PHP variables in the URL

cmdr_bond

Hello,

I was wondering how you can go about making it so that if someone types in: http://www.mysite.com/?variable, the index.php knows to redirect you to, say variable.php. I know you can do it by, www.mysite.com/?a=variable, but can I want it to look a bit "cleaner" and no have the a.

Thanks

laserlight

Use $_SERVER['QUERY_STRING']

cmdr_bond

I'm sorry for acting like a newbie here, but I've never used that code before. Would such a script work?

$result = mysql_query("SELECT * FROM products WHERE ProductType='$_SERVER['QUERY_STRING']'",$db);
if (mysql_num_rows($result) > 0)  {
header("location: producttypes.php?type=$_SERVER['QUERY_STRING']");
}

Or do I actually have to specify the "query_string"?

Thanks

bradgrafelman

That code should work fine. Be careful of running queries based directly off of user-input. Very insecure.

If you have an idea, put it into action and see if it works. If it doesn't, then you should post here and give us the error & code.

cmdr_bond

It actually didnt work but I managed to fix it, I'm guessing it was because there were two sets of '' inside one another:

$serverquery = $_SERVER['QUERY_STRING']'; 
$result = mysql_query("SELECT * FROM products WHERE ProductType='$serverquery",$db); 
if (mysql_num_rows($result) > 0)  { 
header("location: producttypes.php?type=$serverquery"); 
}

Why do you say it's insecure... what kind of malicious code can somone run through this?

bradgrafelman

Extra single quote:

$serverquery = $_SERVER['QUERY_STRING']';

should be:

$serverquery = $_SERVER['QUERY_STRING'];

So, try this:

$serverquery = $_SERVER['QUERY_STRING'];
$result = mysql_query("SELECT * FROM products WHERE ProductType='".$serverquery."'",$db); 
if (mysql_num_rows($result) > 0)  {  

header("location: producttypes.php?type=".$serverquery);

And, to answer your question; if you had the magic quotes thing (for lack of a better term at the moment) off, and had no validation, I could delete your entire database, and any others, assuming I knew their name or was good at guessing.

cmdr_bond

What if I made it first convert the page query string with: htmlspecialchars? Would that save my database from hackers?
So it would be:

$serverquery = htmlspecialchars($_SERVER['QUERY_STRING']); 
$result = mysql_query("SELECT * FROM products WHERE ProductType='".$serverquery."'",$db);  

if (mysql_num_rows($result) > 0)  {   

header("location: producttypes.php?type=".$serverquery);

And just wondering, what kind of code would you have to put for it to delete it.. would you say, for example: www.mydomain.com/page.php?'",$db);\n$result2 = mysql_query(DELETE ...

bradgrafelman

If you dont have the magic_quotes_gpc on ( [man]get_magic_quotes_gpc/man ), you should use [man]addslashes/man .

EDIT: Example 1 on the [man]get_magic_quotes_gpc/man manual page shows an excellent way to properly detect the GPC and add slashes accordingly.