All depends on how the data is used after it's interpreted/split:

http://www.example.com/index.php/edit/customer/1234

    $action = "edit";
    $type = "customer";
    $id = "1234";
    header("Location: http://www.example.com/index.php?action=$action&type=$type&id=$id");

In this case, what happens if someone does:

http://www.example.com/index.php/edit/customer/1234&adminaccess=1

    $action = "edit";
    $type = "customer";
    $id = "1234&adminaccess=1";
    header("Location: http://www.example.com/index.php?action=$action&type=$type&id=$id");

redirects to:

http://www.example.com/index.php?action=edit&type=customer&id=1234&adminaccess=1

Or if that data was used in a SQL query, you could open yourself up to a SQL injection attack... basically all the kind of concerns you have when handling user input in general, but you have to ask yourself "What could someone do if they manually entered a URL instead of just clicking on a link that we generated?" (what other data is passed via $_GET vars, or other data that's affected by the pre-rewrite URL).

Maybe your stuff is ok... maybe the worst that happens is it looks for an id of "1234&adminaccess=1" and doesn't find it.

Security tends to involve dealing with what we know is a security risk... while hacking (the illegal kind) is only limited by the imagination and skill of the hacker. So good security relies on as much imagination and creativity as you can conjure up and hopefully it's more than the hacker trying to poke at your system. :)

In other words, ALWAYS think of the worst-case scenario when thinking about security... isolate, restrict and scrub your input vigorously.. hah

-TG

And you split on the forward slash.. you might get:

= = = Original message = = =

No arguments here ;-). For what it's worth, I've used this technique just to simply clean up the URLs a bit. With that in mind, I usually don't need to do a terrible amount of scrubbing because I'm using the variables in the URL more for navigation.
So http://www.example.com/index.php/edit/customer/1234 simply tells my script to display a form that will allow the user to edit customer 1234; if the first sections of $_SERVER['PATH_INFO'] aren't exactly what I'm expecting then I move on to whatever the default action is (except of course for the customer id at the end).

Really this isn't any different than http://www.example.com/index.php?action=edit&type=customer&id=1234 in terms of security. If I'm wrong someone please let me know as I do use this technique quite a bit.

- Joe

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
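
The routing discussed in this thread, as an added example that is not code from either poster: the path segments are checked against allowlists, the id must be all digits, and the redirect is built with http_build_query() so values are percent-encoded. The function names (parse_route, redirect_url) and the allowlist contents are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based PATH_INFO routing. All names are hypothetical.

const ALLOWED_ACTIONS = ['edit', 'view'];      // assumed set of actions
const ALLOWED_TYPES   = ['customer', 'order']; // assumed set of record types

/**
 * Split a PATH_INFO string such as "/edit/customer/1234" and return the
 * validated parts, or null if anything is not exactly what is expected.
 */
function parse_route(string $pathInfo): ?array
{
    $parts = explode('/', trim($pathInfo, '/'));
    if (count($parts) !== 3) {
        return null;
    }
    [$action, $type, $id] = $parts;

    if (!in_array($action, ALLOWED_ACTIONS, true) || !in_array($type, ALLOWED_TYPES, true)) {
        return null;
    }
    // ctype_digit() rejects "1234&adminaccess=1", "", "-1" and "12 34".
    if (!ctype_digit($id) || strlen($id) > 10) {
        return null;
    }
    return ['action' => $action, 'type' => $type, 'id' => $id];
}

/** Build the redirect target; http_build_query() percent-encodes every value. */
function redirect_url(array $route): string
{
    return 'http://www.example.com/index.php?' . http_build_query($route);
}

// Constructed sample inputs, including the one from the thread.
$samples = ['/edit/customer/1234', '/edit/customer/1234&adminaccess=1', '/drop/customer/1'];
foreach ($samples as $pathInfo) {
    $route = parse_route($pathInfo);
    echo $pathInfo, ' => ', $route === null ? 'rejected (default action)' : redirect_url($route), "\n";
}

// Encoding alone keeps the "&" and "=" inside the id value, even without validation.
echo http_build_query(['id' => '1234&adminaccess=1']), "\n";
```

If the id is later used in a SQL query, it should still be passed as a bound parameter of a prepared statement rather than concatenated into the query string.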