[GLLUG] [ot]php/javascript web devel

Jason D. Justman justmanj@msu.edu
Sat, 16 Feb 2002 22:37:50 -0500


If you are posting it, then why not just include a

<input type="hidden" name="url" value="<?php echo $REQUEST_URI ?>">

or

<a href="http://www.whatever.com?url=<?php echo $REQUEST_URI ?>">

to the posting <form>'s tag?  Then you now have $url to work with in your new
script..  The problem is (passing $REQUEST_URI) I'm assuming you aren't checking
the validity of the $url now presented to you.  You open yourself up to the
possibility of what's called the 'cross site scripting vulnerability'..
essentially taking untrusted user data from your script and using it.

There are a bunch of different ways to do it.  And a bunch of ways to do it
which might be baaaad..

You should really be checking to see if the url you are going to be including in
the email is in fact a valid email.  And check for those pesky <script> tags..
Even if it is over email, sometimes people like to urlencode links, which can
hide <>'s..    Similarly, add in checks to see if the same host isn't requesting
the same article sent to the [same][multiple] users ;).  You've done all that,
right?

A more complex way is to pass along some kind of unique identifier (not an
AUTO_INCREMENT field from a db, please, that's too guessable) such as an md5 hash
(limited to say..  16 characters)...  and then verify the data from the
corresponding entry from a db..  Otherwise, it's probably not valid..  Likewise,
you could parse the $REQUEST_URI, but that's also complex..

j
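As an added example (not code from the original post), here is a PHP handler that applies the checks above: the article is looked up by an opaque 16-character token instead of trusting a user-supplied $url, the recipient address is validated, the note is URL-decoded before looking for <>, and the same host is throttled on the same article. The $ARTICLES array stands in for the db lookup, and all function names are assumptions.

```php
<?php
// Added example, not code from the original post. Hardened "e-mail this to a
// friend" handler: article found by an opaque token (not a guessable
// AUTO_INCREMENT id), recipient and note validated after URL-decoding, output
// escaped. $ARTICLES is a constructed stand-in for the db table.
declare(strict_types=1);

$ARTICLES = [
    '9f3b7c2e1a4d8b06' => 'http://www.whatever.com/news/2002/02/16/story.html',
];

// Tokens are 8 random bytes as hex, e.g. bin2hex(random_bytes(8)) when an
// article is created; here we only validate the shape.
function validToken(string $token): bool {
    return preg_match('/^[0-9a-f]{16}\z/', $token) === 1;
}

function lookupArticle(array $articles, string $token): ?string {
    return validToken($token) ? ($articles[$token] ?? null) : null;
}

// Syntactically valid address with no CR/LF, so it cannot inject mail headers.
function validEmail(string $addr): bool {
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/[\r\n]/', $addr) === 0;
}

// Decode first: "%3Cscript%3E" must be caught just like "<script>".
function cleanNote(string $note): ?string {
    $decoded = rawurldecode($note);
    return preg_match('/[<>]/', $decoded) === 1 ? null : trim($decoded);
}

// Per-host throttle: refuse once one host has sent the same article $max times.
function throttled(array &$seen, string $host, string $token, int $max = 3): bool {
    $key = $host . '|' . $token;
    $seen[$key] = ($seen[$key] ?? 0) + 1;
    return $seen[$key] > $max;
}

// Returns the message to send, or null if any check fails.
function buildMessage(array $articles, array &$seen, string $host, array $post): ?array {
    $token = $post['token'] ?? '';
    $url = lookupArticle($articles, $token);
    $note = cleanNote($post['note'] ?? '');
    $to = $post['to'] ?? '';
    if ($url === null || $note === null || !validEmail($to) || throttled($seen, $host, $token)) return null;
    return ['to' => $to, 'subject' => 'A friend sent you an article', 'body' => "$note\n\n$url\n"];
}

// When echoing the token back into the form, escape it (the raw echo above does not).
function hiddenField(string $token): string {
    return '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
}
```

Call buildMessage() with $_POST and $_SERVER['REMOTE_ADDR'] and only hand the result to mail() when it is not null.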
Mike Szumlinski wrote:

> I'm trying to write a real simple script right now that I see all the time.
> It is basically the "e-mail this to a friend" link you see at the bottom of
> lots of news pages and what not. The actual mail form is simple, but does
> anyone know how to pull the current url (after a post method submit) into a
> php variable? Is it doable with just php, or do I need javascript too?
>
> -Mike
> -=--===---===---===---===-=-
> |Mike Szumlinski           |
> |Michigan State University |
> -=--===---===---===---===-=-
> "We are what we repeatedly do. Excellence, then, is not an act, but a habit"
>
>                                                                  -Aristotle
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user