
Restricting url query string


Jack McKalling


I have been trying everything I can come up with, but it doesn't seem to want to do what I want it to :) If you can, help me please. But I am asking something a bit advanced really :)

My site has become an application, like I wanted it to. It contains three panels, namely the site, the user panel and the admin control panel, and each has its own capabilities. I have organised my site in such a manner that it is not possible to go back in history if you stay on the same panel. So say each panel is a new page, but on each panel you can go to different pages that don't alter the browser's history. Also, each page was built by submitting a form, storing the received data in the session, and sending a new Location header. It means none of the pages have their own link. The processor of this form is the same document, but with some unique GET variables added. Those variables are not the ones that determine what page should be viewed, though, but only what command was given. So my site has three sorts of commands that control what action will be taken:

ACT, for which panel is the current one,
GO, to use the login system and to go to a different panel, and last but not least,
DO.

This last variable contains the command the user may give, like do=openstatistics. I have predefined values that these three variables may pass to the next page. If such a command was given, the processor executes the corresponding action, and will then redirect the browser to the page that was constructed from the values that were posted. I hope you can follow me so far :blink:

In short: I use the GET method to determine what should be done, and to direct the processor to the correct action, and the POST method to have the data to be used by the action posted. After the action the new page will be viewed, but because it is a redirect, the GET variables have disappeared. Notice that a page like this will be processed after submit:

FunLinks.php?act=user&amp;do=add_movie
And that this page will be the one redirected to:
FunLinks.php?act=user
(ACT will always be visible on all three panels.) What I want, clearly, is to have ALL query string variables deleted after a redirect, with the exception of ACT. So if the user puts in something like this:
FunLinks.php?act=site&amp;do=destroy_funlinks
The redirection would still be:
FunLinks.php?act=site
Tu comprends?

Last-minute explanation: all actions to be made by the processor are switched. First the ACT will be validated, then the GO and last the DO. Each of the three variables has its own switch and each allowed value has its own case. There is a default case defined in each switch, to define the action that should be taken when the value equals none of the allowed values. After the action has been taken care of, the redirect goes to the correct ACT (panel), without leaving the requested GO or DO behind in the new URL. But it doesn't if the value was disallowed :blink: All allowed values disappear lovely, but the forbidden ones remain. I want each and every possible value to disappear after the action :blink:

In the above example, like trying to input such nonsense as destroying the site, the nonsense remains in the URL. I want, concretely, the query string (without the ACT) to disappear even if it was not allowed and there was no action taken.

I really really really really hope this was clear, as it was difficult to explain and highly possibly not clear enough :angry: Please help me :)

Set up an array with valid values and test the input:

$allowed = array('do' => array('openstatistics', 'showlinks'));
foreach ($_GET as $k => $v) {
    if (!isset($allowed[$k])) {
        // parameter name is not known at all: drop it
        unset($_GET[$k]);
    } elseif (!in_array($v, $allowed[$k], true)) {
        // known parameter, disallowed value: reset to a default value
        $_GET[$k] = $allowed[$k][0];
    }
}

Maybe this will help. :)

Edited by adservio

No, it doesn't help :) I have been thinking of arrays, but they won't help. It is just that the switches already determine whether the value is allowed or not (if it is defined; else do the default action). But somehow, the GET variables remain in the link. That is because I want the ACT to remain in the link, including the GO and DO, but only if they contain valid values. This comes before the switches for the correct action. This is the default action to be taken when the DO variable contains an invalid value:

default:
    // ereg() was removed in PHP 7; preg_match() does the same anchored match
    if (@$_GET['do'] != "" && preg_match('/^(low|high)$/', $URLQueryChk)) {
        header("Location: FunLinks.php" . (preg_match('/^(user|prof)$/', $Act) ? "?act=$Act" : ""));
    }
    break;
$URLQueryChk is the setting that says whether the URL checking should take place: low, high or off. And $Act is the super global variable that says which panel is on (like the ACT in the URL). This is the default case of the switch for DO. If DO contains a value that has no unique case in the switch, this case will be executed. If the value is something like "destroy_funlinks" this will be executed, and it should remove the query string except for the ACT variable. But it doesn't :)

--------

Forget all my explanations. Forget the above. The problem that then remains is the following. I want the switches to redirect to this document without leaving other variables than ACT. If GO or DO is defined, then only the allowed values should remain, not the values that aren't supported. In other words, redirect to FunLinks.php with the correct ACT, only leaving DO or GO when the value is allowed; otherwise it should be deleted. How?

Why are you including other querystring variables at all? Why doesn't this work:

switch ($act) {
    ...
    case 'site':
        header("Location: FunLinks.php?act=site");
        exit();
        break;
    ...
}

It will only redirect to whatever you tell it to, so I guess the obvious answer is don't include those things when you are redirecting.

Also, don't use &amp; in the querystring, only &. Something like this:

FunLinks.php?act=user&amp;do=add_movie

will create a variable called 'act' with the value 'user', and another variable called 'amp;do' with the value 'add_movie'. The & separates variables; &amp; is the HTML code for displaying an ampersand on the page itself.


Also, don't use &amp; in the querystring, only &. Something like this: FunLinks.php?act=user&amp;do=add_movie will create a variable called 'act' with the value 'user', and another variable called 'amp;do' with the value 'add_movie'. The & separates variables; &amp; is the HTML code for displaying an ampersand on the page itself.
But where the entity &amp; was, was in a PHP string; it was actually a bug fix and should be so. But if it comes to inputting in the address bar, then you're correct, my mistake.

If I do it like you said, directly redirect to whatever ACT was defined, all DO and GO will cease to work. They must be included or else I won't be able to command the application to do anything. This is because it is all in one file and there is no difference between processors that do different things, so there must be some sort of something that clears up what exactly to do. Do you see?

switch ($do) {
    ...
    ...
    default:
        $do = "";
        break;
}
header("Location: FunLinks.php?act={$act}&do={$do}");
exit();

If do was not in the switch statement, then it gets set to empty and doesn't get passed to the next page.


All right, I made a mistake. The above code did actually work; I hadn't set the checking setting to high, so I as an administrator would not get the checking. When I did, it returned me to a clean URL just as I want.

But the real problem appears to be something else. If a user puts in nonsense, the script actually is able to successfully remove it, but not in the following case. If a user puts in a certain variable twice, ending with an allowed value, the query was recognised as valid. However, I also want to remove nonsense such as double variables :) And that was what didn't work...


Things get added automatically, but those are the allowed ones. They will be accepted and processed internally and, as it should be, not be visible (because the form's action script will return the original URL). But when a user puts in nonsense, that is what I mean, the nonsense should also disappear.

A user is at a page like FunLinks.php?act=user. He submits a form that requests the page FunLinks.php?act=user&do=something. That page is processed, without outputting anything. After the action, a Location header will be sent, again to the page FunLinks.php?act=user. Do you understand? So instead of submitting a form, a user may put stuff in the address bar that doesn't belong there, and try to get to that page. In that case, it should disappear. It does, due to my URL checking code, but if the query string contains duplicate variables and the last one that will be taken is valid, then it doesn't disappear. Just to make sure a user cannot put in anything that doesn't do anything :)

Edited by Dan The Prof
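As an added example that is not part of this thread (it is not any poster's code), here is one way in PHP 7.1+ to do what the last few posts converge on: parse the raw query string yourself so that a repeated parameter is visible (PHP's own $_GET silently keeps only the last copy), keep act plus only allow-listed go/do values, and treat any repeated key as tampering so that nothing but act survives the redirect. The file name FunLinks.php and the parameter names act, go and do come from the thread; the allowed values, the default panel, the 303 status and the helper names are assumptions, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not from the original thread. Builds a redirect target that
// carries only allow-listed parameter values and rejects repeated parameters.
// The allowed values, DEFAULT_ACT and the function names are assumptions.
declare(strict_types=1);

const ALLOWED = [
    'act' => ['site', 'user', 'prof'],
    'go'  => ['login', 'logout'],
    'do'  => ['openstatistics', 'showlinks', 'add_movie'],
];
const DEFAULT_ACT = 'site';

/**
 * Parse the raw query string ourselves so repeated keys are visible
 * ($_GET and parse_str() keep only the last copy of a repeated key).
 * Returns [params, duplicateKeys]; keys and values are URL-decoded.
 */
function parseQueryStrict(string $query): array
{
    $seen = [];
    $dups = [];
    if ($query === '') {
        return [[], []];
    }
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $key = urldecode($parts[0]);
        $val = isset($parts[1]) ? urldecode($parts[1]) : '';
        if (array_key_exists($key, $seen)) {
            $dups[$key] = true;   // remember the key was repeated
            continue;             // keep the first value, not the last
        }
        $seen[$key] = $val;
    }
    return [$seen, array_keys($dups)];
}

/**
 * Decide where to send the browser after the action has been processed.
 * - Unknown parameter names and values outside the allow list are dropped.
 * - An unknown act falls back to the default panel.
 * - If any key was repeated, the query is treated as tampered with and
 *   only act survives.
 * Returns the path and query string for the Location header.
 */
function cleanRedirectTarget(string $rawQuery): string
{
    [$params, $dups] = parseQueryStrict($rawQuery);

    $act = $params['act'] ?? DEFAULT_ACT;
    if (!in_array($act, ALLOWED['act'], true)) {
        $act = DEFAULT_ACT;
    }
    $keep = ['act' => $act];

    if ($dups === []) {
        foreach (['go', 'do'] as $name) {
            if (isset($params[$name]) && in_array($params[$name], ALLOWED[$name], true)) {
                $keep[$name] = $params[$name];
            }
        }
    }
    // http_build_query() URL-encodes values and joins them with a plain '&',
    // never with the HTML entity '&amp;'.
    return 'FunLinks.php?' . http_build_query($keep);
}

/** Send the cleaned redirect for the current request and stop. */
function redirectClean(): void
{
    header('Location: ' . cleanRedirectTarget($_SERVER['QUERY_STRING'] ?? ''), true, 303);
    exit;
}

// Constructed inputs; run with: php thisfile.php
if (PHP_SAPI === 'cli') {
    $cases = [
        'act=user&do=add_movie',                     // allowed, kept
        'act=site&do=destroy_funlinks',              // unknown command dropped
        'act=user&do=destroy_funlinks&do=add_movie', // repeated key: only act
        'act=admin&go=login',                        // unknown panel: default
        'act=user&amp;do=add_movie',                 // entity leaked into the URL
    ];
    foreach ($cases as $q) {
        printf("%-45s -> %s\n", $q, cleanRedirectTarget($q));
    }
}
```

Run from the command line the five constructed cases print FunLinks.php?act=user&do=add_movie, FunLinks.php?act=site, FunLinks.php?act=user, FunLinks.php?act=site&go=login and FunLinks.php?act=user. The point of parsing $_SERVER['QUERY_STRING'] rather than reading $_GET is the duplicate-key case from the post above: with $_GET alone, ?do=destroy_funlinks&do=add_movie is indistinguishable from ?do=add_movie.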

Well, I doubt this is much of a problem. I don't think people go around typing things into the querystring, and any invalid values would not result in anything anyway. But if that's what you want, then edit the code that builds the URL so that it does not add any non-allowed values. I guess that seems like the obvious answer; am I missing something?


I don't understand :) As you explain this, I don't see any problem either :) How come I have been trying things for ages to get this to work? :) After analysing this code, I see it should solve my problem. Consider this topic solved, because I can't remember what was wrong in the past, for which I posted this topic. :blink:

[*Edit:] The solution to "restricting the query string" is exactly what I already have. I am stupid.

Edited by Dan The Prof