When the link is correct

Sometimes when I make websites I have a unique link, where the user is clicking (usually from an e-mail) and they end up at www.mypage.com/campaign.php?code=1x2x34jkiureeleWSac

Then I can check the code and see that the user actually did go to the page and save things to my stats.
But, sometimes I’ve noticed that users remove the last bit of code and then go to www.mypage.com/campaign.php
I guess they remove the last part of the URL since they don’t want me to know that they were there or whatever.

So, now I thought about making something to check that the code is actually there. If there is no code in the url, then they’ll be redirected to a page saying that there is no page here. Or that they didn’t enter the correct url or something like that.

I guess people here have a great idea on how to make this or what I should think about when making it.

If I have a table called tbl_user with fields for username, user_code.

I would simply check the $GLOBALS to see if such parameters as code exist then perform an action if it doesn’t.

// Reject the request unless ?code= is present and contains only letters, digits or _
if (!isset($_GET['code']) || (isset($_GET['code']) && !preg_match('/^[\\w\\d]+$/', $_GET['code']))) {
    // Do something here...
    exit;
}

But, what if the user just puts anything else there? Like changing the code or whatever? Wouldn’t it be better to check if the code is in the db in some way?

That is why I left the “//Do something here” comment there since I don’t know what you’re using to connect to the database.

Sent from my iPhone using Tapatalk 2

So, your code is checking if there is something at all after the “code”?
But isn’t just the following enough to check that?

// Only checks that the parameter exists; ?code= with an empty value still passes
if (!isset($_GET['code'])) {
    // Do something here...
    exit;
}

Or what about making a query that is looking for the code in the db.
If there’s no match, then just a header redirect?

Or am I not getting it?

His code reads as:

If $_GET['code'] is not on the command line, OR $_GET['code'] is set and there is something other than 0-9, a-z, A-Z, or _ in $_GET['code'], you will “do something” (btw, Chris, \d would overlap entirely with \w, so it’s redundant to have \d in there)

But isn’t it enough to ask the db if the code is in there. Otherwise do something, like showing another page? I don’t get it.
Because, if the code isn’t correct, then they are not allowed anyway.

That would work, but be careful to sanitize your input before you put it into a query (which, effectively, is what Chris’ regex does; it makes sure that the string is just letters and numbers (and underscores)).

What is that? What else could someone input to make something else?

Simple injection?

if, instead of your code, they put… “'; TRUNCATE codes; SELECT * FROM codes where code = '”…

and you stick it into your script like:

$query = "SELECT * FROM codes WHERE code = '".$_GET['code']."'";

your actual query string becomes…
SELECT * FROM codes WHERE code = ''; TRUNCATE codes; SELECT * FROM codes where code = ''

and then your data go boom.

You never, ever, use variables the user could POSSIBLY TOUCH without sanitizing them, preferably also using prepared statements in your database implementation.
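To make the contrast concrete, here is an added example (not code from any poster in this thread) that builds the concatenated query from the post above and, beside it, looks the code up with a PDO prepared statement. It uses an in-memory SQLite database so it runs without a MySQL server; the table name `codes` is taken from the post, and the sample row is constructed.

```php
<?php
// Added example for this thread: concatenated SQL vs. a prepared statement.
// Uses SQLite in memory (assumption) so it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE codes (code TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO codes (code) VALUES ('1x2x34jkiureeleWSac')"); // constructed row

// The hostile value from the post, exactly as a browser could send it in ?code=
$hostile = "'; TRUNCATE codes; SELECT * FROM codes where code = '";

// 1. String concatenation: the value is pasted into the SQL text, so the
//    quote inside it ends the literal and the rest is parsed as SQL.
function concatenatedQuery(string $code): string
{
    return "SELECT * FROM codes WHERE code = '" . $code . "'";
}
echo "Concatenated SQL text:\n" . concatenatedQuery($hostile) . "\n\n";
// (Not executed here; the printed text is what a permissive driver would run.)

// 2. Prepared statement: the SQL is sent with a placeholder, the value is
//    bound separately, so the quotes and semicolons are compared as data.
function codeExists(PDO $pdo, string $code): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM codes WHERE code = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->fetchColumn() !== false;
}

var_dump(codeExists($pdo, '1x2x34jkiureeleWSac')); // the real code matches
var_dump(codeExists($pdo, $hostile));              // the hostile string simply does not match
// The table still has its one row: nothing in $hostile was parsed as SQL.
var_dump((int) $pdo->query('SELECT COUNT(*) FROM codes')->fetchColumn());
```

Run it with `php example.php` (needs the pdo_sqlite extension, which ships with most PHP builds). The point is the second path: the regex filter from earlier in the thread limits what the code can look like, but the prepared statement is what guarantees the database never interprets the value as SQL, whatever characters it contains.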

So, every time I have a code like that I need to check it before making a query?
Is there a simple line I could add to my pages to do this without starting all over?

Oh, now I found something on that.

So, maybe I should put a code like this on my pages where I’m asking for input?

$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);

And then remove whatever is written before the .php

Like this

$page = substr($page, 20);

Then I would get the things that are in the string, but not the first 19 (or whatever I need to have there).

If I use the sanitize like this:

if (!isset($_GET['code']) || (isset($_GET['code']) && !preg_match('/^[\\w\\d]+$/', $_GET['code']))) {
    // If not correct I put a header redirection sending them to an error page.
    exit;
}

And then have this on the first landing page. Then I thought I could make a session to use for this user to follow them around on the following pages. Then I don’t have to do this sanitize thing on following pages. Right?
Or is there anything else I have to think about here? I’m all new to this.

Or is there anything else I have to think about here?

What you are doing with this regex here is Filtering Input (part of FIEO - Filter Input Escape Output) - so yes, if you are not aware of FIEO then go and read up on it pronto.

So, every time I have a code like that I need to check it before making a query?
Is there a simple line I could add to my pages to do this without starting all over?

Prior to building your SQL query you should be doing the Escape Output part, by using PDO or MySQLi and their prepared statements to protect your db from the SQL injection attack described previously.
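Putting the two halves of FIEO together with the session idea from the landing-page question above, here is an added example of a complete campaign.php (not code from anyone in this thread). It assumes the tbl_user(username, user_code) table named earlier, stands an in-memory SQLite database in for the real MySQL connection, and makes up the 64-character cap on the code and the /no-such-page.php error path.

```php
<?php
declare(strict_types=1);
// Added example for this thread, not any poster's code.
// campaign.php: Filter Input (regex on ?code=), look the code up with a PDO
// prepared statement, redirect on failure, and remember the user in the
// session so the following pages only need to check the session.
// Assumptions: tbl_user(username, user_code) from the thread; SQLite in memory
// instead of MySQL; the 64-char cap and /no-such-page.php are made up here.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');            // replace with your real DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tbl_user (username TEXT, user_code TEXT UNIQUE)');
    $pdo->exec("INSERT INTO tbl_user VALUES ('alice', '1x2x34jkiureeleWSac')"); // constructed row
    return $pdo;
}

// Filter Input: null unless the value is a plain string of 1-64 word characters.
// The is_string() check matters because ?code[]=x arrives as an array, and
// preg_match() on an array throws in current PHP.
function filterCode($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^\w{1,64}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Escape Output towards the database: the code is bound, never concatenated.
function findUserByCode(PDO $pdo, string $code): ?string
{
    $stmt = $pdo->prepare('SELECT username FROM tbl_user WHERE user_code = :code');
    $stmt->execute([':code' => $code]);
    $username = $stmt->fetchColumn();
    return $username === false ? null : (string) $username;
}

// For the pages after the landing page: trust the session, not the URL.
function requireCampaignUser(): string
{
    if (empty($_SESSION['campaign_user'])) {
        header('Location: /no-such-page.php', true, 302);
        exit;
    }
    return $_SESSION['campaign_user'];
}

session_start();
$pdo = connect();

$code     = filterCode($_GET['code'] ?? null);
$username = $code === null ? null : findUserByCode($pdo, $code);

if ($username === null) {
    // Missing, malformed or unknown code get the same response, so the URL
    // gives no hint about which codes exist. Never echo the raw value back.
    header('Location: /no-such-page.php', true, 302);
    exit;
}

// Valid code: fresh session id for this visitor, then record who they are.
session_regenerate_id(true);
$_SESSION['campaign_user'] = $username;
echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

Try it with `php -S localhost:8080` and open /campaign.php?code=1x2x34jkiureeleWSac, then without the parameter. On the following pages, call `requireCampaignUser()` after `session_start()` instead of re-checking the code. Note what the session does and does not buy you: it replaces the code check, but any other GET or POST parameter those later pages read still needs its own filtering and its own prepared statement, and anything you print from the database still goes through htmlspecialchars() (the Escape Output half for HTML).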