Step 1: Product Detail Page

Have you ever noticed websites that use product names as the page URLs instead of a standard URL like product.php?id=543?

In our tutorial series on building a URL rewriter in PHP, we'll show you how to implement this in your existing website.


Tutorial #1 - Building the Product Detail Page

Here we'll build a product detail page that gets its lookup value from the URL.

I put this code at the top of the page so it retrieves the script URL:

<?php
// Read the request path as the web server reports it (e.g. "/my-product").
$pageName = $_SERVER["SCRIPT_URL"];
// Remove any HTML or JavaScript tags from the value.
$pageName = strip_tags($pageName);
// Remove backslashes.
$pageName = stripslashes($pageName);
// Drop the slashes so "/my-product" becomes "my-product".
$pageName = str_replace("/", "", $pageName);
?>

Then I changed the SQL statement to use the variable $pageName:

pageName = '" . $pageName . "'";

Beware of hackers

One part of this procedure creates a few vulnerabilities. In step one, when you check for an existing file, you actually access the file system of your server.

Usually, requests from the web should have very limited rights, but this depends on how carefully your server is set up. If someone entered ../../../ or something like /.a_dangerous_script, this could allow them to access directories outside your web root or execute scripts on your server. It's usually not that easy, but be sure to check for these possible vulnerabilities.

It's a good idea to strip HTML, JavaScript (and maybe SQL) tags from the query string; HTML and JavaScript tags can easily be removed using strip_tags(). Another wise thing to do is to limit the length of the query string, which you could do with this code:

// Reject any request whose URI is longer than 100 characters.
if (strlen($_SERVER["REQUEST_URI"]) > 100) {
    header("HTTP/1.1 404 Not Found");
    exit;
}

If somebody enters a query string of more than 100 characters, a 404 is returned and script execution stops. You can add these (and other security-related checks) at the beginning of the script.
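Here is an added example, not part of the original tutorial, that combines the two parts above: it pulls the product name out of the request path, validates it against an allow-list and a length limit instead of trying to clean it, and looks it up with a bound parameter rather than concatenating $pageName into the SQL string. It assumes an existing PDO connection in $pdo and a products table with a pageName column; both are assumptions.

```php
<?php
// Added example (not the tutorial's own code). Assumes $pdo is an open PDO
// connection and that a `products` table has a `pageName` column.

function slugFromRequest(string $requestUri): ?string
{
    // Only the path identifies the product; ignore any query string.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $slug = trim($path, '/');

    // Allow-list the characters a product name may contain and bound its
    // length. Anything else (../, encoded slashes, tags) is rejected rather
    // than "cleaned", so it never reaches the file system or the database.
    if ($slug === '' || strlen($slug) > 100
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]*$/', $slug)) {
        return null;
    }
    return $slug;
}

function findProduct(PDO $pdo, string $slug): ?array
{
    // The slug is sent to the database as a bound parameter, separately from
    // the SQL text, so it cannot alter the structure of the statement.
    $stmt = $pdo->prepare('SELECT * FROM products WHERE pageName = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$slug = slugFromRequest($_SERVER['REQUEST_URI'] ?? '');
$product = ($slug === null) ? null : findProduct($pdo, $slug);
if ($product === null) {
    // Unknown or malformed product name: same 404 as in the tutorial.
    header('HTTP/1.1 404 Not Found');
    exit;
}
// Render $product here; escape each field with htmlspecialchars() when echoing.
?>
```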
