
  1. #1 brad62 (SitePoint Guru, sweden)

    When the link is correct

    Sometimes when I make websites I have a unique link, where the user is clicking (usually from an e-mail) and they end up at http://www.mypage.com/campaign.php?c...4jkiureeleWSac

    Then I can check the code and see that the user actually did go to the page and save things to my stats.
    But, sometimes I've noticed that users remove the last bit of code and then go to www.mypage.com/campaign.php
    I guess they remove the last part of the URL, since they don't want me to know that they were there or whatever.

    So, now I thought about making something to check that the code is actually there. If there is no code in the url, then they'll be redirected to a page saying that there is no page here. Or that they didn't enter the correct url or something like that.

    I guess people here have a great idea on how to make this or what I should think about when making it.

    If I have a table called tbl_user with fields for username, user_code

  2. #2 chris.upjohn (SitePoint Wizard, Melbourne, AU)
    I would simply check the $GLOBALS to see if such parameters as code exist then perform an action if it doesn't.

    PHP Code:
    if (!isset($_GET['code']) || (isset($_GET['code']) && !preg_match('/^[\w\d]+$/', $_GET['code']))) {
        // Do something here...
        exit;
    }


  3. #3 brad62 (SitePoint Guru, sweden)
    But, what if the user just puts anything else there? Like changing the code or whatever? Wouldn't it be better to check if the code is in the db in some way?

  4. #4 chris.upjohn (SitePoint Wizard, Melbourne, AU)
    Quote Originally Posted by brad62:
    But, what if the user just puts anything else there? Like changing the code or whatever? Wouldn't it be better to check if the code is in the db in some way?
    That is why I left the "//Do something here" comment there since I don't know what you're using to connect to the database.


    Sent from my iPhone using Tapatalk 2

  5. #5 brad62 (SitePoint Guru, sweden)
    So, your code is checking if there is something at all after the "code"?
    But isn't just the following enough to check that?

    PHP Code:
    if (!isset($_GET['code'])) {
        // Do something here...
        exit;
    }

    Or what about making a query that is looking for the code in the db.
    If there's no match, then just a header redirect?

    Or am I not getting it?

  6. #6 StarLion (Keeper of the SFL, Atlanta, GA, USA)
    His code reads as:

    If $_GET['code'] is not on the command line, OR $_GET['code'] is set and there is something other than 0-9, a-z, A-Z, or _ in $_GET['code'], you will "do something" (btw, Chris, \d would overlap entirely with \w, so it's redundant to have \d in there)
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  7. #7 brad62 (SitePoint Guru, sweden)
    But isn't it enough to ask the db if the code is in there. Otherwise do something, like showing another page? I don't get it.
    Because, if the code isn't correct, then they are not allowed anyway.

  8. #8 StarLion (Keeper of the SFL, Atlanta, GA, USA)
    That would work, but be careful to sanitize your input before you put it into a query (which, effectively, is what chris' regex does; it makes sure that the string is just letters and numbers (and underscores)).
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  9. #9 brad62 (SitePoint Guru, sweden)
    What is that? What else could someone input to make something else?

  10. #10 StarLion (Keeper of the SFL, Atlanta, GA, USA)
    Simple injection?

    if, instead of your code, they put... "'; TRUNCATE codes; SELECT * FROM codes where code = '"...

    and you stick it into your script like:

    $query = "SELECT * FROM codes WHERE code = '".$_GET['code']."'";

    your actual query string becomes...
    SELECT * FROM codes WHERE code = ''; TRUNCATE codes; SELECT * FROM codes where code = ''

    and then your data go boom.

    You never, ever, use variables the user could POSSIBLY TOUCH without sanitizing them, preferably also using prepared statements in your database implementation.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  11. #11 brad62 (SitePoint Guru, sweden)
    So, every time I have a code like that I need to check it before making a query?
    Is there a simple line I could add to my pages to do this without starting all over?

  12. #12 brad62 (SitePoint Guru, sweden)
    Oh, now I found something on that.

    So, maybe I should put a code like this on my pages where I'm asking for input?

    PHP Code:
    $page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);
    And then remove whatever is written before the .php

    Like this
    PHP Code:
    $page = substr($page, 20);
    Then I would get the things that are in the string, but not the first 19 (or whatever I need to have there).

  13. #13 brad62 (SitePoint Guru, sweden)
    If I use the sanitize like this:
    PHP Code:
    if (!isset($_GET['code']) || (isset($_GET['code']) && !preg_match('/^[\w\d]+$/', $_GET['code']))) {
        // If not correct I put a header redirection sending them to an error page.
        exit;
    }

    And then have this on the first landing page. Then I thought I could make a session to use for this user to follow them around on the following pages. Then I don't have to do this sanitize thing on following pages. Right?
    Or is there anything else I have to think about here? I'm all new to this.

  14. #14 Cups (SitePoint Wizard, France, deep rural.)
    Quote Originally Posted by brad62:
    Or is there anything else I have to think about here?
    What you are doing with this regex here is Filtering Input (part of FIEO - Filter Input Escape Output) - so yes, if you are not aware of FIEO then go and read up on it pronto.

    Quote Originally Posted by brad62:
    So, every time I have a code like that I need to check it before making a query?
    Is there a simple line I could add to my pages to do this without starting all over?
    Prior to building your sql query you should be doing the Escape Output part, by using PDO or Mysqli and their prepared statements to protect your db from the SQL injection attack described previously.
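Putting posts #8, #10 and #14 together, here is an added example (not code from the thread) of a campaign.php check that filters the code and then looks it up with a PDO prepared statement; the tbl_user/user_code names come from the first post, while the SQLite in-memory table, its rows and the campaignCodeIsValid function are constructed for this demo.

```php
<?php
// Added example, not code from the thread: validate ?code= the way posts #8, #10
// and #14 recommend (Filter Input, then a prepared-statement lookup).
// tbl_user / user_code come from post #1; the SQLite database and rows are constructed here.

function campaignCodeIsValid(PDO $db, ?string $code): bool
{
    // Filter Input: anything but letters, digits and underscore is rejected outright.
    if ($code === null || !preg_match('/^\w+$/', $code)) {
        return false;
    }
    // The value is bound as a parameter, never spliced into the SQL text, so a
    // payload such as "'; TRUNCATE ..." is compared as a literal string and matches nothing.
    $stmt = $db->prepare('SELECT COUNT(*) FROM tbl_user WHERE user_code = :code');
    $stmt->execute([':code' => $code]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed in-memory database standing in for the real tbl_user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_user (username TEXT, user_code TEXT)');
$db->exec("INSERT INTO tbl_user VALUES ('alice', 'a1b2c3'), ('bob', 'x9y8z7')");

$cases = [
    ['a1b2c3', true],   // code from the e-mail link
    [null, false],      // user stripped ?code= off the URL
    ['zzzzzz', false],  // well-formed but not in the table
    ["'; TRUNCATE tbl_user; SELECT * FROM tbl_user WHERE user_code = '", false], // post #10
];
foreach ($cases as [$code, $expected]) {
    $ok = campaignCodeIsValid($db, $code);
    printf("%-70s => %s\n", var_export($code, true), $ok ? 'valid' : 'rejected');
    assert($ok === $expected);
}
// The table is untouched: the injection string never reached the SQL parser as SQL.
assert((int) $db->query('SELECT COUNT(*) FROM tbl_user')->fetchColumn() === 2);

// How campaign.php would use it (hypothetical landing page; skipped when run from the CLI).
if (PHP_SAPI !== 'cli' && !campaignCodeIsValid($db, $_GET['code'] ?? null)) {
    header('Location: /no-such-page.php');
    exit;
}
```

The regex rejects the injection string before it ever reaches the database, and even a string that passes the filter is compared as a bound value, so the only thing a made-up code can do is fail the lookup.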

