HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Programming/Scripts: how to avoid query string url of php page to be spammed (http://www.howtoforge.com/forums/showthread.php?t=41722)

surinwest 10th December 2009 19:28

how to avoid query string url of php page to be spammed
The query string url of my php page could be changed and it is still viewed as the same page. Why is this happening? How could it be fixed? Is it something to be done through the htaccess file?

Eg of url: http://matter.com/article.php?id=1

If I change url to

http://matter.com/article.php?howdy=1

it still displays the same page.

Please help.

falko 11th December 2009 13:59

It's hard to say anything about this - it depends on what is in article.php.

surinwest 11th December 2009 17:17

code attached: how to avoid query string url of php page to be spammed

I have a page, "article.php", on which I call an include file to display query results. The include file code follows:

<?php
include 'dataconnection.php';
$pagenum = isset($_GET['pagenum']) ? $_GET['pagenum'] : null;

//This checks to see if there is a page number. If not, it will set it to page 1
if (!(isset($pagenum)))
{
$pagenum = 1;
}
//Force an integer: non-numeric values become 0 and are clamped to 1 below
$pagenum = (int)$pagenum;

//Here we count the number of results
//Edit $data to be your query
$data = mysql_query("SELECT * FROM news");
$rows = mysql_num_rows($data);
if(!$rows){
echo mysql_error();
}

//This is the number of results displayed per page
$page_rows = 15;

//This tells us the page number of our last page
$last = ceil($rows/$page_rows);

//this makes sure the page number isn't below one, or more than our maximum pages
if ($pagenum < 1)
{
$pagenum = 1;
}
elseif ($pagenum > $last)
{
$pagenum = $last;
}

//This sets the range to display in our query
$max = 'limit ' .($pagenum - 1) * $page_rows .',' .$page_rows;

//The search term must be escaped before it goes into the SQL string;
//an empty term gives LIKE '%%', which matches every row
$search = isset($_GET['query']) ? mysql_real_escape_string($_GET['query']) : '';
$data_p = mysql_query("SELECT id, edid, title, DATE_FORMAT(date, '%M %D, %Y') AS date, SUBSTRING(body,1,150) AS body FROM news WHERE body LIKE '%$search%' ORDER BY id DESC $max") or die(mysql_error());

echo "<br>","<center>","<b>","News ","</b>","</center>","<br>";
while($info = mysql_fetch_array( $data_p ))
{
$id = $info['id'];
$title = $info['title'];
$title1 = str_replace(" ","-",$info['title']);
//Characters to replace or strip when building the URL slug from the title
$code_entities_match = array(' ','--','&quot;','!','@','#','$','%','^','&','*','(',')','_','+','{','}','|',':','"','<','>','?','[',']','\\',';',"'",',','.','/','*','+','~','`','=');
$code_entities_replace = array('-','-','','','','','','','','','','','','','','','','','','','','','','','','');
$title2 = str_replace($code_entities_match, $code_entities_replace, $title);
//htmlspecialchars keeps characters in the stored title and body from being rendered as markup
echo "<br>", "<strong>","<a href='item/$id/$title2'>".htmlspecialchars($title)."</a>","</strong>";
print htmlspecialchars($info['body']);
echo "...";
echo "<br>";
}

// This shows the user what page they are on, and the total number of pages
//echo "<br>"," Page $pagenum of $last <p>";
echo "<table width=200>", "<tr>","<td width=100>";echo "<br>";
// First we check if we are on page one. If we are then we don't need a link to the previous page or the first page so we do nothing. If we aren't then we generate links to the first page, and to the previous page.
// Note that these links carry only pagenum, not the search term.
if ($pagenum == 1)
{
}
else
{
//echo " <a href='{$_SERVER['PHP_SELF']}?pagenum=1'> <<-First</a> ";
echo " ";
$previous = $pagenum-1;
echo " <a href='{$_SERVER['PHP_SELF']}?pagenum=$previous'> <b><-Previous</b></a> ";
echo "</td>";
}

//just a spacer-now changed to td
echo "<td width=100>";
echo "<br>";
//This does the same as above, only checking if we are on the last page, and then generating the Next and Last links
if ($pagenum == $last)
{
}
else {
$next = $pagenum+1;
echo " <a href='{$_SERVER['PHP_SELF']}?pagenum=$next'><b> Next -></b></a> ";

//echo " <a href='{$_SERVER['PHP_SELF']}?pagenum=$last'>Last ->></a> ";
}
echo "</td>", "</tr>", "</table>";
?>
-------------------------------------------------

It displays the list of all news from the database, limiting 15 to a page. When I click on the Next page button, what I get on my url is
http://www.example.com/article.php?pagenum=2

At the url, if any changes are made like
http://www.example.com/article.php?id=2 (where id does not exist)
or
http://www.example.com/article/pagenum=2 (a slash instead of .php?)
the site displays the results exactly like the original page.

Why is this happening? I have a rewrite rule in my htaccess file for another page for clean urls. All these files including the htaccess files are in my root folder.

Problem 2

I made another search folder with a search page, and the search displays the results properly on its first page. When the Next page link is clicked for page 2, what displays is exactly what is seen in http://www.example.com/article.php?pagenum=2.

Any help would be greatly appreciated.

falko 12th December 2009 16:56

The script expects something like http://matter.com/article.php?pagenum=1

If $pagenum is not set, it will be set to 1 automatically in the script:

Code:

if (!(isset($pagenum)))
{
$pagenum = 1;
}

So if you use id=1 or howdy=1, $pagenum will always be set to 1; that's why you see the same content.
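An added example, not the poster's script, of the two checks a hardened version of this page needs: only pagenum and query are accepted (anything else is clamped or dropped and the request is redirected to its canonical URL, so article.php?id=2 no longer serves a duplicate of page 1), and the search term is bound rather than concatenated into the SQL. It assumes PHP 7.4+ with pdo_sqlite; all function names and the news rows are constructed for the example.

```php
<?php
// Added example (not the poster's script): validate the paging parameters,
// send stray query strings to one canonical URL, and run the search with
// bound parameters. Uses an in-memory SQLite table with constructed rows.

// Return the canonical ['pagenum' => int, 'query' => string] for a request.
function canonical_params(array $get, int $last): array {
    $page = filter_var($get['pagenum'] ?? 1, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($page === false) { $page = 1; }               // "abc", "-3", "", array -> 1
    if ($last > 0 && $page > $last) { $page = $last; }
    return ['pagenum' => $page, 'query' => trim((string)($get['query'] ?? ''))];
}

// The only URL this page answers under; an empty search term is dropped.
function canonical_url(string $script, array $params): string {
    return $script . '?' . http_build_query(array_filter($params, fn($v) => $v !== ''));
}

// article.php?id=2 or ?howdy=1 gets a 301 to article.php?pagenum=1.
function redirect_if_not_canonical(string $script, array $get, int $last): void {
    $canon = canonical_url($script, canonical_params($get, $last));
    if ($script . '?' . ($_SERVER['QUERY_STRING'] ?? '') !== $canon) {
        header('Location: ' . $canon, true, 301);
        exit;
    }
}

// Page $pagenum of the rows matching $query, 15 per page, every value bound.
function fetch_page(PDO $db, int $pagenum, string $query, int $page_rows = 15): array {
    $st = $db->prepare('SELECT id, title, SUBSTR(body, 1, 150) AS body FROM news'
                     . ' WHERE body LIKE :q ORDER BY id DESC LIMIT :lim OFFSET :off');
    $st->bindValue(':q', '%' . $query . '%', PDO::PARAM_STR);
    $st->bindValue(':lim', $page_rows, PDO::PARAM_INT);
    $st->bindValue(':off', ($pagenum - 1) * $page_rows, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed data: 20 rows, so there are two pages of 15.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO news (title, body) VALUES (?, ?)');
for ($i = 1; $i <= 20; $i++) { $ins->execute(["Item $i", "Body of item $i"]); }
$p = canonical_params(['id' => '2'], 2);           // stray ?id=2 -> page 1
$rows = fetch_page($db, $p['pagenum'], "item 1");  // matches item 1 and 10..19
echo "page {$p['pagenum']}: " . count($rows) . " rows\n";
```

In the real page, redirect_if_not_canonical() would be called before any output is sent, with $last computed from the row count as the poster's script already does.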

surinwest 13th December 2009 22:34

Thank you falko. I tried to work around the problem, but the only way I could come up with is to pass the pagenum and use GET to set the current variable. Is there any other way to do this without passing the pagenum variable through a url?

