Converting to Static URL - Security and advice please

Hello, just a few small questions regarding an already-existing site.

For SEO purposes and basic aesthetics (I can see the benefit of doing it the long way) I was looking at converting the current URL we use:

sitename.com/news?newsid=1

To:

sitename.com/news/news-title-goes-here

My first issue is the security implications of accessing the database with a passed variable. Using an int I could declare that the variable MUST be an int, it’s a bit harder with a string. This is my current code.

function displayNews2() {

	if (isset($_GET['newsid'])) {
		$pageID = str_replace(array('-'),' ',$_GET['newsid']);
		echo $pageID;

		$result = mysql_query("SELECT * FROM news WHERE news_title='$pageID' ORDER by news_created DESC") or die(mysql_error);
		$row = mysql_fetch_array($result);
				$newsID = stripslashes($row['news_id']);
				$newsTitle = stripslashes($row['news_title']);
				$newsDate = stripslashes(date('M d, Y', $row['news_created']));
				$newsAuthor = getAuthor(stripslashes($row['author_id']));
				
				//$newsContent = str_replace(array('\\r', '\\r\
', '\
'),'<br />',$row['news_content']);
				$newsContent = nl2br(stripslashes($row['news_content'])); 
				
		echo "<div id='newsBlog'>
				<h4>$newsTitle </h4>
					<div class='blogContent'>
						<p>$newsContent</p>
					
						<span>Posted $newsDate by $newsAuthor<br/>
								<a href='compensation-news.php'>Read More Claim News</a></span>
					</div>
					</div>";
		
	}
}

I have changed this ti accept a string and it works, entering anything else at the minute just has it return an error (I’ll add an else later).

Is that good enough to secure against malicious code because it seems dangerous to me personally. Should I be passing the variable into $pageID and then running stripslashes et al. on it because my concern there is making the string ineligible for then recovering it from the database.

I don’t think there is another way to include the title in the URL short of including the title in the URL.

My second issue is thus. I put my current dynamic URL into a code generator which would generate the htaccess code I need in order to change the appearance of these particular URL’s. This is what I put in:

sitename.co.uk/test.php?newsid=Grabbed-Cyclist-Wins-£12,000-In-Compensation

This is what I get back:

sitename.co.uk/test/newsid/(Any Value)/

Ignoring the ‘test’ part which would probably be news or compensation-news in practice, the ‘newsid’ part seems ugly and other sites I’ve observed don’t seem to have this extra /variable as part of their URL structure.

Am I missing something here? I can change the variable name but if possible I’d really prefer the URL to just be “sitename.co.uk/news/news-title/”

It’s a bit of a nuisance but I think it will look better and work better for the effort put in but I defer to the experts in this area.

Sorry if this was a little long to read but thanks for reading if you got this far.
DWB

Yes, that code is not very secure, search for “sql injection” and you will get a lot of explanation. Basically, you should escape any string values with mysql_real_escape_string() before inserting them in a query.

I see you still have magic_quotes enabled on your server because you use stripslashes everywhere. If your server allows you to turn them off I strongly advise to do so - it’s the old ‘feature’ that is deprecated now and will be removed in future php versions. To sum up:

1. With magic_quotes=on: first use stripslashes on $_GET[‘newsid’] and then mysql_real_escape_string.

2. With magic_quotes=off: use mysql_real_escape_string.

Ignoring the ‘test’ part which would probably be news or compensation-news in practice, the ‘newsid’ part seems ugly and other sites I’ve observed don’t seem to have this extra /variable as part of their URL structure.

Am I missing something here? I can change the variable name but if possible I’d really prefer the URL to just be “sitename.co.uk/news/news-title/”

I don’t think a numeric ID in the url hurts that much and I wouldn’t expect any measurable SEO ranking differences based on that. Sure, it looks better without it but then in your application you need to provide some logic preventing duplicate titles in URLs, so having the ID it’s easier to manage. Just decide based on your estheatic and practical needs. I believe it’s better to have IDs than /very-long-titles-of-articles-that-many-modern-web-sites-embed-in-their-page-urls-that-scroll-several-screens-horizontally-in-the-browsers-location-bar-and-then-i-think-they-must-be-really-naive-to-believe-they-have-a-super-google-friendly-url-that-will-drive-traffic-to-them-like-nothing-else…

Well I was going off this:

The study involved taking hundreds of highly competitive keyword queries, like travel, cars, and computer software, and comparing factors involving the top ten results. The statistics show that of those top ten, Google has 40-50% of those with the keyword either in the URL or the domain; Yahoo shows 60%; and MSN has an astonishing 85%! What that means is that to these search engines, having your keywords in your URL or domain name could mean the difference between a top ten ranking, and a ranking far down in the results pages.

Which I can understand from a keyword perspective.

I think my magic_quotes is off, i assume it is because I tried using that certain code which can let you bypass a login and it failed, perhaps I have been misusing stripslashes. Most of this code was used to create a custom CMS following a tutorial, nothing fancy, just something that made word-processing simple.

I take your point on the ridiculous-length-page-titles though.

I’m not saying this is not true, all I’m saying is that having a numeric ID added somewhere won’t hurt the results much. Of course, if you have no reason to keep the ID it’s better to get rid of it.

I think my magic_quotes is off, i assume it is because I tried using that certain code which can let you bypass a login and it failed, perhaps I have been misusing stripslashes.

Better to really make sure if magic_quotes is off: run phpinfo() and read the value. If it’s off, then get rid of all the stripslashes.