address bar issue 1

[ruler1]

hmm im not sure how to solve this problem so i thought someone here might have an easy solution. the problem is if someone was to view a page on my site such as mydomain/mypage.php?mode=edit&id=4 it all works great but if someone adds another character right after the last number something like ?mode=edit&id=4' or ?mode=edit&id=4blabla it messes up the page and will bring up the wrong page most of the time

this is the code i have been working with to 'try' and prevent it but i cant figure out how to remove excess characters from being added/eccepted.
any help would be great. thanks

if ( isset($HTTP_GET_VARS[id]))
{
$hubnum = intval($HTTP_GET_VARS[id]);
}
if ( isset($HTTP_GET_VARS[mode]) && $HTTP_GET_VARS[mode] == 'edit')
{
$emode = $HTTP_GET_VARS['mode'];
}

if (!$emode || !$hubnum)
{
message_die(GENERAL_MESSAGE, 'Item_Not_listed');
}

 

[lgarner]

Maybe some Javascript would do it. As far as PHP goes, just add some more validation.

One way would be to use is_integer() to reject non-numeric values.

 

[ruler1]

i prefer not to use any java for this, i am trying desperatly to keep it all php. i know i can use something like preg_match or something like that but i was hoping there might be a way to just chop off anything after a number? for instance if the ID entered was 4t45 it would chop off the t45 and just leave the first 4
i have googled and searched a lot of sites but im not even sure what to look for or what keywords to use when searching. its an unusual problem

 

[vacunita]

Is the number always going to be a one digit number?
If so: you could just get the first character of the value and use that.

You can't actually prevent people from writing into the address bar, and yes adding extra characters will happen.

What you do is validate the information being passed. If its not numeric or it does not match up with anything you are ready to display, you ignore it and send back an error message.

But you don't usually code to guess at what the user may have meant. If its not as expected, then you send an error message.







----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[ruler1]

the ID (last number) isnt wont always be a single didgit number, it can be anything from 1 - 35565 but it will always be numbers only never any letters or odd characters. ive seen some sites where ive tested this and if i add an odd character like ' at the end it will simply remove it and use the numbers only. this has been a headache for the last few days now and i am no where closer to solving it than the day i started. i was also concerned about SQL Injection attempts so i thought it best to have it fixed before making it public

 

[vacunita]

In that case, something like this will remove anythng that is not numeric from the value:

[green]\\Get value for url querystring[/green]
$pid=$_GET['id'];
[green]\\get length of variable[/green]
$c=strlen($pid);
[green]\\initialize other needed variables[/green]
$i=0;
$value="";
[green]\\Loop through variable to get all the numeric parts[/green]
while($i<$c){
if(is_numeric($pid[$i])){
$value.=$pid[$i];
}
$i++;
}

echo $value;

id=23da45 $value=2345
id=1242' $value=1242
id=aabs1cp $value=1

It will strip out anything that is not a number.





----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[ruler1]

you are a star, that worked perfectly if only i asked sooner i could have saved so much time.
many thanks for your help i am so greatful. not sure if i can mark my posts as solved. thank you once again, brilliant

 

[vacunita]

Glad I could help.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.