We Keep Coding

Prevent end user manipulating URL to change content on website, method GET PHP

I have a personal search site project I'm building, at the moment the only data that is being displayed on the website is data that is retrieved using SELECT queries and the GET method using the super global $_GET['example']. Now I don't know if I'm doing this wrong but some parts of my page are only displayed if certain GET variables in the URL are set or not empty. Below shows how my URL looks
EXAMPLE: index.php?search_category=guitar&main_category=9&postcode_val1=NP22&distance_default=100&submit=search
I have a lot of these if(isset($_GET['search_category']) type conditions in my website which are replied upon and show particular parts of content depending whether or not these are either true or false.
I have been on a lot of other websites that have similar URL's, I have tried to alter and manipulate these and the content does not break, alter or change in any way yet when i try this with my url it breaks my page and only certain parts of content gets displayed by being based on what is set. Is there some other layer of protection I should add, would using something like a rewrite rule help? The code below shows how I have wrote a drop down box based on what has been set In the URL but if a user edits the URL this is easily broken.
if(isset($_GET['search_category']) && isset($_GET['main_category']) &&
isset($_GET['postcode_val1']) && isset($_GET['distance_default']))
{
$stmt = $getFromUi->dispCategories();
echo "<option value='0'>All</option>";
echo "<option value='#'>-------------</option>";
while($row = $stmt->fetch(PDO::FETCH_OBJ))
{
$selected = '';
if(!empty($_GET['main_category']) && $_GET['main_category'] == $row->cat_id)
{
$selected = ' selected="selected"';
}
echo '<option value="'.htmlentities($row->cat_id).'"'.$selected.'>'.htmlentities($row->cat_title).'</option>';
}
}

It will break because the strict nature of logic you use on your code. The && mark with isset mean any parameter you define not set will not evaluate to true. If the parameter is quite flexible why not ||.
If you need it to still evaluate all parameter try to do limit first if condition to main determiner. like $_GET['search_category'] and use the remaining $_GET['other_parameter'] as needed inside the block code of main if.

You would need to use a post method, so that this goes through as a request instead. In my experiance, get will only fetch the url you open - not actually pass anything through unless its in the URL.
Not sure if that made any sense, but check post out.
https://www.w3schools.com/tags/ref_httpmethods.asp is a good place to start to see the difference of get vs post.

Better way of doing isset($variable) and check variable value

I was wondering if there's a better way than what I always do to check the value of a variable that might not be set? For example :
if(isset($_SESSION['super_user']) && $_SESSION['super_user'] == true) {
echo 'hi super user';
}
It would much simpler to just do this :
if($_SESSION['super_user']) {
echo 'hi super user';
}
But I would end up with a notice of undefined index. Is there another way of doing such kind of simple validation or I must stick with my actual way of doing it?
Thanks

if (!empty($_SESSION['super_user'])) {
// ...
}

You could initially set $_SESSION['super_user'] to false and only set it to true if the user is a super user. Then you can always use if ($_SESSION['super_user']) {}.

For the particular example your current code could be shortened to
if(!empty($_SESSION['super_user']))
however, the right way would be
if ($_SESSION['role'] == 'super_user')
I was wondering if there's a better way than what I always do to check the value of a variable that might not be set?
Yes. Always define all your variables. Like one I posted above. Always have a role element for all your users and there will be no need to check if it ever exists.

PHP undefined index error when clicking a url and invoking a php script

I have a call to a PHP script from my home page which I do like this:
echo 'Delete';
So it is pretty standard.
Then in my PHP I have this code:
<?php
// delete_problem
include '../connect.php'; // Here I have db connection settings
error_log ( ".......in delete problem");
$problem_id = mysql_real_escape_string($_GET["problem_id"]);
?>
And the last line where I try to get the problem_id is throwing the undefined index error. Any idea why?
Thanks!

Have you got an actual connection inside connect.php? Or does it just store variables and the like?
mysql_real_escape_string may be causing a problem as if a connection is not available it will fail.
Beyond that, try echoing out the contents of the GET variable. You can also check whether it exists by using (isset($_GET["problem_id"])).

For values coming from the user, always make sure they are present and possibly validate their format.
Use:
if (isset($_GET['problem_id']) && trim($_GET['problem_id']) != '') {
$problem_id = $_GET['problem_id'];
// make sure it is a number
} else {
echo "No problem id given!";
}
That warning appears because the $_GET array doesn't contain a value problem_id, most likely because it was not passed with the URL.

Bleh, all you people with the mysql_real_escape string...
Always check if a variable is set before you try and assign the value of it to another variable.
Also use (int) to cast!!
if (isset($_GET["problem_id"])){
$problem_id = (int) $_GET["problem_id"];
}

Perform action URL is dynamically generated in PHP

I don't know how to easily describe this, here goes nothing...
I am writing a PHP script to perform an action if the URL is a specific URL, however, the URL is /ref/[VISITOR_USERNAME]. I want to set it so that anytime the URL is /ref/[ANY_TEXT], the action will perform.
if($_SERVER['REQUEST_URI'] == '/ref/' . string . '') {
...perform action...
}
How do I tell the script that if the URL is /ref/ and anything following that to perform the action?
Also, I realize there are other, probably better ways to do this, but for the sake of what I am trying to do, I need to do it this way.
Thanks in advance.

if(substr($_SERVER['REQUEST_URI'], 0, 5) == '/ref/') {
...
}

If you want to check for more you can build a regex:
if(preg_match('/\/ref\/.+/', $_SERVER['REQUEST_URI'])) {
...
}

You may just want to revise your Conditional Statement like so:
<?php
// CHECK THAT THE REQUEST URL CONTAINS "ref/[ANY_STRING_AT_ALL_INCLUDING_SLASHES]"
if( preg_match("#ref\/.*#", $_SERVER['REQUEST_URI'])) {
// NOW,GET TO WORK CODER... ;-)
}

including the php page when two variable are set

hello everyone please help me about this problem
i am sending two variable to the main page and now i want to put the check that if these twi variable are true then called the specific page . here is the sample code
http://localhost/admin/admin.php?page=add_user?view=3
now i want when page and view are set then call a specific page like this
if(isset($_GET['page'])=='add_user' && $_GET['page']=='add_user' ) include("user/add_user.php");
in short i want to call this add_user.php when two variable are set up so please suggest for the above line

<?php
// the url would be http://localhost/admin/admin.php?page=add_user
if(isset($_GET['page']) && $_GET['page']=='add_user'){
include("user/add_user.php");
}
?>

if(($_GET['page']=='add_user') && ($_GET['view']=='3')){include("user/add_user.php");}
but in your GET request, separate variable with &, not a second ?

Use double switch
Pseudocode:
switch($_GET['page'])
..
case: 'test':
switch($_GET['view']){
...
}break;
...

If all of the php files are named after the get request. You could do something like:
if((isset($_GET['page'])) && (isset($_GET['view'])))
{
require_once('user/'. $_GET['page'] . '.php');
}
For obviousness: It'd still need to be escaped, or filtered to see if nothing "bad" is being requested.