.htaccess and filtering $_GET - McMap

About

.htaccess and filtering $_GET

Asked 14/10, 2011 at 15:18 Answered 14/10, 2011 at 23:40

Solved .htaccess mod-rewrite url-rewriting filter-var

W

1

5

Hello I am writing a profile page script, in this script I check the value of an incoming $_GET variable and validate that it is an integer, I then validate this value against a $_SESSION value to confirm that they can only access their own accounts. The code looks like this:

// validate $_GET field 
if(isset($_GET['identity']) && filter_var($_GET['identity'], FILTER_VALIDATE_INT, array('min_range' => 1))) {


if(isset($_SESSION['user_identity']) && ((int)$_SESSION['user_identity'] === (int)$_GET['identity'])) { // if session exists and is === $_GET['identity']
// Proceed with code

This works fine for instance if I try to pass '0','2-2','abc' or no value as the $_GET value the query correctly fails and redirects them to the home page.

What I then tried to do was alter my .htaccess file to map the URLs to 'profile/1' just to tidy it up.

RewriteRule ^profile$ profile.php
RewriteRule ^profile/([0-9]+)$ profile.php?identity=$1 [NC,L]

What I found now is that the page doesn't redirect any more using those invalid $_GET parameters above. It just tries to find 'profile/abc.

Does anyone know why?

Windhover answered 14/10, 2011 at 15:18 Comment(0)

I

10

I use this and it works for me:

RewriteEngine On
RewriteBase /
RewriteRule ^profile$ profile.php
RewriteRule ^profile/([a-z0-9\-]+)$ profile.php?identity=$1 [NC,L,QSA]

Now, how did you get profile/abc? if you try to pass letters in the rule it wont work since you only specify numbers ([0-9]+). If you want to pass letters you will need to use:

RewriteRule ^profile/([a-z0-9\-]+)/?$ profile.php?identity=$1 [NC,L,QSA]

Immobility answered 14/10, 2011 at 23:40 Comment(6)

Thanks, I shall try your rules out. I have no idea, it must be something to do with my .htacces rules because the php statements explicitly rule out anything that isn't === an integer and passing the $_GET in the urls unmasked throws everything else out. – Windhover 15/10, 2011 at 15:4

I just tried it, I still get the same result. How strange, maybe it's some quirk in my system. Appreciate your help though – Windhover 15/10, 2011 at 15:43

I have just page specific reWrites currently, I am early in development. They are just removing the trailing .php extension and the one url allows for ^page/sub-category. The .htacces is in my root htdocs folder along with the site itself. To just clarify in my inital post when i said the page now tries to find "profile/abc" it just tries to find any of the bad examples I listed such as "profile/2-2" or "profile/" – Windhover 15/10, 2011 at 15:56

Maybe you have a conflict between rules, can you show the .htaccess? – Immobility 15/10, 2011 at 15:58

let us continue this discussion in chat – Immobility 15/10, 2011 at 15:58

Thanks to the help of Book Of Zeus who a) took the time to find out that the rule should be: RewriteRule ^profile/([a-z0-9\-]+)$ profile.php?identity=$1 [NC,L,QSA] – Windhover 15/10, 2011 at 16:26

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.