LinuxQuestions.org
Old 04-18-2006, 12:11 AM   #1
Manashi
LQ Newbie
 
Registered: Jan 2006
Posts: 27

Rep: Reputation: 15
$_SERVER['QUERY_STRING'] - php


Hi,
my doubt is when we should use $_SERVER['QUERY_STRING'] and
how it actually works...
the code is...

Code:
<?php
// Raw query string, e.g. "id=42"; note that the parameter name is never checked
$tmp = $_SERVER['QUERY_STRING'];
$tmp = explode("=", $tmp);
// Guard the index so a query string with no "=" does not raise a notice
$id = isset($tmp[1]) ? $tmp[1] : '';

if (!$id)
{
    echo "<p>No id passed";
    include("footer.html");
    return;
}
?>

<h3>Question Paper Splitup</h3>
<h4>The exam has been successfully created! Your Exam id is
<?php echo htmlspecialchars($id); ?>.</h4>
Waiting for the reply...
 
Old 04-18-2006, 08:03 AM   #2
graemef
Senior Member
 
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,379

Rep: Reputation: 148
My recommendation would be not to use it. It would be better to access the value via $_GET; that way your program will actually look at the name of the query variable.

You may also want to consider using post and thus the id will not be displayed in the URL, but that depends on the requirements of your system.
 
Old 04-18-2006, 10:44 AM   #3
cdhgee
Member
 
Registered: Oct 2003
Location: St Paul, MN
Distribution: Fedora 8, Fedora 9
Posts: 513

Rep: Reputation: 30
You may also want to consider using $_REQUEST instead of $_GET as suggested - $_REQUEST incorporates the contents of both $_GET and $_POST and so would allow you to switch easily between using GET and POST later without having to recode your page.
 
Old 04-18-2006, 02:32 PM   #4
95se
Member
 
Registered: Apr 2002
Location: Windsor, ON, CA
Distribution: Ubuntu
Posts: 740

Rep: Reputation: 32
Here is a use for QUERY_STRING.
You have a .htaccess file like this:
Code:
<Files some_script>
    ForceType application/x-httpd-php
</Files>
some_script is a php script (w/ the filename some_script).
Now, if you do this:
www.yourdomain.com/some_path/some_script/a/b/c
Then /a/b/c will be passed to some_script. Of course this won't show up in $_GET though, so you use something like explode('/', $_SERVER['QUERY_STRING']) to get access to 'a', 'b', and 'c'. You can do cool stuff w/ this then: suppose you had a store that sold kitchen ware, and one of your categories of products was Tea cozies, then you could have the url www.somedomain.com/store/products/tea_cozies to load up the tea_cozies. On the server though, you would have just one script, called products, that would read whatever was passed as a "directory" (tea_cozies in this case), then use that as the category to display products.
 
Old 04-18-2006, 10:57 PM   #5
cupubboy
Member
 
Registered: May 2003
Location: Bucharest,Romania
Distribution: Fedora Core 7
Posts: 109

Rep: Reputation: 15
Quote:
Originally Posted by cdhgee
You may also want to consider using $_REQUEST instead of $_GET as suggested - $_REQUEST incorporates the contents of both $_GET and $_POST and so would allow you to switch easily between using GET and POST later without having to recode your page.
Actually for security you're better off using either $_GET or $_POST, because using $_REQUEST will allow people to send you GET data when you are expecting POST, for example, and that leads to a less secure system.

Cheers
 
Old 04-19-2006, 11:08 PM   #6
Manashi
LQ Newbie
 
Registered: Jan 2006
Posts: 27

Original Poster
Rep: Reputation: 15
Hi...
thanks to all for the reply..
I have used $_SERVER in my code....
I want to know whether $_SERVER has some security problem;
if yes then I will change it to $_POST.
 
Old 04-20-2006, 08:13 AM   #7
graemef
Senior Member
 
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,379

Rep: Reputation: 148
I would say that using $_POST is slightly safer, although it is more related to how you actually write your code. I'll give you an example:

Let us assume that I have a form with a drop down list of countries and I ask you to select your country. The form will then return a number, being the index of the drop down list.

My code now takes that number and formulates an SQL command:
Code:
SELECT * FROM country WHERE id = $country_code;
If I get the variable $country_code from a post then I'm fairly confident that it is correctly formatted; however, if I got it from $_SERVER it would be easy for me to change the value of the submitted variable from a number to something like this:
Code:
1;SHOW TABLES
or how about
Code:
1;DROP TABLE country
This would then change the above SQL command to essentially two commands. Submitting the variable as a GET is a trivial task, whilst altering a POST is slightly more time consuming.

From a security point of view the real problem lies in my SQL statement, and this really needs to be addressed. But in my view it can't hurt to strengthen the code by using $_POST rather than $_SERVER, although it is only a slight gain over the weakness I have shown above.
 
Old 04-20-2006, 08:38 AM   #8
95se
Member
 
Registered: Apr 2002
Location: Windsor, ON, CA
Distribution: Ubuntu
Posts: 740

Rep: Reputation: 32
From a security standpoint, just putting a post variable in, w/o checking it and/or running addslashes on it, is horrid. Post does offer some other security advantages, but not the one you're talking about. The added complexity doesn't matter; you should be treating GET, POST, and COOKIE variables as unsafe. Where POST DOES have advantages is with people using cross-site attacks. Basically, imagine some site had the command http://www.somedomain.com/forums/deletepost.php?p=2, which would delete a post (2 in this case), but it would only delete it if the person logged in was the site admin. Now let's say someone else sets up a site they know the admin frequents and creates an image tag w/ its src set to http://www.somedomain.com/forums/deletepost.php?p=2. If the original site uses cookies, and the admin's session is still good, then that post will be deleted w/o the admin ever knowing! Post makes this much harder, since things like AJAX only work on the domain they came from.
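As an added example (not code from the thread or from any of its posters), this is how the country lookup from post #7 and the delete action from post #8 look when the value is read by name from $_GET or $_POST, validated, and bound with PDO, and the delete is POST-only with a per-session CSRF token. The PDO connection `$db`, the table names (country, post) and the parameter names (id, p, csrf) are assumptions.

```php
<?php
// Added example, not code from the thread: values are read by name, validated
// and bound into the query; the delete action is POST-only with a CSRF token.
// Table and parameter names (country, post, id, p, csrf) are assumed.
session_start();

// Read a named positive integer from one specific superglobal ($_GET or $_POST),
// never from $_SERVER['QUERY_STRING'] or $_REQUEST; null when absent or malformed.
function readId(array $source, string $name): ?int
{
    if (!isset($source[$name])) {
        return null;
    }
    $id = filter_var($source[$name], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// A bound parameter travels as data, so "1;DROP TABLE country" can never become
// a second statement: the query's structure is fixed by the code.
function findCountry(PDO $db, int $countryCode): ?array
{
    $stmt = $db->prepare('SELECT * FROM country WHERE id = :id');
    $stmt->execute([':id' => $countryCode]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Per-session CSRF token, to be rendered as a hidden field in the delete form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Delete only on POST with a matching token: an <img src=...> on another site
// issues a GET with no token, so the request described in post #8 is refused.
function deletePost(PDO $db, string $method, array $post): bool
{
    if ($method !== 'POST' || !isset($post['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $post['csrf'])) {
        return false;
    }
    $id = readId($post, 'p');
    if ($id === null) { return false; }
    $stmt = $db->prepare('DELETE FROM post WHERE id = :id');
    return $stmt->execute([':id' => $id]);
}
```

For the original poster's page, `readId($_GET, 'id')` replaces the explode of QUERY_STRING, and `deletePost($db, $_SERVER['REQUEST_METHOD'], $_POST)` is the form handler for the delete action.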
 
Old 04-20-2006, 10:10 AM   #9
graemef
Senior Member
 
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,379

Rep: Reputation: 148
Quote:
Originally Posted by 95se
From a security standpoint, just putting a post variable in, w/o checking it and/or running addslashes on it is horrid.
I wasn't trying to imply otherwise
 
Old 04-20-2006, 11:22 AM   #10
wundersuprise
LQ Newbie
 
Registered: Apr 2006
Posts: 6

Rep: Reputation: 0
And remember to always check for magic_quotes.
 
Old 04-20-2006, 05:01 PM   #11
95se
Member
 
Registered: Apr 2002
Location: Windsor, ON, CA
Distribution: Ubuntu
Posts: 740

Rep: Reputation: 32
Quote:
Originally Posted by graemef
I wasn't trying to imply otherwise
OK, sorry for the implication
 