Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP

Posted by Jason Bradley
Jason Bradley
Courses Plus Student 7,219 Points

Faking out GET variables

In learning to write PHP the course suggested setting a variable within the GET object to check status. What's to stop someone from faking out the URL and adding a variable manually in the URL?

For example: /contact.php?status=thanks will direct you to the thank you page having never submitted an e-mail. Is there anyway to detect this and route back to the contact page? Would it be detecting a POST?

Thanks,

Jason

3 Answers

Richard Crawford-Wilson
Richard Crawford-Wilson
6,094 Points
Richard Crawford-Wilson
Richard Crawford-Wilson
6,094 Points

Exactly what Adam said. Get allows you to save state in a link. For example some modular designs would be like:

www.example.com/?module=friends

And thats how you would display the friends page. You could save this as a link to link directly to the friends page. POST is more secure, but can still be sniffed out. Essentially the page that receives these GET or POST requests is tasked with validating their integrity, my example is not really a security gap. But more secure examples would send passwords encrypted, or send get/post requests with authenticity tokens generated by the backend only good for one request (as is the case with: Click here to reset your password links in emails). The server side application will validate whether the POST or GET request should indeed be processed or not.

Another way sites do this is with cookies, and sessions (either stored in cookies or in the database) to validate the user has access to certain requests or not.

Randy Hoyt
STAFF
Randy Hoyt
Treehouse Guest Teacher
Randy Hoyt
Randy Hoyt
Treehouse Guest Teacher

Jason, You are correct that people can fake out the web address on a thank you page. But there's not any harm in that. In some cases, it can even be desirable. If you have a hilarious thank you page that someone might want to share with someone, they can copy the link and paste it into Twitter and all their friends can see it.

The reason to use GET over POST for displaying the confirmation page is the issue with navigation. (I talk about this in the video.) Two examples:

  • Imagine the thank you page uses POST and someone refreshes it. The browser will ask them if they want to resubmit the form, and (if they do) it will send another email.
  • Also, imagine you have a list of links on the confirmation page. Imagine someone clicks the first one, looks at the page, and then clicks back to get to the list again. The same thing will happen.

You do need POST for receiving the form submission and sending the email (as Adam mentions) but you then want to redirect away from the post to display the confirmation page. You can redirect directly to thanks.php page, or you can redirect to a page that uses a GET variable. Both approaches can be faked by entering the proper URL, but both approaches avoid these problems.

Does that help?

Jason Bradley
Jason Bradley
Courses Plus Student 7,219 Points

Yes, this helps.

I was wondering if it was acceptable, within a production environment for example, to allow people to type in the URL for the thank you page (/contact.php?status=thanks) and go directly to the thank you page without ever having sent an e-mail. It seems a bit odd to me but if this is a "social acceptable" way of developing php sites I'll take it.

I was thinking you could somehow catch that a user entered the URL manually, having never submitted an contact form, and route them back to the contact page. But I haven't figured out how to do that just yet.

Jason

Adam Moore
Adam Moore
15,825 Points
Adam Moore
Adam Moore
15,825 Points

That's actually why POST is a better and more secure way to send info. There are ways you can use GET more securely but POST is better for sending info to your app or backend.