Hi, I want to know if it is possible to hide/encrypt the PHP tags in a URL? For example:

```
www.example.com?product=table
```

It is important to my website that people cannot simply post their own data using external pages, and if hiding the PHP part is possible it would make it a lot more difficult. Thanks, Lee.
Sounds like you want to prevent injection from the GET variable product? If we know that product can only be a few things you could do a couple of different checks to validate it before acting on it. I'll assume product will only contain letters, no spaces, numbers or anything else...

```php
<?php
// If $_GET['product'] is present and only has letters in it, go on; otherwise display an error.
if (isset($_GET['product']) && !preg_match('#[^a-z]#i', $_GET['product'])) {
    // At this point you can check your database, or whatever you want, to make sure product is valid.
    $product = mysql_real_escape_string($_GET['product']);
    $query   = "SELECT product FROM products WHERE product = '$product'";
    $result  = mysql_query($query);
    if (@mysql_num_rows($result) > 0) {
        // We've found a legitimate product and should display it now.
    } else {
        // The specified product doesn't seem to exist; you should redirect or display valid product links here.
    }

    // ** Or, if you don't want/need to do a query:
    if ($_GET['product'] == 'table' || $_GET['product'] == 'chair' || $_GET['product'] == 'desk') {
        // We've found a legitimate product and should display it now.
    } else {
        // The specified product doesn't seem to exist; you should redirect or display valid product links here.
    }
} else {
    echo "Error, invalid product"; // should redirect or display valid product links here
}
```

-the mole
The code posted by themole is very good indeed. I don't normally see folks using mysql_real_escape_string() - which is highly recommended for all mysql queries. Great job. My additional two cents is that if you have a finite number of acceptable $_GET variables then you can do a simple check to see if it's in the array, before or after the other cleansing shown by themole:

```php
<?php
$good = array('table', 'chair', 'sofa');
// Third argument makes in_array() compare strictly (string to string).
if (!isset($_GET['product']) || !in_array($_GET['product'], $good, true)) {
    echo 'Error with data received'; /* add better error reporting here */
    exit;
}
```
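Combining the two replies, as an added example that is not from this thread: the same letters-only check and allowlist, followed by a lookup through a PDO prepared statement in place of mysql_real_escape_string (the mysql_* extension no longer exists in PHP 7 and later). The `products` table, its `product` and `price` columns, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not from the thread: allowlist the "product" parameter, then
// look it up with a bound parameter instead of escaping into the SQL string.
// Assumed: a `products` table with `product` and `price` columns; DSN and
// credentials below are placeholders.
declare(strict_types=1);

const ALLOWED_PRODUCTS = ['table', 'chair', 'desk', 'sofa'];

// Returns the canonical product name, or null when the input is missing,
// malformed, or not on the allowlist.
function validateProduct(array $get): ?string
{
    if (!isset($get['product']) || !is_string($get['product'])) {
        return null; // missing, or array-style ?product[]=x
    }
    // Same shape check as themole's reply, with an upper bound on length.
    if (!preg_match('/^[a-z]{1,32}$/i', $get['product'])) {
        return null;
    }
    $canonical = strtolower($get['product']);
    // Third argument makes the comparison strict (no type juggling).
    return in_array($canonical, ALLOWED_PRODUCTS, true) ? $canonical : null;
}

// The value travels separately from the query text, so no escaping is needed.
function findProduct(PDO $db, string $product): ?array
{
    $stmt = $db->prepare('SELECT product, price FROM products WHERE product = :product');
    $stmt->execute([':product' => $product]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$product = validateProduct($_GET);
if ($product === null) {
    http_response_code(400);
    echo 'Error, invalid product'; // fixed message: never echo the raw input
    exit;
}
$db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$row = findProduct($db, $product);
if ($row === null) {
    http_response_code(404);
    echo 'Product not found';
    exit;
}
// $row is now a validated, existing product and can be rendered.
```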