Then I can check the code and see that the user actually did go to the page and save things to my stats.
But, sometimes I’ve noticed that users remove the last bit of code and then go to www.mypage.com/campaign.php
I guess they remove the last part of the URL, since they don’t want me to know that they were there or whatever.
So, now I thought about making something to check that the code is actually there. If there is no code in the url, then they’ll be redirected to a page saying that there is no page here. Or that they didn’t enter the correct url or something like that.
I guess people here have a great idea on how to make this or what I should think about when making it.
If I have a table called tbl_user with fields for username, user_code
But, what if the user just puts anything else there? Like changing the code or whatever? Wouldn’t it be better to check if the code is in the db in some way?
If $_GET['code'] is not on the command line, OR $_GET['code'] is set and there is something other than 0-9, a-z, A-Z, or _ in $_GET['code'], you will "do something" (btw, Chris, \d would overlap entirely with \w, so it's redundant to have \d in there)
But isn’t it enough to ask the db if the code is in there. Otherwise do something, like showing another page? I don’t get it.
Because, if the code isn’t correct, then they are not allowed anyway.
That would work, but be careful to sanitize your input before you put it into a query (which, effectively, is what Chris' regex does; it makes sure that the string is just letters and numbers (and underscores)).
if, instead of your code, they put… "'; TRUNCATE codes; SELECT * FROM codes where code = '"…
and you stick it into your script like:
    $query = "SELECT * FROM codes WHERE code = '".$_GET['code']."'";
your actual query string becomes…
    SELECT * FROM codes WHERE code = ''; TRUNCATE codes; SELECT * FROM codes where code = ''
and then your data go boom.
You never, ever, use variables the user could POSSIBLY TOUCH without sanitizing them, preferably also using prepared statements in your database implementation.
So, everytime I have a code like that I need to check it before making a query?
Is there a simple line I could add to my pages to do this without starting all over?
if (!isset($_GET['code']) || !preg_match('/^[\w\d]+$/', $_GET['code'])) {
    // If not correct I put a header redirection sending them to an error page.
    header('Location: /error.php'); // placeholder: path of the error page
    exit;
}
And then have this on the first landing page. Then I thought I could make a session to use for this user to follow them around on the following pages. Then I don’t have to do this sanitize thing on following pages. Right?
Or is there anything else I have to think about here? I'm all new to this.
Or is there anything else I have to think about here?
What you are doing with this regex here is Filtering Input (part of FIEO - Filter Input Escape Output) - so yes, if you are not aware of FIEO then go and read up on it pronto.
So, everytime I have a code like that I need to check it before making a query?
Is there a simple line I could add to my pages to do this without starting all over?
Prior to building your SQL query you should be doing the Escape Output part, by using PDO or MySQLi and their prepared statements to protect your db from the SQL injection attack described previously.
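The flow the thread converges on (filter the code with the regex, then look it up with a prepared statement, then remember the user in the session) written out as an added PHP example; it is not code from the thread. tbl_user and its username/user_code columns come from the question; the DSN, credentials and error-page path are placeholders.

```php
<?php
// Added example: Filter Input, then query with a PDO prepared statement so the
// code value is passed as data and never becomes part of the SQL text.
declare(strict_types=1);

// Filter Input: only 0-9, a-z, A-Z and _ may pass (\d is redundant inside \w).
// Non-strings (e.g. ?code[]=x) are rejected instead of reaching preg_match.
function filterCode($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^\w{1,64}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Bound parameter: even "'; TRUNCATE codes; SELECT * FROM codes where code = '"
// is compared literally against user_code, not executed.
function findUserByCode(PDO $db, string $code): ?array
{
    $stmt = $db->prepare('SELECT username, user_code FROM tbl_user WHERE user_code = ?');
    $stmt->execute([$code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// campaign.php entry point: null means "no such page" for the caller.
function handleLanding(PDO $db, array $get): ?array
{
    $code = filterCode($get['code'] ?? null);
    return $code === null ? null : findUserByCode($db, $code);
}

// Placeholder DSN and credentials; ERRMODE_EXCEPTION so failures are not silent,
// EMULATE_PREPARES off so the server itself does the parameter binding.
$db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

session_start();
$user = handleLanding($db, $_GET);
if ($user === null) {
    header('Location: /no-such-page.php'); // placeholder error page
    exit;
}
// Following pages check $_SESSION['campaign_user'] instead of re-reading the URL.
$_SESSION['campaign_user'] = $user['username'];
// Record the visit in the stats table here, again through a prepared statement.
```

The session value is only trusted because it was set after the code passed both the filter and the database lookup; a page that reads the code from the URL again would need the same two checks.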