
Preventing URL Arguments

By Kevin J. Menard, Jr.
on August 17, 2000

If you’re like me, you probably took a crack at a session-based user auth system. More than likely you found yourself doing something along the lines of:

$LOGGED_IN = TRUE;
session_register("LOGGED_IN");

That worked fine, up until I realized that when I appended an argument to the URL, I could spoof the log-in mechanism (as in http://www.negativetwenty.com/index.php?LOGGED_IN=TRUE).

This obviously is not good. So I consulted my good friend phpinfo() for an answer. As it turns out, this issue is much easier to fix than I would have thought.

Calling upon its vast C roots, PHP exposes “argc” and “argv” entries in $HTTP_SERVER_VARS, filled from the query string, that work just like argc and argv in a C command line program. PHP also stores the path of the current page in an internal variable called PHP_SELF. With that said, I derived the following:

<?php
if(isset($HTTP_SERVER_VARS["argc"]) && $HTTP_SERVER_VARS["argc"] != 0) { // If someone is trying to pass an argument
    Header("Location: $PHP_SELF"); // Then reload the page argument-free
    exit;                          // and stop here; without exit the rest of the page still runs
}

// blah . . . Otherwise load page normally
?>
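The example below is added here and is not code from the original post. It recreates the spoof on a current PHP (5.4 or later), where register_globals no longer exists, by calling extract() on a constructed $_GET; it then shows the post's query-string check beside the check a practitioner should actually rely on, reading the flag from the session array only. One caveat worth knowing: argc/argv only ever reflect the query string, while register_globals also turned POST fields and cookies into globals, so the redirect alone does not close the hole. All function names and the request values are assumptions for the demonstration.

```php
<?php
// Added example, not the post's own code. Run from the command line.

// Constructed request: an attacker appended ?LOGGED_IN=TRUE to the URL.
$_GET = array('LOGGED_IN' => 'TRUE');
$_SERVER['QUERY_STRING'] = 'LOGGED_IN=TRUE';
$_SERVER['PHP_SELF'] = '/index.php';
$_SESSION = array();            // nobody has logged in yet

// What register_globals did: every GET, POST and cookie field became a
// variable. extract() on $_GET stands in for that behaviour here.
function vulnerable_is_logged_in()
{
    extract($_GET);
    // The string "TRUE" is truthy, so the attacker is now "logged in".
    return isset($LOGGED_IN) && $LOGGED_IN;
}

// The post's check: refuse any request that carries query-string arguments.
// Returns true when the page would redirect; the live page would follow it
// with header('Location: ' . $_SERVER['PHP_SELF']) and then exit.
// Caveat: this sees the query string only, not POST bodies or cookies.
function has_query_arguments()
{
    return isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] !== '';
}

// Hardened check: trust the session array alone, never a plain global, so a
// request parameter cannot overwrite the flag however it arrives.
function is_logged_in()
{
    return isset($_SESSION['LOGGED_IN']) && $_SESSION['LOGGED_IN'] === true;
}

function log_in()
{
    $_SESSION['LOGGED_IN'] = true;
}

printf("vulnerable check, no login:   %s\n", vulnerable_is_logged_in() ? 'logged in (spoofed)' : 'denied');
printf("query arguments present:      %s\n", has_query_arguments() ? 'yes, would redirect' : 'no');
printf("session check, no login:      %s\n", is_logged_in() ? 'logged in' : 'denied');
log_in();
printf("session check after log_in(): %s\n", is_logged_in() ? 'logged in' : 'denied');
```

Running it prints the spoofed result for the register_globals-style check, confirms the query-string check would redirect this particular request, and shows the session-only check denying access until log_in() sets the flag server-side. In a real page, call session_start() before touching $_SESSION and use $_SERVER in place of $HTTP_SERVER_VARS, which was removed in PHP 5.4.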

Since this uses internal PHP variables, I believe it is web server independent, but I’m not sure about that. It apparently works fine on Apache and IIS, which are the two big web servers in use today.

Hope this helps someone else out. Let me know if you have any issues with it.

-Kevin