
I am making a news system for http://red-sec.net
Currently I have 3 pages:

  • index.php | View the latest News and select which one to read
  • article.php | View the actual News post
  • post.php | Make a new News post (Admin access required)

Now in index.php I am doing the following:

$query = "SELECT * FROM news ORDER BY date DESC LIMIT 20";
$run = mysqli_query($connect,$query);
while($row = mysqli_fetch_array($run)) {
    $article_id = $row['article_id'];
    $user_id = $row['user_id'];
    $title = $row['title'];
    $content = $row['content'];
    $date = $row['date'];
    $query = "SELECT username FROM users WHERE ID = '$user_id'";
    $test = mysqli_query($connect,$query);
    $row2 = mysqli_fetch_array($test);
    $user_name = $row2['username'];
    echo '<div class="row">
        <div class="col-lg-12"><h3 class="para"><a class="para" href="article.php?id='.$article_id.'">'.$title.'</a></h3>
        <p class="para">Written by: '.$user_name.'</p>
        </div>
        </div>';
}

As you can see, I am echoing out the news posts.
When you click on one of them it takes you to article.php?id=post_id as seen here.
I am trying to find a way to get the info to article.php without using GET parameters because that makes it SQLi vulnerable. I know I can secure it at article.php but I would prefer not to use GET requests at all.
The way I am looking to do it is either:

  • send the information to `article.php` through $_SESSION, but I don't know how to set the id of the post in `$_SESSION` on the click of the link
  • the way Facebook does it: if you go to https://facebook.com/youtube for instance you can see what I mean, they make directories for each user. I know how to make the directories but I have no idea how to make new .php files with the content of the news post.

Again, any help appreciated.

  • I would just use GET, it's standard. –  Jan 19 '17 at 01:42
  • It would make it SQLi vulnerable. I know I can avoid it, but I am looking to learn how Facebook does it. – red security Jan 19 '17 at 01:50
  • It would still be vulnerable if you just use the URL pathname, like Facebook. The variable would still have to be checked. Facebook does not have a directory per user; it uses the path in the URL the same way you use id=99. –  Jan 19 '17 at 01:52
  • Can you explain how they hide it then? – red security Jan 19 '17 at 01:57
  • http://stackoverflow.com/questions/20563772/reference-mod-rewrite-url-rewriting-and-pretty-links-explained –  Jan 19 '17 at 01:58
  • I mean, when you go to facebook.com/youtube I am assuming that I'm actually going to facebook.com/youtube/index.php. When Google made the account for YouTube, Facebook made a directory named youtube and everything YouTube related is under facebook.com/youtube. Isn't that the case? – red security Jan 19 '17 at 01:58
  • Now I get it, thank you for the explanation. – red security Jan 19 '17 at 02:03
  • Nope, it will be in a database, not a directory. I don't think you should bother building your own CMS when so many good ones exist already. –  Jan 19 '17 at 02:03
  • Can you please explain what dab is? – red security Jan 19 '17 at 02:04
  • Side note: you aren't using prepared statements and you aren't escaping either HTML or URLs, thus you're open to almost all code injections that exist (SQL injection, XSS...). – Álvaro González Jan 19 '17 at 10:08
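The last comment points at two problems in the index.php loop above that have nothing to do with GET: the title and username are echoed into HTML unescaped, and every row triggers a second query for the username. The following is an added example (not code from the question or from red-sec.net) of the same listing written with a single JOIN and with every value escaped for the context it lands in. The `news` and `users` tables and their columns are taken from the question; the connection parameters are placeholders.

```php
<?php
// Added example, not the original index.php. Connection details are placeholders.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'newsdb');
if ($mysqli->connect_errno) {
    exit('Database connection failed');
}
$mysqli->set_charset('utf8mb4');

// One JOIN replaces the per-row "SELECT username FROM users WHERE ID = ..." query.
// No user input reaches this statement, so a plain query() is fine here;
// article.php, which does take input, needs a prepared statement instead.
$sql = "SELECT n.article_id, n.title, n.date, u.username
        FROM news AS n
        JOIN users AS u ON u.ID = n.user_id
        ORDER BY n.date DESC
        LIMIT 20";
$result = $mysqli->query($sql);
if ($result === false) {
    exit('Query failed');
}

// HTML-escape anything that came out of the database before echoing it.
// A title like <script>alert(1)</script> is then displayed, not executed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

while ($row = $result->fetch_assoc()) {
    // The id is cast to int, so the link can only ever carry a number.
    $href = 'article.php?id=' . (int) $row['article_id'];
    echo '<div class="row">
        <div class="col-lg-12"><h3 class="para"><a class="para" href="' . e($href) . '">' . e($row['title']) . '</a></h3>
        <p class="para">Written by: ' . e($row['username']) . '</p>
        </div>
        </div>';
}
```

Escaping happens at the output boundary, not when the post is stored: the same title has to be escaped differently for HTML, for a URL or for a JSON API, so storing it pre-escaped would break two of the three.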

2 Answers


You can use $_SESSION :) but I don't recommend it.

Modern systems use pretty URLs like http://domain.com/articles/123.

You should protect your SQL from injections: How can I prevent SQL injection in PHP?


Your assumptions aren't entirely correct. Using GET is the standard. Otherwise you won't be able to "deeplink". You would have to tell your friend to go to that site, click page fourteen and select the third story in order to view the content.

What you actually want to do is ensure that the data the user sends you is clean, or not use it directly. As a (poor) pseudo code example take the following code:

// Vulnerable: the raw GET value is concatenated straight into the SQL string.
$result = mysqli_query($connect, "SELECT * FROM news WHERE id = " . $_GET['id']);

This would allow a direct SQL injection and would be really HORRIBLE. You could pretty much do whatever with that code by using a GET parameter that includes an int and a semicolon. You then run your own query after that, for example to change your admin password.

A better approach would be to verify the user data and use a prepared statement.

// Collect the ids that actually exist, then only accept one of those.
$newsIDs = [];
$idResult = $mysqli->query("SELECT id FROM news");
while ($row = $idResult->fetch_assoc()) {
    $newsIDs[] = (int) $row['id'];
}
$getID = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if (in_array($getID, $newsIDs, true)) {
    // Prepared statement: the id is bound as an integer, never concatenated.
    $statement = $mysqli->prepare("SELECT * FROM news WHERE id = ?");
    $statement->bind_param("i", $getID);
    $statement->execute();
    $result = $statement->get_result();
}

As for your comparison to Facebook, what they're likely doing is using a rewrite rule to bind parameters to variables. So what's really happening is that (at the end of it) index.php?page=youtube&user=someone is being called (if they really do use PHP; it could be any kind of file with any kind of parameters). How rewriting works depends on your webserver.

  • I did it ;) http://news.red-sec.net/article/26/This-is-a-title – red security Jan 19 '17 at 22:43
  • I do have a problem though in another part. When I go to http://red-sec.net/user/badboy17 the CSS seems to be kind of missing, but not when I go to http://red-sec.net/user.php?u=badboy17. Any idea why? – red security Jan 19 '17 at 22:44
  • Both get me a 404. With URL rewriting the browser sees the rewritten URL. As such you would have to let relative links point relative to this "virtual" directory. So if you have a stylesheet with `href="css/style1.css"` it would try to find `style1.css` in the directory `/user/css`. By adding a slash up front you would make it an absolute link. You will have to think about how you want to solve that. There are pros and cons for both approaches. – Seth Jan 20 '17 at 06:17
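Putting the answer's pieces together, here is an added example of a complete article.php (not code from the answer or from red-sec.net) that validates the id, fetches the post with a prepared statement, escapes everything it echoes, and uses absolute paths for its stylesheet so it renders the same under a rewritten URL. It assumes the `news` and `users` tables from the question, placeholder connection details, the mysqlnd driver (for `get_result()`), and an Apache rule such as `RewriteRule ^article/([0-9]+)(/.*)?$ article.php?id=$1 [L,QSA]` that maps `/article/26/This-is-a-title` onto `article.php?id=26`; the rule is an assumption about how the site might be configured, not its actual config.

```php
<?php
// Added example, not the original article.php. Connection details are placeholders.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'newsdb');
if ($mysqli->connect_errno) {
    exit('Database connection failed');
}
$mysqli->set_charset('utf8mb4');

// Validate before use: the id must be a positive integer, nothing else.
// Whether the request arrived as article.php?id=26 or, via the assumed
// rewrite rule, as /article/26/This-is-a-title, this is the same code path.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad article id');
}

// Prepared statement: the id travels to the server as a bound integer, so a value
// like "26; UPDATE users SET password=..." is rejected above and could not alter
// the statement even if it got here.
$stmt = $mysqli->prepare(
    "SELECT n.title, n.content, n.date, u.username
     FROM news AS n
     JOIN users AS u ON u.ID = n.user_id
     WHERE n.article_id = ?"
);
$stmt->bind_param('i', $id);
$stmt->execute();
$article = $stmt->get_result()->fetch_assoc();
$stmt->close();

if (!$article) {
    http_response_code(404);
    exit('No such article');
}

// Escape at the output boundary so stored content is displayed, never executed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title><?= e($article['title']) ?></title>
<!-- Absolute path. Under /article/26/... a relative "css/style1.css" would resolve
     to /article/26/css/style1.css, which is the missing-CSS symptom from the comments. -->
<link rel="stylesheet" href="/css/style1.css">
</head>
<body>
<h1><?= e($article['title']) ?></h1>
<p class="para">Written by: <?= e($article['username']) ?> on <?= e($article['date']) ?></p>
<div class="para"><?= nl2br(e($article['content'])) ?></div>
</body>
</html>
```

The slug after the id (`This-is-a-title`) is ignored by the rewrite rule and never reaches the database; the integer is the only thing the query trusts, which is why the same page stays safe whether or not the pretty URL is used.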