let say I have a post that can be found on page post.php?pid=60 but if the user changes the url to post.php?pid=95 the page is displayed all weird is
there a way I can have them redirected to another page that says post dosn't exist or something? If so how would I do this? And is this the best way to handle none existent pages? If not what is preferred?
I'm using PHP & MySQL if that helps.
get the post from DB by the given $_GET["pid"]
if a post is found (ie. given pid existed)
then display it normally
else include the error page content / use header to redirect to the error page, etc.
Hope the logic helps you
well, you could try to select the post from the database, and if the query brings nothing you redirect to the page that shows all posts. it makes more sense to me than exhibiting a "page not found" message (in this case). the idea is something like this:
$result = query('SELECT * FROM posts WHERE id=60');
if( ! $result)
redir('all_posts.php');
this is just for picturing the problem. i'm assuming that the query function returns false, null or even an empty array if no rows are returned, instead of the usual mysql resource.
just remember to add an exit; (could be in the redirect function) to not let the page renders all weird.
You should be checking if there is data being returned in the database, if there is not then you display the error message.
Do you have any supporting code? Here is a mock-up:
$pid = isset($_GET['pid'])?(int)$_GET['pid']:0; // use the ternary operator to set a default value
if (!empty($pid) {
$res = mysql_query("SELECT columns FROM table_name WHERE pid = $pid") or trigger_error('MySQL Returned: ' . mysql_error());
$rows = mysql_num_rows($res);
if ($rows > 0) {
// display the data
}else {
// There is no data so display the no-data page
}
}
It may not work exactly for you, as you will have to tweak it, but should give you a rough idea.
Related
I am trying to setup a PHP document but I currently am looking for a way to use the die() function and display some content on every page using my global configuration file. The way I am think how it should work is that IF the requested URL (e.g. domain.com/services/disabledservice) would have /services/disabled service and a value of 1 to make the value true in a MYSQL DB.
The plan is to have the URL be collected and checked with a table than if the row has a value of 1 for status it will display a disabled page message but if it’s 0 it will load normally.
Some research I have conducted may lead be to think that using the SQL query and the if function could work for this.
The idea I have is this but it may not be correct.
<?php $pageurl = [requested URL content here]
$checkstatus = "SELECT * FROM servicestatus WHERE page =" . $pageurl . "AND status = 1";
if ($status = mysqli_query($conn, $servicestatus)) {
if (mysqli_num_rows($status) = 1) { ?> html content here
<?php }
} else { ?>
page as normal
<?php } ?>
Edit:
To explain what I am trying to do.. I am trying to fetch the URL without everything past “?” Than I am trying to use that in a DB query to check with the database if that has a value of “m” or “d” and if it has one of those values next to the URL which is being fetched it will display the appropriate error page. This is being included as part of my core configuration file which includes my “$conn” and the core values for most stuff. The problem I am facing is that when I send my URL without everything past the “?” I am not receiving my error page and everything is loading like normal.
Use any one the following php functions:
include 'path_to_the_page.php' (or) require 'path_to_the_page.php';
The difference between include and require arises when the file being included cannot be found: include will emit a warning ( E_WARNING ) and the script will continue, whereas require will emit a fatal error ( E_COMPILE_ERROR ) and halt the script.
I have a personal search site project I'm building, at the moment the only data that is being displayed on the website is data that is retrieved using SELECT queries and the GET method using the super global $_GET['example']. Now I don't know if I'm doing this wrong but some parts of my page are only displayed if certain GET variables in the URL are set or not empty. Below shows how my URL looks
EXAMPLE: index.php?search_category=guitar&main_category=9&postcode_val1=NP22&distance_default=100&submit=search
I have a lot of these if(isset($_GET['search_category']) type conditions in my website which are replied upon and show particular parts of content depending whether or not these are either true or false.
I have been on a lot of other websites that have similar URL's, I have tried to alter and manipulate these and the content does not break, alter or change in any way yet when i try this with my url it breaks my page and only certain parts of content gets displayed by being based on what is set. Is there some other layer of protection I should add, would using something like a rewrite rule help? The code below shows how I have wrote a drop down box based on what has been set In the URL but if a user edits the URL this is easily broken.
if(isset($_GET['search_category']) && isset($_GET['main_category']) &&
isset($_GET['postcode_val1']) && isset($_GET['distance_default']))
{
$stmt = $getFromUi->dispCategories();
echo "<option value='0'>All</option>";
echo "<option value='#'>-------------</option>";
while($row = $stmt->fetch(PDO::FETCH_OBJ))
{
$selected = '';
if(!empty($_GET['main_category']) && $_GET['main_category'] == $row->cat_id)
{
$selected = ' selected="selected"';
}
echo '<option value="'.htmlentities($row->cat_id).'"'.$selected.'>'.htmlentities($row->cat_title).'</option>';
}
}
It will break because the strict nature of logic you use on your code. The && mark with isset mean any parameter you define not set will not evaluate to true. If the parameter is quite flexible why not ||.
