Get the FULL url in php [including "id=1" part..]

unknowngiver · 01-21-2007, 07:11 PM

Hey
Is it possible to get the FULL url that the user is on?
I made this login script..and redirects u back to the page u were on before..but it doesnt get the last part of the urll..for example if the user is on this page when they login:
http://localhost/index.php?action=viewmedia&id=1
after using :
$_SERVER['PHP_SELF'] they are redirected to index.php
how do i make it so it gets the Last part 2
Thanks

Dan · 01-21-2007, 07:14 PM

PHP Code:

  $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; 

????: NamePros.com http://www.namepros.com/programming/284458-get-full-url-php-including-id.html

That would be like /index.php?action=viewmedia&id=1

beaver6813 · 01-22-2007, 12:33 AM

Out of interest, why is it better to do it that way rather than just using $_SERVER['REQUEST_URI']?

Dan · 01-22-2007, 04:29 AM

That's just what I could think of. >_____>

stscac · 01-22-2007, 09:55 AM

Originally Posted by Dan

PHP Code:

  $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; 

????: NamePros.com http://www.namepros.com/showthread.php?t=284458

That would be like /index.php?action=viewmedia&id=1

Definitely not the safest approach if you're querying a database with the $_GET contents.

Either clean it or use the switch() function

-Steve

RegisterRants · 01-22-2007, 10:02 AM

Not safe at all...especially if the $_GET[] array is evaluated

Code:

http://www.yourscript.com/?%24_SERVER%5B'QUERY_STRING'%5D+%3D+'%2Frestricted%2Fpath'%3B

That would move the user to /restricted/path, where you obviously don't want him to go, if it is evaluated.

Dan · 01-22-2007, 01:57 PM

No one said anything about making it safe.. Of course he should use something to clean it before using it in a MySQL query..

RegisterRants · 01-22-2007, 02:02 PM

What I posted above doesn't even need to be used in a mysql query to be effective.

Any statement that runs the 'eval();' command with $_SERVER['QUERY_STRING'] mentioned anywhere therein will fall victim to this.

Dan · 01-22-2007, 02:18 PM

Originally Posted by JRBHosting

will fall victim to this.

Fall victim to what?.. All it does is say /restricted/path. Why would anyone eval() that variable and have it set up so that setting it to that would do something?..

Matthew. · 01-22-2007, 02:19 PM

Originally Posted by JRBHosting

What I posted above doesn't even need to be used in a mysql query to be effective.

Any statement that runs the 'eval();' command with $_SERVER['QUERY_STRING'] mentioned anywhere therein will fall victim to this.

That is if there is anyone out there silly enough to use eval on on anything that hasn't been checked, validated, and double checked a few times especially a superglobal of all things.

That is far beside the point anyway,

Personally, topic solved? Yes?

unknowngiver · 01-22-2007, 02:23 PM

hm i cleaned it up using htmlspecialchars()
is it safe enough?
the only reason i m using this is because i have a login form on the right panel..so when some1 logs in..on any page..i want them to be redirected to the same page..and if they are in a page that has "id=1" or w.e...it doesnt redirect them to that ..if i just use $_SERVER['PHP_SELF']
i m using the way dan told me about..is that okay or should i switch to what beaver mentioned?

Dan · 01-22-2007, 02:25 PM

What beaver said could be "hacked" exactly the same way mine could.

Matthew. · 01-22-2007, 02:25 PM

Originally Posted by unknowngiver

hm i cleaned it up using htmlspecialchars()
????: NamePros.com http://www.namepros.com/showthread.php?t=284458
is it safe enough?
the only reason i m using this is because i have a login form on the right panel..so when some1 logs in..on any page..i want them to be redirected to the same page..and if they are in a page that has "id=1" or w.e...it doesnt redirect them to that ..if i just use $_SERVER['PHP_SELF']
i m using the way dan told me about..is that okay or should i switch to what beaver mentioned?

Bottom line: Are you storing this string in a database? if no, it does not need to be secured. If so, stripslashes -> addslashes or another escaping function.

Both Dan and Beaver's suggestions are exact, only Dan was using the two pre defined variables for page name and query string where as Beaver's in pre-combined to give both.

RegisterRants · 01-22-2007, 02:32 PM

I would personally do this:

Code:

header("Location: http://www.yoursite.com/yourscript.php?id=".htmlspecialchars(escape($_GET[id])));

Matthew. · 01-22-2007, 02:33 PM

Originally Posted by JRBHosting

I would personally do this:
????: NamePros.com http://www.namepros.com/showthread.php?t=284458

Code:

header("Location: http://www.yoursite.com/yourscript.php?id=".htmlspecialchars(escape($_GET[id])));

Because multiple query string variables don't exist now?

Also why use htmlspecialchars here, and escape is not a function...

RegisterRants · 01-22-2007, 02:42 PM

Ah...I wrote the escape function for use in one of my programs...that's why its there

In this EXAMPLE I would do that

I havent done this in a while...maybe substitute htmlspecialchars for addslashes.

unknowngiver · 01-22-2007, 03:04 PM

if i use htmlspecialchars and addslashes..would it be secure then?

beaver6813 · 01-23-2007, 12:29 AM

There are functions specially designed in PHP, if you're using MySQL, i use a couple on my scripts like:

PHP Code:

  function quote_smart($value,$skip=0)

{

   if (get_magic_quotes_gpc()) {

       $value = stripslashes($value);

   }

   if (!is_numeric($value)) {

   if($skip==0){

       $value = "'" . mysql_real_escape_string($value) . "'";

       } else {

       $value = mysql_real_escape_string($value);

????: NamePros.com http://www.namepros.com/showthread.php?t=284458
       }

   }

   return $value;

}

You can use lots of things to make strings safe, you could replace certain characters, use addslashes, stripslashes, htmlspecialcharacters, strip_tags... theres loads of stuff!

