Hi, I have a site where the links menu is read from a database and created in the format of index.php?page=mypage
How can I check that "mypage" is a page that exists in the database, so that users can't just add anything into the URL?
Thanks xx
If your pages are stored within the database: check the result set of the SQL query you're sending to the database and don't forget to escape characters to deny possible SQL injection... (mysql_real_escape_string())
Use a whitelist approach, something like this:
// Keep only the $_GET entries whose key is listed in $allowedKeys; all others are dropped.
$allowedKeys = array('myPage', 'yourPage', '...Page');
$_GET = array_intersect_key($_GET, array_flip($allowedKeys));
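The check both answers point at, as an added example that is not part of the original thread: the requested value is looked up with a PDO prepared statement (swapped in here for mysql_real_escape_string()), and a missing row is treated as a 404. The `pages` table, its `slug` column, the `findPage()` helper and the in-memory SQLite database are assumptions for illustration; PHP 8 is assumed for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the original post): table `pages` with a unique `slug` column.
// An in-memory SQLite database stands in for the site's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO pages (slug, title) VALUES ('home', 'Home'), ('contact', 'Contact')");

/**
 * Return the page row for the requested slug, or null when it is not in the database.
 * $requested is the raw value of $_GET['page'] and may be missing or an array (?page[]=x).
 */
function findPage(PDO $db, mixed $requested): ?array
{
    // Reject non-strings and anything outside the expected slug shape before querying.
    if (!is_string($requested) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested) !== 1) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text, so no manual escaping is needed.
    $stmt = $db->prepare('SELECT slug, title FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $requested]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: two valid slugs, then values a user might type into the URL.
$samples = ['home', 'contact', 'admin', "home' OR '1'='1", '../../etc/passwd', ['home'], null];
foreach ($samples as $value) {
    $page = findPage($db, $value);
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-22s => %s\n", $shown, $page === null ? '404 Not Found' : 'render ' . $page['slug']);
}

// In index.php the same check would be used like this:
// $page = findPage($db, $_GET['page'] ?? null);
// if ($page === null) { http_response_code(404); exit('Page not found'); }
```

Only `home` and `contact` resolve to a page; every other sample, including the array and the missing parameter, ends in the 404 branch.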