How can I secure this little.
#1

[eluser]phantom-a[/eluser]
I created a redirection. Basically they click on a link in the Directory script I'm creating, and it looks like this.

http://example.com/index.php/go/hits/1

Where the 1 on the end of hits is the ID used in the MySQL query to find the corresponding URL. The script loads view/redirect_url.php, where I print the URL in a JavaScript redirect.

But what if that number doesn't exist? What if someone puts some numbers on by purpose or puts letters on it? Right now it will show a blank page. I would like to show a 404 Not Found. This is my code; how can I make an if statement that checks the ID in the query so that if the ID doesn't exist it would echo a not-found error?

Code:
function hits()
    {
    
     $data['title'] = "Redirection..";
     $data['heading'] = "Prepare to be redirected to...";
//Get the URL from the ID
     $data['query'] = $this->db->query('SELECT `url` FROM `links` WHERE `id`='.$this->uri->segment(3).'');
     //update hits
     $this->db->query('UPDATE `links` SET `hits`=hits+1  WHERE `id`='.$this->uri->segment(3).'');
     $this->load->view('redirect_url', $data); // this goes to a page that redirects via JavaScript to the URL.
    }
#2

[eluser]Frank Berger[/eluser]
try this:

Code:
function hits() {
    
     $data['title'] = "Redirection..";
     $data['heading'] = "Prepare to be redirected to...";
     $data['query'] = $this->db->query('SELECT `url` FROM `links` WHERE `id`='.$this->uri->segment(3).'');
     if ($data['query']->num_rows() != 1) { // check if we have exactly one result
        ob_end_clean(); // just in case
        header("HTTP/1.0 404 Not Found",true); // wanna be nice
        echo '404 not found';  // optional
        die; // get outta here
     }

     $this->db->query('UPDATE `links` SET `hits`=hits+1  WHERE `id`='.$this->uri->segment(3).'');
     $this->load->view('redirect_url', $data); // this goes to a page that redirects via JavaScript to the URL.
}

cheers
Frank
#3

[eluser]phantom-a[/eluser]
Thanks Frank, that works. Smile Except for that ob_end_clean(); it makes a PHP error occur.

What about if someone inserts a letter into the ID, like hits/1a?
It throws an SQL error instead.


Quote:A Database Error Occurred
Error Number: 1054
Unknown column '1a' in 'where clause'
SELECT `url` FROM `links` WHERE `id`=1a
#4

[eluser]Frank Berger[/eluser]
Oh ok, wasn't sure if something collected output or not. It's (just) a notice anyway in that case. Remove the ob_end_clean(), no harm anyway.

for your other problem, 2 possibilities:

1.) if you want to force the query to work do it like this:
Code:
$data['query'] = $this->db->query('SELECT `url` FROM `links` WHERE `id`='.intval($this->uri->segment(3)).'');
in this case it will be converted into an int, no matter what. The conversion will be as follows:
2 => 2
'2a' => 2
'a2' => 0
'a' => 0
you can then for example insert a URL with id=0 which is an error page in fact, or just don't insert a 0 and let the failover catch it.

it is btw good practice to do the intval anyway, to catch 'misgivings'

2.) you can qualify your input:
Code:
function hits() {
     $data['title'] = "Redirection..";
     $data['heading'] = "Prepare to be redirected to...";
     $data['query'] = false; // unset/reset the query in case we don't create it
     if (is_int($this->uri->segment(3)) $data['query'] = $this->db->query('SELECT `url` FROM `links` WHERE `id`='.intval($this->uri->segment(3)).''); // only execute if the id is an int

     if (!is_object($data['query']) || $data['query']->num_rows() != 1) { // check if we have an executed query and exactly one result
        header("HTTP/1.0 404 Not Found",true); // wanna be nice
        echo '404 not found';  // optional
        die; // get outta here
     }

     $this->db->query('UPDATE `links` SET `hits`=hits+1  WHERE `id`='.intval($this->uri->segment(3)).'');
     $this->load->view('redirect_url', $data); // this goes to a page that redirects via JavaScript to the URL.
    
}

hope this helps better Smile

cheers
Frank
edit: it's is_int, not isint
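An added example, not code from the thread or from CodeIgniter, that puts the two ideas above (convert with intval() versus refuse anything that is not an integer) next to the concatenation pattern from the original posts. It runs stand-alone on PHP with the PDO SQLite driver (assumed available); the table, the two rows and the payload strings are constructed for the demo. In a CodeIgniter controller the bound query is `$this->db->query('SELECT `url` FROM `links` WHERE `id` = ?', array($id))` and the not-found branch is `show_404()`. Two things the example makes visible: `is_int()` is false for every string, so a URI segment never passes it and `ctype_digit()` is the string-aware test; and the `num_rows() != 1` check on its own does not protect a concatenated query, because a segment such as `0 UNION SELECT '...'` returns exactly one row.

```php
<?php
// Added example (not from the thread): strict validation of the URI segment
// plus a bound parameter, beside the thread's string-concatenation pattern.
declare(strict_types=1);

/**
 * Return the link ID as an int, or null if the segment is not a positive
 * decimal integer. Unlike intval(), '1a', 'a2', '' and 'x OR 1=1' are all
 * rejected instead of being silently turned into 1 or 0.
 */
function parse_link_id(?string $segment): ?int
{
    if ($segment === null || $segment === '' || !ctype_digit($segment)) {
        return null;
    }
    if ($segment[0] === '0' || strlen($segment) > 18) {
        return null;            // no id 0 / leading zeros; stays inside a 64-bit int
    }
    return (int) $segment;
}

/**
 * The pattern from the original posts: the raw segment is concatenated into
 * the SQL and only the row count is checked afterwards. Kept here purely to
 * show the difference; do not use it.
 */
function vulnerable_lookup(PDO $db, string $segment): ?string
{
    $rows = $db->query('SELECT url FROM links WHERE id=' . $segment)
               ->fetchAll(PDO::FETCH_COLUMN);
    return count($rows) === 1 ? $rows[0] : null;   // the num_rows() != 1 check
}

/**
 * Hardened version: validate first, then query with a placeholder.
 * Returns the URL, or null when the caller should answer 404.
 * The hit counter is only touched when exactly one row matched.
 */
function resolve_link(PDO $db, ?string $segment): ?string
{
    $id = parse_link_id($segment);
    if ($id === null) {
        return null;                               // bad input: no query is run
    }
    $sel = $db->prepare('SELECT url FROM links WHERE id = ?');
    $sel->execute([$id]);
    $rows = $sel->fetchAll(PDO::FETCH_COLUMN);
    if (count($rows) !== 1) {
        return null;                               // unknown id
    }
    $upd = $db->prepare('UPDATE links SET hits = hits + 1 WHERE id = ?');
    $upd->execute([$id]);
    return $rows[0];
}

// Constructed sample data (in-memory SQLite, stands in for the MySQL table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL, hits INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO links (id, url) VALUES (1, 'http://example.com/one'), (2, 'http://example.com/two')");

// Constructed inputs: valid ids, the '1a' from the thread, and two payloads.
$segments = ['1', '99', '1a', 'a2', '0', '0 OR 1=1', "0 UNION SELECT 'http://evil.example/'"];

foreach ($segments as $seg) {
    try {
        $concat = vulnerable_lookup($db, $seg) ?? '404 (row count != 1)';
    } catch (PDOException $e) {
        $concat = 'SQL error';                     // what the thread saw for '1a'
    }
    $bound = resolve_link($db, $seg) ?? '404 (rejected or not found)';
    printf("%-42s concat: %-30s bound: %s\n", var_export($seg, true), $concat, $bound);
}
```

The last line of the output is the one to look at: with concatenation, the UNION payload comes back as a single row, so the row-count check passes and the view would redirect visitors to an attacker-chosen URL; with validation and a bound parameter it never reaches the database.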
#5

[eluser]phantom-a[/eluser]
Once again Frank thanks Smile
Your method didn't work; it threw a parse error, unexpected T_VARIABLE, on the line
Code:
if (is_int($this->uri->segment(3)) $data['query'] = $this->db->query('SELECT `url` FROM `links` WHERE `id`='.intval($this->uri->segment(3)).''); // only execute if the id is an int


But I didn't know about intval() and I'm always up for learning about the variable handling functions. It was great you mentioned this. So I thought of just passing the segment ID into it first and then passing it into the query, as you see in my code,
which now works 100%. Smile
Code:
     $data['title'] = "Redirection..";
     $data['heading'] = "Prepare to be redirected to...";
     $URL_ID = intval($this->uri->segment(3)); //Turn into integers so no wankers try to pass letters into the query
     $data['query'] = $this->db->query('SELECT `url` FROM `links` WHERE `id`='.mysql_real_escape_string($URL_ID).'');
     if ($data['query']->num_rows() != 1) { // check if we have exactly one result

        header("HTTP/1.0 404 Not Found",true); // wanna be nice
        echo '404 not found';  // optional
        die; // get outta here
     }
    
    

     $this->db->query('UPDATE `links` SET `hits`=hits+1  WHERE `id`='.mysql_real_escape_string($URL_ID).'');
     $this->load->view('redirect_url', $data); // this goes to a page that redirects via JavaScript to the URL.
}
#6

[eluser]Crimp[/eluser]
CI has built in error handling. It's very handy. See the user guide. I like the custom template for situations where people may speculate in an article ID or similar; you can then put up a page stating that the article in question is not available and offer some options for redirection.
#7

[eluser]phantom-a[/eluser]
[quote author="Crimp" date="1220874905"]CI has built in error handling. It's very handy. See the user guide. I like the custom template for situations where people may speculate in an article ID or similar; you can then put up a page stating that the article in question is not available and offer some options for redirection.[/quote]

Ah, good call. So I changed my code to this:

Code:
if ($data['query']->num_rows() != 1) { // check if the ID exists or 404 page
  show_error('The Link requested was not found');
     }

Which looks better, showing the nicely CSS-styled CI 404 page.
#8

[eluser]Sumon[/eluser]
It's not 404, by the way. It's error_general.php, not error_404.php Wink