P.S (If you find anything wrong with the snippet of code above, lemme know so i can fix in my latest script

01-21-2007, 07:11 PM	THREAD STARTER #1 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	Get the FULL url in php [including "id=1" part..] Hey Is it possible to get the FULL url that the user is on? I made this login script..and redirects u back to the page u were on before..but it doesnt get the last part of the urll..for example if the user is on this page when they login: http://localhost/index.php?action=viewmedia&id=1 after using : $_SERVER['PHP_SELF'] they are redirected to index.php how do i make it so it gets the Last part 2 Thanks __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

01-21-2007, 07:14 PM	#2 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,796	PHP Code: `$_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; ????: NamePros.com http://www.namepros.com/programming/284458-get-full-url-php-including-id.html` That would be like /index.php?action=viewmedia&id=1

01-22-2007, 12:33 AM	#3 (permalink)
beaver6813 NamePros Regular Join Date: May 2005 Location: England Posts: 392 Follow @beaver6813	Out of interest, why is it better to do it that way rather than just using $_SERVER['REQUEST_URI']? __________________ -Beaver6813.com - Web Developer Extraordinaire!

01-22-2007, 10:02 AM	#6 (permalink)
RegisterRants Senior Member Join Date: Oct 2006 Location: NJ Posts: 1,152 Follow @jrberlinsky	Not safe at all...especially if the $_GET[] array is evaluated Code: http://www.yourscript.com/?%24_SERVER%5B'QUERY_STRING'%5D+%3D+'%2Frestricted%2Fpath'%3B That would move the user to /restricted/path, where you obviously don't want him to go, if it is evaluated. __________________ Web Development

01-22-2007, 02:02 PM	#8 (permalink)
RegisterRants Senior Member Join Date: Oct 2006 Location: NJ Posts: 1,152 Follow @jrberlinsky	What I posted above doesn't even need to be used in a mysql query to be effective. Any statement that runs the 'eval();' command with $_SERVER['QUERY_STRING'] mentioned anywhere therein will fall victim to this. __________________ Web Development

01-22-2007, 04:29 AM	#4 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,796	That's just what I could think of. >_____>

01-22-2007, 01:57 PM	#7 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,796	No one said anything about making it safe.. Of course he should use something to clean it before using it in a MySQL query..

01-22-2007, 02:23 PM	THREAD STARTER #11 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	hm i cleaned it up using htmlspecialchars() is it safe enough? the only reason i m using this is because i have a login form on the right panel..so when some1 logs in..on any page..i want them to be redirected to the same page..and if they are in a page that has "id=1" or w.e...it doesnt redirect them to that ..if i just use $_SERVER['PHP_SELF'] i m using the way dan told me about..is that okay or should i switch to what beaver mentioned? __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

01-22-2007, 02:25 PM	#12 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,796	What beaver said could be "hacked" exactly the same way mine could.

01-22-2007, 02:32 PM	#14 (permalink)
RegisterRants Senior Member Join Date: Oct 2006 Location: NJ Posts: 1,152 Follow @jrberlinsky	I would personally do this: Code: header("Location: http://www.yoursite.com/yourscript.php?id=".htmlspecialchars(escape($_GET[id]))); __________________ Web Development

01-22-2007, 02:42 PM	#16 (permalink)
RegisterRants Senior Member Join Date: Oct 2006 Location: NJ Posts: 1,152 Follow @jrberlinsky	Ah...I wrote the escape function for use in one of my programs...that's why its there In this EXAMPLE I would do that I havent done this in a while...maybe substitute htmlspecialchars for addslashes. __________________ Web Development

01-22-2007, 03:04 PM	THREAD STARTER #17 (permalink)
unknowngiver Senior Member Join Date: May 2005 Location: Ontario Canada Posts: 3,088	if i use htmlspecialchars and addslashes..would it be secure then? __________________ Simplifying Engineering \|\| $$ Currency Converter $$ Julsh - Community/Dating Website \|\| Free Image hosting Fresh Proxies \|\| Random Proxy \|\| Troll Board

01-23-2007, 12:29 AM	#18 (permalink)
beaver6813 NamePros Regular Join Date: May 2005 Location: England Posts: 392 Follow @beaver6813	There are functions specially designed in PHP, if you're using MySQL, i use a couple on my scripts like: PHP Code: `function quote_smart($value,$skip=0) { if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!is_numeric($value)) { if($skip==0){ $value = "'" . mysql_real_escape_string($value) . "'"; } else { $value = mysql_real_escape_string($value); ????: NamePros.com http://www.namepros.com/showthread.php?t=284458 } } return $value; }` You can use lots of things to make strings safe, you could replace certain characters, use addslashes, stripslashes, htmlspecialcharacters, strip_tags... theres loads of stuff! P.S (If you find anything wrong with the snippet of code above, lemme know so i can fix in my latest script __________________ -Beaver6813.com - Web Developer Extraordinaire!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)