
Bit of a beginner question :p

Discussion in 'HTML, Graphics & Programming' started by Craig321, 28 Mar 2006.

  1. Craig321

    Capodecina

    Joined: 2 May 2004

    Posts: 19,974

    Hi,

    This is very noobish of me, from what I can see this is perfectly safe. I just wanted something simple to help keep the php file numbers to a minimum and nice & neat. Just want my script to be as secure as possible :)

    I can't see any security exploits in this, & I really don't think the strip_tags is necessary, is it?

    The code:
    Code:
    <?php
    
    // Read the requested page; fall back to an empty string when ?page= is absent
    // (avoids an "undefined index" notice before the empty() check below).
    $mode = isset($_GET['page']) ? $_GET['page'] : '';
    
    if (empty($mode))
    {
    	echo 'This is the page that\'s shown if there\'s no mode specified';
    }
    
    else if ($mode == "edit")
    {
    	echo 'This is the page that\'s shown if "edit" is in mode';
    }
    
    else if ($mode == "view")
    {
    	echo 'This page will show someone\'s profile with &uid=id';
    }
    
    else
    {
    	// If none of the above or something invalid is entered then redir to this file which will show the default page.
    	header("Location: ddd.php");
    	// Stop here: a Location header does not end the script on its own.
    	exit;
    }
    
    ?>
    
     
    Last edited: 28 Mar 2006
  2. robmiller

    Capodecina

    Joined: 26 Dec 2003

    Posts: 16,522

    Location: London

    Why strip the HTML out of mode if you're never outputting it?
     
  3. Craig321

    Capodecina

    Joined: 2 May 2004

    Posts: 19,974

    Good point lol, sometimes I make things longer and harder for myself :(

    Ok, I edited it out. Is there no way the above can be exploited then?

    Craig.
     
  4. Pine

    Hitman

    Joined: 5 Jun 2004

    Posts: 515

    Location: Cambridge

    Why don't you use a switch?
     
  5. Craig321

    Capodecina

    Joined: 2 May 2004

    Posts: 19,974

    Are switches safer than what I'm doing?
     
  6. toastyman

    Gangster

    Joined: 30 Dec 2005

    Posts: 421

    Not safer, just more efficient.
     
  7. Craig321

    Capodecina

    Joined: 2 May 2004

    Posts: 19,974

    Ok, will use switches. Thanks :)
     
  8. Craig321

    Capodecina

    Joined: 2 May 2004

    Posts: 19,974

    Ok, I did this:

    Code:
    <?php
    
    switch ($_GET['page']):
    
    case page1:
       echo "page1";
       break;
    
    case page2:
       echo "page2";
       break;
    
    case page3:
       echo "page3";
       break;
    
    default:
       echo "default page";
       
    endswitch;
    
    ?> 
    
    That all looking good and safe? I can't see any way to exploit that myself, but there could be some complicated way. You never know!

    Craig.
     
  9. lookitsjonno

    Mobster

    Joined: 10 Sep 2003

    Posts: 4,318

    Location: Midlands

    Should work with a few E_WARNINGs... surround your cases with quotation marks, as PHP will assume you're trying to use constants.

    e.g.

    case 'page1':

    not

    case page1:
     
  10. Inquisitor

    Capodecina

    Joined: 12 Apr 2004

    Posts: 11,788

    Location: Birmingham

    Looks fine to me. As long as you're not using any user-derived data directly for output/headers or querying with no sanitation, then it should be safe.

    Also, for the sake of consistency, I'd recommend you use C-style syntax for switch-statements:
    Code:
    switch ($foo)
    {
        case "bar":
            // stuff
            break;
        default:
            // stuff
            break;
    }
    
     
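    Pulling the thread's advice together, here is an added example (not code from any poster in this thread) of the single-file "?page=" dispatcher done as a whitelist: the page key is checked against a fixed list with strict comparison, the switch cases are quoted strings, and the only other user-supplied value (the uid for the view page) is cast to an integer before it is used or echoed. The helper names resolve_page and render_view, the page keys and the uid handling are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Helper names and page keys are
// illustrative assumptions.

// Reduce the raw ?page= value to one of a fixed set of keys. Anything that is
// not on the list becomes 'default', so the raw query string value itself is
// never echoed, placed in a header, or passed to a database query.
function resolve_page($raw)
{
    // $_GET values are always strings; in_array with $strict = true avoids
    // PHP's loose type juggling when matching the key.
    $allowed = array('edit', 'view');
    if ($raw !== null && in_array($raw, $allowed, true)) {
        return $raw;
    }
    return 'default';
}

// Render the profile view. The id is cast to int first, so a non-numeric or
// negative value cannot reach output or a query; a bad value becomes 0 and is
// rejected.
function render_view(array $get)
{
    $uid = isset($get['uid']) ? (int) $get['uid'] : 0;
    if ($uid <= 0) {
        return 'No such profile.';
    }
    // Escape on output as a matter of habit, even though $uid is now an int.
    return 'Profile of user #' . htmlspecialchars((string) $uid, ENT_QUOTES, 'UTF-8');
}

$page = resolve_page(isset($_GET['page']) ? $_GET['page'] : null);

// C-style switch with quoted string cases (unquoted words would be treated as
// undefined constants).
switch ($page)
{
    case 'edit':
        echo 'Edit profile page';
        break;
    case 'view':
        echo render_view($_GET);
        break;
    default:
        echo 'default page';
        break;
}
?>
```

    Because resolve_page only ever returns a key from its own list, the switch can never see an unexpected value, and any later use of $page (including in a header or a file path) stays within the set the script author chose.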
  11. Craig321

    Capodecina

    Joined: 2 May 2004

    Posts: 19,974

    Thanks :)

    Also, it's just to keep it so I can basically have multiple pages within one file so I don't have to have tons of files, makes it look neater ;)

    Thanks for the help everyone :)