
Get the FULL URL in PHP [including the "id=1" part..]

Hey
Is it possible to get the FULL URL that the user is on?
I made this login script, and it redirects you back to the page you were on before, but it doesn't get the last part of the URL. For example, if the user is on this page when they log in:
http://localhost/index.php?action=viewmedia&id=1
after using:
$_SERVER['PHP_SELF'] they are redirected to index.php
How do I make it so it gets the last part too?
Thanks
 
0
•••
PHP:
$_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
That would be like /index.php?action=viewmedia&id=1
 
0
•••
Out of interest, why is it better to do it that way rather than just using $_SERVER['REQUEST_URI']?
 
0
•••
That's just what I could think of. >_____>



;)
 
0
•••
Dan said:
PHP:
$_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
That would be like /index.php?action=viewmedia&id=1
Definitely not the safest approach if you're querying a database with the $_GET contents.

Either clean it or use the switch() function

-Steve
 
0
•••
Not safe at all...especially if the $_GET[] array is evaluated

Code:
http://www.yourscript.com/?%24_SERVER%5B'QUERY_STRING'%5D+%3D+'%2Frestricted%2Fpath'%3B

That would move the user to /restricted/path, where you obviously don't want him to go, if it is evaluated.
 
0
•••
No one said anything about making it safe.. Of course he should use something to clean it before using it in a MySQL query..
 
0
•••
What I posted above doesn't even need to be used in a mysql query to be effective.

Any statement that runs the 'eval();' command with $_SERVER['QUERY_STRING'] mentioned anywhere therein will fall victim to this.
 
0
•••
JRBHosting said:
will fall victim to this.
Fall victim to what?.. All it does is say /restricted/path. Why would anyone eval() that variable and have it set up so that setting it to that would do something?..
 
0
•••
JRBHosting said:
What I posted above doesn't even need to be used in a mysql query to be effective.

Any statement that runs the 'eval();' command with $_SERVER['QUERY_STRING'] mentioned anywhere therein will fall victim to this.

That is if there is anyone out there silly enough to use eval on anything that hasn't been checked, validated, and double checked a few times, especially a superglobal of all things.

That is far beside the point anyway,

Personally, topic solved? Yes?
 
0
•••
Hm, I cleaned it up using htmlspecialchars().
Is it safe enough?
The only reason I'm using this is because I have a login form on the right panel, so when someone logs in on any page, I want them to be redirected to the same page, and if they are on a page that has "id=1" or whatever, it doesn't redirect them to that if I just use $_SERVER['PHP_SELF'].
I'm using the way Dan told me about. Is that okay, or should I switch to what Beaver mentioned?
 
0
•••
What beaver said could be "hacked" exactly the same way mine could.
 
0
•••
unknowngiver said:
Hm, I cleaned it up using htmlspecialchars().
Is it safe enough?
The only reason I'm using this is because I have a login form on the right panel, so when someone logs in on any page, I want them to be redirected to the same page, and if they are on a page that has "id=1" or whatever, it doesn't redirect them to that if I just use $_SERVER['PHP_SELF'].
I'm using the way Dan told me about. Is that okay, or should I switch to what Beaver mentioned?

Bottom line: Are you storing this string in a database? If no, it does not need to be secured. If so, stripslashes -> addslashes or another escaping function.

Both Dan and Beaver's suggestions are exact, only Dan was using the two predefined variables for page name and query string, whereas Beaver's is pre-combined to give both.
 
0
•••
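A way to do the redirect-back safely, as an added example that is not code from any poster in this thread: it takes $_SERVER['REQUEST_URI'] as Beaver suggested, but only accepts a plain local path (no scheme, no //host, no CR/LF) before putting it in the Location header, so the redirect cannot be pointed off-site or used to inject extra headers. The function names and the hidden return_to form field are my own assumptions.

```php
<?php
// Added example (not from the thread): build a same-site "return to" target
// from the current request and send the user back there after login.
// Assumes $_SERVER['REQUEST_URI'] is populated (Apache/nginx + PHP) and that
// the login form posts to this same script. Function names are assumptions.

/**
 * Return $uri unchanged if it is a plain local path such as
 * "/index.php?action=viewmedia&id=1"; otherwise return $fallback.
 * Rejects anything that could send the browser to another host or
 * break the Location header.
 */
function safe_return_path($uri, $fallback = '/index.php')
{
    if (!is_string($uri) || $uri === '') {
        return $fallback;
    }
    // CR or LF would end the Location header line (header injection).
    if (preg_match('/[\r\n]/', $uri)) {
        return $fallback;
    }
    // Must be an absolute path on this host: exactly one leading slash.
    // "//other.host/x" is protocol-relative and "\\other.host" is treated
    // like "//" by some browsers, so both are refused.
    if ($uri[0] !== '/' || (isset($uri[1]) && ($uri[1] === '/' || $uri[1] === '\\'))) {
        return $fallback;
    }
    // parse_url must agree that no scheme or host is hidden in the string.
    $parts = parse_url($uri);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $uri;
}

// When rendering the login form, remember the page the visitor is on.
// Echo htmlspecialchars($return_to) into a hidden input named "return_to".
$return_to = safe_return_path($_SERVER['REQUEST_URI']);

// When the login POST succeeds, validate the value again before redirecting:
// the hidden field is under the client's control just like the URL was.
function redirect_after_login(array $post)
{
    $target = safe_return_path(isset($post['return_to']) ? $post['return_to'] : '');
    header('Location: ' . $target, true, 302);
    exit;
}
```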
I would personally do this:

Code:
header("Location: http://www.yoursite.com/yourscript.php?id=".htmlspecialchars(escape($_GET['id'])));
 
0
•••
JRBHosting said:
I would personally do this:

Code:
header("Location: http://www.yoursite.com/yourscript.php?id=".htmlspecialchars(escape($_GET['id'])));

Because multiple query string variables don't exist now? :hehe:

Also why use htmlspecialchars here, and escape is not a function...
 
0
•••
Ah...I wrote the escape function for use in one of my programs...that's why it's there

In this EXAMPLE I would do that ;)

I haven't done this in a while...maybe substitute htmlspecialchars for addslashes.
 
0
•••
If I use htmlspecialchars and addslashes, would it be secure then?
 
0
•••
There are functions specially designed in PHP, if you're using MySQL. I use a couple in my scripts, like:

PHP:
// Quote and escape a value for use in a MySQL query (legacy mysql extension).
// $skip = 0 wraps non-numeric values in single quotes; $skip = 1 escapes only.
function quote_smart($value, $skip = 0)
{
    // Undo magic_quotes so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        if ($skip == 0) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        } else {
            $value = mysql_real_escape_string($value);
        }
    }
    return $value;
}

You can use lots of things to make strings safe: you could replace certain characters, use addslashes, stripslashes, htmlspecialchars, strip_tags... there's loads of stuff!

P.S. (If you find anything wrong with the snippet of code above, let me know so I can fix it in my latest script :)
 
0
•••