Enjoy an ad free experience by logging in. Not a member yet?
Register .
PM User | 1
New Coder
Join Date: Mar 2003
Location: USA
Posts: 99
Thanks: 24
Thanked 0 Times in 0 Posts
Check if this is secure?
PHP Code:
$url = htmlspecialchars ( $_GET [ "url" ]);
$url_exist = mysql_query ( "SELECT * FROM `websites` WHERE `url` = '$url' AND `status` = 1 ORDER BY `id`" ) or die( mysql_error ());
$url )) {
header ( "Location: http://www.mysite.com/" );
$_GET [ "url" ] == $url && mysql_num_rows ( $url_exist ) > 0 ) {
mysql_query ( "UPDATE `websites` SET `out` = `out` + 1 WHERE `url` = '$url'" );
header ( "Location: " . $url );
header ( "Location: http://www.mysite.com/" );
Is this safe or are there flaws? Please help.
PM User | 2
Supreme Master coder!
Join Date: Mar 2007
Location: N/A
Posts: 14,689
Thanks: 158
Thanked 2,184 Times in 2,171 Posts
Quote:
Originally Posted by php.net/htmlspecialchars
The translations performed are:only when ENT_QUOTES is set.
Better to use
mysql_real_escape_string() (after removing the slashes added by magic_quote_gpc, if any)
PS:
PHP Code:
header ( "Location: " . $url );
Don't you need to validate the domain name?
__________________
Quote:
The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
Users who have thanked abduraooft for this post:
PM User | 3
New Coder
Join Date: Mar 2003
Location: USA
Posts: 99
Thanks: 24
Thanked 0 Times in 0 Posts
Ok changed it up.
PM User | 4
Supreme Master coder!
Join Date: Mar 2007
Location: N/A
Posts: 14,689
Thanks: 158
Thanked 2,184 Times in 2,171 Posts
Quote:
I already did that in my submission form (checks to see if url of site is real and in existence) so I didn't think I would have to do it again.
Before submission? That may not be enough. You'd need to validate all external data from server side, to save your tables from wrong data.
__________________
Quote:
The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
PM User | 5
New Coder
Join Date: Mar 2003
Location: USA
Posts: 99
Thanks: 24
Thanked 0 Times in 0 Posts
But it will only update the table data if the website is in existence in the database, if not, it won't do anything. So it's pointless for the user to put in a random website in the url param. Right?
PM User | 6
Supreme Master coder!
Join Date: Mar 2007
Location: N/A
Posts: 14,689
Thanks: 158
Thanked 2,184 Times in 2,171 Posts
Quote:
So it's pointless for the user to put in a random website in the url param. Right?
Yes. That's OK. I thought there's an INSERT query
__________________
Quote:
The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
PM User | 7
God Emperor
Join Date: Sep 2002
Location: Saskatoon, Saskatchewan
Posts: 15,752
Thanks: 4
Thanked 2,468 Times in 2,437 Posts
Although it won't make a difference in this situation (because of you're if/else usage), header redirect should be followed by an exit(). This is because PHP will continue to process regardless of if a browser has been redirected (it has to wait until the end anyway when it receives its results).
__________________
PHP Code:
header ( 'HTTP/1.1 420 Enhance Your Calm' );
Users who have thanked Fou-Lu for this post:
Jump To Top of Thread
Thread Tools
Rate This Thread
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
All times are GMT +1. The time now is 10:17 AM .
Advertisement
Log in to turn off these ads.
Before you post, read our: 