If you need it to still evaluate all parameter try to do limit first if condition to main determiner. like $_GET['search_category'] and use the remaining $_GET['other_parameter'] as needed inside the block code of main if.
You would need to use a post method, so that this goes through as a request instead. In my experiance, get will only fetch the url you open - not actually pass anything through unless its in the URL.
Not sure if that made any sense, but check post out.
https://www.w3schools.com/tags/ref_httpmethods.asp is a good place to start to see the difference of get vs post.
I have a database with just over 800 data.
product table
pid name p_page
1 money money.php
2 gold gold.php
3 .
. .
. .
800 .
I have 2 pages...
product_item.php
<div class="button">
View
</div>`
when you click view the product info is pass to product.php
in here i have
if (isset($_GET['pid'])) {
depending on what product the user clicked on the URL might look like something below but the 44 will change to whatever id
http://www.example.x10.mx/money.php?pid=44
the problem with this, is that money.php have a different layout to the other pages and if I change 44 to 68, the product info will show on the page but the layout will not look good.
My question
what is the best way for me to stop users from being able to change the url.
I want to encrypt all my pid in the url so it will look something like
http://www.example.x10.mx//money.php?sel=the product name here or 4 letters or anything
I just want to take away pid from the url.
Please help me. If you dont understand my question please ask in the comment and try and say what you think you understand.
Edited to show my fetch function
$php = "php/";
$apages = "account/";
$bpages = "booking/";
$gpages = "general/";
$ppages = "product/";
// Global functions
function fetchdir($dir)
{
$protocol = $GLOBALS['protocol'];
$host = $GLOBALS['host'];
($dir == $GLOBALS['apages'] || $dir == $GLOBALS['bpages'] || $dir == $GLOBALS['ppages'] || $dir == $GLOBALS['gpages'] ? $branch = $GLOBALS['pagebranch'] : $branch = $GLOBALS['branch']);
echo $protocol.$host.$branch.$dir;
}
Thanks
p.s. I dont know if this can be done in .htaccess but i think it can be done in php
Some clarification:
I have a url which looks like this
www.example.com/account/product.php?pid=1
the problem with this is that someone can change 1 or any number and if they is a pid in the database with that number it will get the items information and display on the page. Which I don't want to happen because not all product are meant to be display in some pages.
In the papge which i show all my available product. I simple uses a SELECT statement and then echo what I need in some div.
In that page I have a view button.
$stmt = $conn->prepare("SELECT * FROM Product WHERE Type = 'shoes'");
$stmt->execute();
$i = 0;
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
$id = ($row['pid']);
$product_page ($row['dir_page']);
<div class="button" >
<a href = "<?php fetchdir($apages) ?><?echo $product_page?ProdID=<?php echo $id>" > View</a >
</div >
}
Depending on the page that information is getting sent to when you click on view I use Get method
<?php
if (isset($_GET['pid'])) {
// Connect to the MySQL database
dbconnect();
$id = preg_replace('#[^0-9]#i', '', $_GET['pid']);
}
If you notice in my select statement used type to show only the product which type is shoes. I have other types as well, which as their other pages. Now the problem is if i change the pid to any page that doesn't have a type of shoes or if an in the other pages and enter a pid which type is shoes or anything, the information from that page will still render. Which I don't want to happen.
My question
how can i stop users from changing that pid and even if they change it. they will still be on the same page?
The problem isn't having the PID in the URL, it is having the template name in the URL.
Store the template name in the database (you are doing this already), and use that to determine what HTML to wrap the data in instead of putting it (money.php) in the URL.
Move your templates out of the web root (they shouldn't be hit by users directly), have a single index.php and then include() the template based on the data in the database.
You cannot prevent someone from changing the URL or from requesting arbitrary URLs. Your server (i.e. your app) has to decide how to respond to an invalid request. If you don't want to display certain things publicly, flag them as such in your database, test for that flag and simply refuse to output anything if that flag is hit.
