PHP
Dmitry, 2014-05-03 11:15:43

How do I correctly check the URL entered in the browser's address bar for security?

While developing one of my next small projects, I asked myself about the security of the data received from the user, or rather of the URL entered in the browser's address bar.
In short, the site follows the MVC pattern: the URL is divided into segments, one of which points to the desired controller, another to the action, and so on. So, before starting to work with the URL, I would like to check the entered data for correctness, and this is not even about validity but about security, i.e. so that there are no "dangerous" strings in the address.
Has anyone solved such a problem? Is there a universal method? Let's say, to exclude all kinds of SQL injections, protocol designations and other "terrible" words from the address.


3 answers
CloudMonster, 2014-05-03
@CloudMonster

I use this approach.
If you have something like this:
/index.php?page=album&albumId=21&photoId=3547336
parse each parameter via $_GET['album'], $_GET['page'], $_GET['photo'],
and check that albumId and photoId contain nothing but an int,
and that page does not contain the ' character.
Or, so as not to parse each parameter, you can do this: instead of $_GET, use $_SERVER["QUERY_STRING"].
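The parameter checks described in this answer, written out as an added example (this is not code from the original answer): every query parameter is matched against an allow-list schema, ids are accepted only as positive integers, and unexpected or non-scalar parameters are rejected rather than ignored. The parameter names and the set of known pages are assumptions taken from the sample URL; the query strings at the bottom are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer): allow-list validation of the
// query parameters of a URL like /index.php?page=album&albumId=21&photoId=3547336.
// The parameter names and the list of known pages are assumptions.

/**
 * Validate a positive integer id. Returns null for anything that is not a
 * decimal integer within range, so "21abc", "-1", "1e3" and "0x15" are all rejected.
 */
function validateId(string $raw, int $max = PHP_INT_MAX): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

/**
 * Validate a parsed query array (normally $_GET) against a fixed schema.
 * Returns a clean, typed array or throws on the first bad parameter.
 */
function validateQuery(array $query): array
{
    $knownPages = ['album', 'photo', 'search'];   // assumed set of pages
    $schema = [
        'page'    => 'enum',
        'albumId' => 'id',
        'photoId' => 'id',
    ];

    // Anything outside the schema is an error, not something to silently drop.
    $unexpected = array_diff(array_keys($query), array_keys($schema));
    if ($unexpected !== []) {
        throw new InvalidArgumentException('Unexpected parameter(s): ' . implode(', ', $unexpected));
    }

    $clean = [];
    foreach ($schema as $name => $type) {
        if (!array_key_exists($name, $query)) {
            continue; // optional here; the controller decides what it requires
        }
        $raw = $query[$name];
        if (!is_string($raw)) {
            // ?albumId[]=1 arrives as an array, never as a string
            throw new InvalidArgumentException("$name must be a scalar");
        }
        $value = match ($type) {
            'enum' => in_array($raw, $knownPages, true) ? $raw : null,
            'id'   => validateId($raw),
        };
        if ($value === null) {
            throw new InvalidArgumentException("Invalid value for $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Constructed inputs for demonstration. parse_str() does the same parsing
// PHP applies to $_SERVER['QUERY_STRING'] when it builds $_GET.
$good = [];
parse_str('page=album&albumId=21&photoId=3547336', $good);
var_dump(validateQuery($good));

foreach (["page=album'&albumId=21", 'page=album&albumId=21abc', 'page=album&albumId[]=1', 'page=album&debug=1'] as $qs) {
    $params = [];
    parse_str($qs, $params);
    try {
        validateQuery($params);
    } catch (InvalidArgumentException $e) {
        echo "$qs -> rejected: {$e->getMessage()}\n";
    }
}
```

The validated array is what the controller works with; the raw $_GET is never touched again. Input validation of this kind narrows what reaches the application, but the database layer should still use prepared statements regardless, since the validator has no way of knowing how a value will be used downstream.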

svd71, 2014-05-03
@svd71

You can do it in the browser, but it is useless. Not all browsers use the same plugins, and not all hacks are done through a browser. Moreover, it is the server that is attacked, so the means and checks need to be on the server.
We get an array of the values entered in the browser address bar: $ar = explode('/', $_SERVER['REQUEST_URI']);
The resulting array needs to be checked for the correctness of the input, so that the controllers exist, the required data too, and only then respond to the processing of this request.
In addition, you also need to check the $_POST array. It can also carry the data needed for hacking.
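The server-side check this answer describes, as an added example (not code from the original answer): the request path is split into segments, each segment is percent-decoded separately and restricted to a plain token, and the controller and action are looked up in a fixed dispatch table. Because nothing from the URL is ever used as a file name, class name or query fragment, there is no list of "dangerous words" to maintain; anything not in the table is simply a 404. The route table and the sample request URIs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer): routing by allow-list.
// The controller and action names below are assumptions.

// Assumed dispatch table: controller => list of allowed actions.
const ROUTES = [
    'album' => ['index', 'show'],
    'photo' => ['show'],
];

/**
 * Resolve a raw request URI (as found in $_SERVER['REQUEST_URI']) into
 * ['controller' => ..., 'action' => ..., 'params' => [...]], or null when
 * the URL does not match a known route.
 */
function resolveRoute(string $requestUri, array $routes = ROUTES): ?array
{
    // Only the path is routed; the query string and fragment are dropped here.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }

    // Split first, then percent-decode each segment on its own, so an encoded
    // "%2F" cannot create a new segment boundary. Empty segments are dropped.
    $segments = array_values(array_filter(
        array_map('rawurldecode', explode('/', $path)),
        static fn(string $s): bool => $s !== ''
    ));

    // Every segment must be a short, plain token. This rejects "..", quotes,
    // spaces, NUL bytes and "http:" before anything else looks at them.
    foreach ($segments as $s) {
        if (preg_match('/\A[a-z0-9][a-z0-9_-]{0,31}\z/', $s) !== 1) {
            return null;
        }
    }

    $controller = $segments[0] ?? 'album';   // "/" routes to the default page
    $action     = $segments[1] ?? 'index';

    // Allow-list lookup: an unknown controller or action is a 404, not a call.
    if (!isset($routes[$controller]) || !in_array($action, $routes[$controller], true)) {
        return null;
    }

    // Remaining segments are positional parameters; in this example they are
    // album/photo ids, so each must be a positive integer.
    $params = [];
    foreach (array_slice($segments, 2) as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null;
        }
        $params[] = $id;
    }

    return ['controller' => $controller, 'action' => $action, 'params' => $params];
}

// Constructed request URIs for demonstration. In the application this is
// $_SERVER['REQUEST_URI'], and the same resolution runs for POST requests too.
$samples = [
    '/album/show/21?ref=home',
    '/photo/show/3547336',
    '/album/../../etc/passwd',
    "/album/show/21'%20OR%201=1",
    '/Album/Show/21',          // case is part of the allow-list
    '/admin/export',           // not in the table
    '/album/show/21%2Fextra',  // decodes to "21/extra", rejected as a token
];
foreach ($samples as $uri) {
    $route = resolveRoute($uri);
    printf("%-32s => %s\n", $uri, $route === null ? '404' : json_encode($route));
}
```

The dispatcher then calls the controller method named by the resolved route; because both names come from the table and not from the URL, the front controller never builds a class name, file path or query from user input. Data in $_POST goes through the same kind of per-field validation as the route parameters before any controller sees it.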

Vlad Zhivotnev, 2014-05-04
@inkvizitor68sl

habrahabr.ru/post/145241 - use nginx+NAXSI.
