-save-you-money")
                $articleURL = generateArticleURL($sectionSlug, $articleSlug);

                $summary = str_replace('{url}', $articleURL, $summary);

                echo "<div class='articleSummary'>
                        <h3>$heading</h3>
                        <a href='" . $articleURL . "'>$image</a>
                        <div class='date'>Published: $publishedOn</div>
                        $summary
                    </div>";
            }
        ?>
    </div>
    So for my "articles/index.php" script, I am using $_GET['section'].

    However, the minute a user clicks on a link like this...

    http://local.debbie/finance/articles/postage-meters-can-save-you-money

    ...my "articles/article.php" script fires, which is an Article Template.

    In my .htaccess, I have this code...

    Code:
    #PRETTY:		articles/postage-meters-can-save-you-money
    #UGLY:			articles/article.php?slug=postage-meters-can-save-you-money
    
    #Rewrite only if the request is not pointing to a real file (e.g. add_comment.php, index.php).
    RewriteCond %{REQUEST_FILENAME} !-f
    
    #Match any kind of slug.  PHP will decide if it's valid or not.
    RewriteRule articles/(.+)$ articles/article.php?slug=$1 [L]
    So I am taking the "dynamic" Article URL, and parsing it up so the "Article Slug" is assigned to "?slug=", but my mod_rewrite does NOT do anything with the "faux Section", and that brings us to the current discussion...

    It seems to me that I need a way to validate the "Section" in the URL when my "articles/article.php" script loads, right?



    Debbie

  4. #4
    JamesColin
    No, you don't need to, since the only problem would be to put something in the URL in order to try to modify/hack what your script is doing with that modified part.
    But since your script doesn't use this part of the url, then no hack is possible, so you're fine.

    But yes, you should sanitize whatever GET parameters you take in your script, so in article.php it would be slug and in index.php it would be section.
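One way to do what the replies suggest for "articles/article.php", as an added example that is not Debbie's code: the slug (the only parameter the script actually uses) is validated before it reaches SQL, and the section is compared against the article's real section only if the RewriteRule is later changed to pass it along (e.g. ?section=$1&slug=$2). findArticle() and its data are a constructed stand-in for the mysqli prepared-statement query; the table and column names are assumed.

```php
<?php
// Added example, not code from the thread. Validates $_GET['slug'] before
// any database access and, when a section is passed in as well, redirects
// a mismatched cosmetic section to the canonical URL instead of trusting it.

// Slugs on this site look like "postage-meters-can-save-you-money":
// lowercase letters and digits joined by single hyphens, bounded length.
function isValidSlug(string $slug): bool
{
    return strlen($slug) <= 100
        && preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug) === 1;
}

// Stand-in for "SELECT section_slug, heading FROM articles WHERE slug = ?"
// (assumed table and columns; the row below is constructed sample data).
function findArticle(string $slug): ?array
{
    $rows = [
        'postage-meters-can-save-you-money' =>
            ['section' => 'finance', 'heading' => 'Postage Meters Can Save You Money'],
    ];
    return $rows[$slug] ?? null;
}

// The article's real section always wins over whatever was typed in the URL.
function canonicalPath(array $article, string $slug): string
{
    return '/' . $article['section'] . '/articles/' . $slug;
}

$slug = $_GET['slug'] ?? '';
if (!is_string($slug) || !isValidSlug($slug)) {   // not a plain slug: 404
    http_response_code(404);
    exit('Not found');
}

$article = findArticle($slug);
if ($article === null) {
    http_response_code(404);
    exit('Not found');
}
// Present only if the rewrite rule captures the section; null otherwise.
$requestedSection = $_GET['section'] ?? null;
if (is_string($requestedSection) && $requestedSection !== $article['section']) {
    header('Location: ' . canonicalPath($article, $slug), true, 301);
    exit;
}
echo htmlspecialchars($article['heading'], ENT_QUOTES, 'UTF-8');
```

With the .htaccess rule as posted, $_GET['section'] is never set, so the redirect branch is simply skipped and only the slug check applies.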

