How to secure .htaccess links to user profiles? (vanity url)

  • ilya Kraft
    New Member
    • Jan 2011
    • 134

    Hello,

    I recently decided to make .htaccess links to my user profiles so they would look something like

    http://mywebsite.com/username

    Right now I am using id to filter users, like this

    http://mywebsite.com/profile.php?id=1

    But I will need to change id to username, like so

    http://mywebsite/profile.php?username=theuser

    And then I would use .htaccess rules to transform it into the example mentioned at the beginning.
    Right now I am concerned about security, because when I was using the id to filter the profile page I used:

    Code:
    $id = preg_replace('#[^0-9]#i', '', $_GET['id']);
    That filtered everything but numbers out of the id, to make it secure against SQL injection, but now that I filter by username that is not an option.

    I am worried that someone could do something like this:

    http://mywebsite/username, DROPDATABASE

    And that DROPDATABASE thing could screw things up for me.

    So could anyone suggest ideas and, if possible, examples of securing this? And if you have any questions or do not understand something of what I wrote, please ask ))))

    _______________

    This is .htaccess code that I found and would probably use to accomplish my task.

    Code:
    Options +FollowSymLinks
    RewriteEngine On

    # Only rewrite requests that do not map to a real directory or file
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f

    # /theuser -> index.php?username=theuser
    # \w only matches [A-Za-z0-9_], so a username with other characters is not rewritten
    RewriteRule ^(\w+)$ index.php?username=$1 [L]
  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #2
    Ideally you would use a library such as PDO, which provides prepared statements that are secured against attacks of this nature. In any case, the documentation provides information on protecting yourself against SQL injection.

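An added example (not code from the original thread or from Markus) showing what the prepared-statement advice looks like in PHP, placed next to the string-concatenation pattern it replaces, with the username check tied to the same \w class the RewriteRule uses. The users table, its columns, the sample rows and the in-memory SQLite database are assumptions made for the demo; swap in your own DSN and table.

```php
<?php
// Added example, not from the original thread. The users table, its columns
// and the in-memory SQLite database below are assumptions for the demo.

// 1. Reject anything the RewriteRule ^(\w+)$ would not have matched anyway.
//    \w is [A-Za-z0-9_], so a comma, quote or space never reaches the query.
function valid_username(string $name): bool
{
    return (bool) preg_match('/^\w{1,32}$/', $name);
}

// 2. The vulnerable pattern, kept only for contrast: the value is pasted into
//    the SQL text, so a quote inside it changes the structure of the query.
function find_user_unsafe(PDO $db, string $name): ?array
{
    $sql = "SELECT id, username, display_name FROM users WHERE username = '$name'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. The prepared-statement version. The SQL is sent with a placeholder and the
//    value is bound separately, so the database never parses the value as SQL.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, display_name FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumption for the demo).
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver, also disable client-side emulation so the server
    // receives real prepared statements:
    //   $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, display_name TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, display_name) VALUES (?, ?)');
    $ins->execute(['alice', 'Alice']);
    $ins->execute(['bob', 'Bob']);
    return $db;
}

$db = demo_db();

// A legitimate lookup works the same way in both versions.
var_dump(find_user($db, 'bob'));

// A hostile value. With concatenation the WHERE clause becomes
//   username = 'x' OR '1'='1'
// which is true for every row, so the first user (alice) comes back
// even though no such username exists.
$evil = "x' OR '1'='1";
var_dump(find_user_unsafe($db, $evil));

// With the prepared statement the same string is just a username that does
// not exist, so the lookup returns null.
var_dump(find_user($db, $evil));

// In profile.php the value handed over by the RewriteRule is checked before
// any query runs; in this CLI demo $_GET is empty, so 'bob' is used instead.
$requested = $_GET['username'] ?? 'bob';
if (!valid_username($requested)) {
    http_response_code(404);
    exit('No such profile');
}
$user = find_user($db, $requested);
var_dump($user);
```

Run it from the command line with the pdo_sqlite extension enabled to see the three lookups side by side. The validation step is not what stops the injection (the bound parameter does that); it is there so that a request the rewrite rule would never produce gets a 404 instead of a database round trip.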

    • ilya Kraft
      New Member
      • Jan 2011
      • 134

      #3
      Hi,

      Right, I did some research about PDO, but I realized that it is too confusing for me; I'm not that advanced yet, I just started a couple of months ago, so if it's not too hard could you please tell me more about PDO? I also took a look at the link you provided, but it only shows examples of unsecured stuff there; I was not able to find anything helpful. Well, maybe this type of securing is too hard for me ))) I might stay with my old system a bit longer...