Make the server respond negatively if something doesn't fit your conditions; don't expect the user to behave correctly.
Assuming that PID is a autoincrement value, you can still obfuscate it. Add another column in the table that contains a randomly-generated key (using uniqid or some derivative). Then use that key in your URL. You'll get something like: www.example.com/account/product.php?pid=II8GypI6H93Ij. This doesn't guarantee that someone won't find it, but it's good enough in most instances.
Check for allowance in the Database
Depending on your level of programming skills, in the database you could add a field or a relational table that relates the ID of the pages to allowed page templates (I'm guessing you're talking about templates.)
Then in the code you can make it so the page checks this database to see if the page contents are allowed to show. Something like:
$query1 = "SELECT * FROM Product WHERE Type = 'shoes' and allowedTemplate='1'";
This way you won't have to hardcode everything into the code itself. On the backend (if there is a CMS) then you could have checkboxes indicating the relationships to the templates and prefill them by default.
You'll need to make the site so something with that stuff though.
Your other option
You could use clean urls (which used to be better for SEO) to show real words instead of the IDs. Then you can use .htaccess tricks to convert the URIs to their ID counterparts with a dynamic RewriteMap.
Hey guys,
PHP and MySQL newguy here. Wrote this php file which display the content of a row relative to the ID stated in the URL ( eg row 3 is file.php?id=3 ), heres the source: http://pastie.org/1437017
If I goto an id to which the relative row does not exist (eg .php?id=99999999999999), what do I put to in to get it to redirect to another page or echo 'FAIL'. I though about using the if command, but couldn't figure out the syntax. I also looked around the web, but no avail.
Thanks guys
You have the following line:
$name=mysql_result($result,$id,"name");
If there is no row with the id $id, $name will be false. You could therefore do the following:
if (!$name) {
header('Location: http://yoururl.com');
die();
}
Better yet would be to modify your query to this:
$query="SELECT * FROM likes where id=$id";
and then do
if (!$num) {
header('Location: http://yoururl.com');
die();
}
where $num is the number of row returned, as set in your existing code.
Edit As noted elsewhere in this question, it is probably better to serve a 404 Not Found page with appropriate content, rather than redirecting to another page. I can just about imagine a situation where redirection is appropriate, but if your redirection page says "item not found", this is the wrong approach.
I'd redesign your query to something like
SELECT * FROM table WHERE id = $id;
where $id is the $_GET value - sanitised of course.
if that query returns any results (mysql_num_rows($result)==1)
then you know a valid record has been found. If not, the id doesn't exist, so you can throw an error/redirect.
mysql_num_rows() gives you the number of rows in your select, so if that value is 0, you know there isnt any row with that given id.
if (mysql_num_rows($result)==0){
echo "There are no rows with this id";
}else{
// Your normal code
}
Here's a situation, i have a list of support tickets that when you click the title of the ticket takes you to a page that displays the ticket in more detail. If uses URL GET variables to query the database. I've taken SQL injection into account but what if someone modifies the url to an id that doesn't exist? whats the best way to deal with that?
Thanks,
Jonesy
If the ID does not exist, send a 404 - Not Found header along with a nice error page telling the user that it wasn't found.
You probably have to make a page handling unsuccessful searches anyway; just route it in there. Then you can help the user to find what (s)he searches in a consistent way, provide cues and "most-searched-after" and what not.
This may seem too simple, but you should always validate your GET (or POST) variable before doing anything with them. In your case, just verify that the ID exists in the database. If it doesn't, inform the user.
You should always check if your query returned anything. If it returned 0 rows, the ID doesn't exist.
<?php
$result = mysql_db_query("your query", $link);
$num_rows = mysql_num_rows($result);
if($num_rows < 1) {
// row with that id doesnt exist
// do whatever you want
} elseif($num_rows > 1) {
// you have problem with your ids in db
} else {
// everything went fine
// do your thing here
}
?>
Check if the ticket exists; if not, react accordingly. What "react accordingly" means is determined by your business logic: create a new ticket? raise an error? take the user to a list of available tickets?
An example using the old mysql extension for brevity:
$sanitized_numeric_id = (int) $_GET['ticket_id']; // assuming id is numeric
$query_resource = mysql_query('SELECT `somecolumn`, `column2`, `othercolumn`
FROM `tickets`
WHERE `id`= ' . $sanitized_numeric_id);
if (mysql_num_rows($query_resource) > 0) {
// the ticket exists, do something with it
} else {
// the ticket doesn't exist, react accordingly
}