HowtoForge Forums > Linux Forums > Programming/Scripts

#1  10th December 2009, 18:28  surinwest (Junior Member)
how to avoid query string url of php page to be spammed

The query string url of my php page could be changed and still viewed as the same page. Why is this happening? How could it be fixed? Is it something to be done through the htaccess file?

E.g. of url: http://matter.com/article.php?id=1

If I change the url to

http://matter.com/article.php?howdy=1

it still displays the same page.

Please help.
#2  11th December 2009, 12:59  falko (Super Moderator, Lüneburg, Germany)

It's hard to say anything about this - it depends on what is in article.php.
#3  11th December 2009, 16:17  surinwest (Junior Member)
code attached: how to avoid query string url of php page to be spammed

I have a page, "article.php", on which I call an include file to display query results. The include file code follows:

Code:
<?php
include 'dataconnection.php';

// Read the page number from the query string, if one was given (cast to int so
// only a whole number ever reaches the LIMIT clause)
$pagenum = isset($_GET['pagenum']) ? (int) $_GET['pagenum'] : null;

//This checks to see if there is a page number. If not, it will set it to page 1
if (!(isset($pagenum)))
{
    $pagenum = 1;
}

// The search term: the raw value is kept for the paging links, the escaped copy
// goes into the SQL so it cannot break out of the quoted LIKE pattern
$search = isset($_GET['query']) ? $_GET['query'] : '';
$query  = mysql_real_escape_string($search);

//Here we count the number of results (with the same filter as the page query,
//otherwise the page count does not match what is shown)
//Edit $data to be your query
$data = mysql_query("SELECT id FROM news WHERE body LIKE '%$query%'") or die(mysql_error());
$rows = mysql_num_rows($data);

//This is the number of results displayed per page
$page_rows = 15;

//This tells us the page number of our last page (never below 1, even with no rows)
$last = max(1, (int) ceil($rows / $page_rows));

//This makes sure the page number isn't below one, or more than our maximum pages
if ($pagenum < 1)
{
    $pagenum = 1;
}
elseif ($pagenum > $last)
{
    $pagenum = $last;
}

//This sets the range to display in our query
$max = 'LIMIT ' . ($pagenum - 1) * $page_rows . ',' . $page_rows;

$data_p = mysql_query("SELECT id, edid, title, DATE_FORMAT(date, '%M %D, %Y') AS date,
    SUBSTRING(body, 1, 150) AS body FROM news WHERE body LIKE '%$query%'
    ORDER BY id DESC $max") or die(mysql_error());

echo "<br><center><b>News</b></center><br>";
while ($info = mysql_fetch_array($data_p))
{
    $id    = $info['id'];
    $title = $info['title'];

    // Build the URL slug: spaces and "--" become "-", other punctuation is dropped
    $code_entities_match = array(' ','--','&quot;','!','@','#','$','%','^','&','*','(',')','_','+','{','}','|',':','"','<','>','?','[',']','\\',';',"'",',','.','/','*','+','~','`','=');
    $code_entities_replace = array('-','-','','','','','','','','','','','','','','','','','','','','','','','','');
    $title2 = str_replace($code_entities_match, $code_entities_replace, $title);

    echo "<br><strong><a href='item/$id/$title2'>" . htmlspecialchars($title) . "</a></strong>";
    echo $info['body'];
    echo "...";
    echo "<br>";
}

// Base of the paging links: the current script plus the search term, so page 2
// shows the same result set (escaped, since PHP_SELF can echo back user input)
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) . '?'
      . ($search !== '' ? 'query=' . urlencode($search) . '&amp;' : '');

// This shows the user what page they are on, and the total number of pages
//echo "<br>"," Page $pagenum of $last <p>";
echo "<table width=200><tr><td width=100><br>";
// First we check if we are on page one. If we are then we don't need a link to
// the previous page or the first page so we do nothing. If we aren't then we
// generate links to the first page, and to the previous page.
if ($pagenum != 1)
{
    //echo " <a href='{$self}pagenum=1'> <<-First</a> ";
    $previous = $pagenum - 1;
    echo " <a href='{$self}pagenum=$previous'> <b><-Previous</b></a> ";
}
echo "</td>";

//just a spacer-now changed to td
echo "<td width=100><br>";
//This does the same as above, only checking if we are on the last page, and
//then generating the Next and Last links
if ($pagenum != $last)
{
    $next = $pagenum + 1;
    echo " <a href='{$self}pagenum=$next'><b> Next -></b></a> ";
    //echo " <a href='{$self}pagenum=$last'>Last ->></a> ";
}
echo "</td></tr></table>";
?>
-------------------------------------------------

It displays the list of all news from the database, limiting 15 to a page. When I click on the Next page button, what I get in my url is
http://www.example.com/article.php?pagenum=2

At the url, if any changes are made like
http://www.example.com/article.php?id=2 (where id does not exist)
or
http://www.example.com/article/pagenum=2 (a slash instead of .php?)
the site displays the results exactly like the original page.

Why is this happening? I have a rewrite rule in my htaccess file for another page for clean urls. All these files including the htaccess files are in my root folder.

Problem 2

I made another search folder with a search page, and the search displays in its first page the results properly. When the Next page link is clicked for page 2, what displays is exactly what is seen in http://www.example.com/article.php?pagenum=2.

Any help would be greatly appreciated.
#4  12th December 2009, 15:56  falko (Super Moderator, Lüneburg, Germany)


The script expects something like http://matter.com/article.php?pagenum=1

If $pagenum is not set, it will be set to 1 automatically in the script:

Code:
if (!(isset($pagenum)))
{
$pagenum = 1;
}
So if you use id=1 or howdy=1, $pagenum will always be set to 1, that's why you see the same content.
#5  13th December 2009, 21:34  surinwest (Junior Member)


Thank you falko. I tried to work around the problem, but the only way I could come up with is to pass the pagenum and use GET to set the current variable. Is there any other way to do this without passing the pagenum variable through a url?
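A hardened version of the include, added here as an example and not part of the thread: it takes falko's point from #4 (any unknown parameter silently becomes page 1) and rejects unknown or malformed parameters and out-of-range pages with a 404 instead of clamping, and it answers #5 by keeping pagenum in the URL while deciding server-side which URLs are valid. The $pdo connection, the ATTR_EMULATE_PREPARES setting, the table columns and the 404 response are assumptions; the search goes through a prepared statement with its LIKE wildcards escaped.

```php
<?php
// Added example (not the poster's script): strict pagination with a parameterised
// search via PDO. Assumes $pdo is an open PDO connection to the poster's database
// with the `news` table (id, title, body) and ATTR_EMULATE_PREPARES set to false,
// so the LIMIT placeholders are bound as integers rather than quoted strings.
// Returns the page to show, or null when the request should get a 404: any
// parameter other than pagenum/query, a malformed pagenum, or a page past the last.
function resolve_pagenum(array $get, $last)
{
    foreach (array_keys($get) as $name) {
        if ($name !== 'pagenum' && $name !== 'query') {
            return null;   // ?id=2 or ?howdy=1 no longer renders page 1 silently
        }
    }
    if (!isset($get['pagenum'])) {
        return 1;
    }
    $raw = $get['pagenum'];
    // Canonical positive integer only: rejects "007", "-1", "1.5", "1e2", arrays
    if (!is_string($raw) || $raw !== (string) (int) $raw || (int) $raw < 1) {
        return null;
    }
    return (int) $raw > $last ? null : (int) $raw;
}
$page_rows = 15;
$search    = isset($_GET['query']) && is_string($_GET['query']) ? $_GET['query'] : '';
// Escape LIKE wildcards so a user-supplied "%" cannot widen the match
$pattern   = '%' . addcslashes($search, '%_\\') . '%';

$count = $pdo->prepare('SELECT COUNT(*) FROM news WHERE body LIKE ?');
$count->execute(array($pattern));
$last  = max(1, (int) ceil((int) $count->fetchColumn() / $page_rows));

$pagenum = resolve_pagenum($_GET, $last);
if ($pagenum === null) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
$stmt = $pdo->prepare('SELECT id, title, SUBSTRING(body, 1, 150) AS body '
                    . 'FROM news WHERE body LIKE ? ORDER BY id DESC LIMIT ?, ?');
$stmt->bindValue(1, $pattern, PDO::PARAM_STR);
$stmt->bindValue(2, ($pagenum - 1) * $page_rows, PDO::PARAM_INT);
$stmt->bindValue(3, $page_rows, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt as $row) {
    $url = 'item/' . (int) $row['id'] . '/' . rawurlencode($row['title']);
    echo '<a href="', htmlspecialchars($url, ENT_QUOTES), '">',
         htmlspecialchars($row['title'], ENT_QUOTES), '</a><br>';
}
```

Returning 404 for anything but the canonical URLs also keeps caches and search engines from treating article.php?howdy=1 and article.php?pagenum=1 as two pages with the same content.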