Shaliza
08-04-2005, 08:25 PM
I know how to work with PHP page navigation, but is it safe to use them or not really?
Examples:
www.yoursite.com/somepage.php?id=folder&page=pagename
www.yoursite.com/?id=folder&page=pagename
the_pm
08-04-2005, 09:56 PM
Safe in what way? The id query will stop many search engines in their tracks (they interpret it as a session id, and they'll go away). So you'll want to use something else instead of id. But there's nothing about these types of links that will make your site inherently insecure, if that's what you're wondering.
Shaliza
08-04-2005, 10:17 PM
Yeah, I plan on putting something else in place of "id".
I just mean if these links are in some way hackable. I just remember someone saying on a different board about how hackers try to do certain things with these links [whatever they may be], but no one else seemed to have a problem using these links, so.
BigBison
08-05-2005, 12:13 AM
I think you'll find the answers you're looking for in this thread:
http://www.webhostingtalk.com/showthread.php?s=&threadid=289653
Yes, you have to be careful to code your inclusions properly.
Shaliza
08-05-2005, 01:30 AM
Thanks for that link. I went to another site someone linked to in that post as well. Sounds like a bad idea.
Looks like I should use mod_rewrite. I'm still sort of learning that in this area.
BigBison
08-05-2005, 02:32 AM
Have you considered Server Side Includes (SSI)? They may be the solution you're after. I know PHP inclusions are 'server side', but SSI is a different technology.
Marble
08-05-2005, 03:09 AM
Originally posted by Shaliza
Thanks for that link. I went to another site someone linked to in that post as well. Sounds like a bad idea.
Looks like I should use mod_rewrite. I'm still sort of learning that in this area.
There is nothing bad or wrong about using $_GET vars to sort out page inclusions, it's done all the time. When using mod_rewrite all you are doing is the same thing, just masking it, doesn't make it any safer.
The point is to make sure you DO NOT do things like this:
include ($_GET['page']); or include($page); with register_globals on.
or
$sql = "SELECT * FROM sometable WHERE id='{$_GET['id']}'";
for example. These are bad.
etc. Basically, don't let a URL string have that kind of access on your site, and always have a default.
My advice is to always strip_tags and trim any $_GET urls and I prefer to use a switch/case statement so you explicitly define what is acceptable, with a default in case none is met.
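As an added example (not code from any poster in this thread), here is what Marble's advice looks like in working PHP: the ?page= value is checked against an explicit switch/case whitelist with a default, and the ?id= value goes into the query through a prepared statement instead of string interpolation. The pages/ directory, the articles table and the sample requests are all assumptions made up for the example; it uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not from the thread. Assumed names: the pages/ directory,
// the "articles" table and the constructed sample rows/requests below.
declare(strict_types=1);

// Only these ?page= values can ever be turned into an include().
// Anything else (../../etc/passwd, http://..., a PHP wrapper) hits the default.
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Resolve ?page= to a file path. strip_tags/trim as Marble suggests, then a
// switch/case so every acceptable value is spelled out, with a default.
function resolvePage(array $get): string
{
    $page = isset($get['page']) ? trim(strip_tags((string) $get['page'])) : '';
    switch ($page) {
        case 'about':
            return PAGE_MAP['about'];
        case 'contact':
            return PAGE_MAP['contact'];
        case 'home':
            return PAGE_MAP['home'];
        default:
            // Unknown or missing value: serve the default page, never the input.
            return PAGE_MAP['home'];
    }
}

// Look up one row by ?id=. The id is validated as a positive integer and bound
// as a parameter, so the SQL text never contains anything from the URL.
function fetchById(PDO $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // missing, non-numeric, or injection attempt
    }
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---- constructed demo data and requests (assumptions, not real traffic) ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'First'), (2, 'Second')");

$requests = [
    ['page' => 'about',                 'id' => '2'],
    ['page' => '../../etc/passwd',      'id' => "1' OR '1'='1"],
    ['page' => 'http://evil.example/x', 'id' => '1 UNION SELECT 1,2'],
    [],   // no parameters at all: default page, no row
];

foreach ($requests as $get) {
    $file = resolvePage($get);
    $row  = fetchById($db, $get);
    printf("page=%-28s -> include %-18s id=%-22s -> %s\n",
        var_export($get['page'] ?? null, true), $file,
        var_export($get['id'] ?? null, true),
        $row === null ? 'no row' : $row['title']);
}
```

Only the first request reaches a real row; the traversal, remote-URL and injection payloads all fall through to the default page and a "no row" result without the input ever touching a file path or the SQL text. The same validation applies whether the parameters arrive as ?page=about&id=2 or via a mod_rewrite rule that maps /about/2 onto them, which is Marble's point about mod_rewrite only masking the query string. (The register_globals setting Marble refers to was removed from PHP in 5.4, but the include($_GET['page']) pattern is just as dangerous without it.)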
Shaliza
08-05-2005, 03:47 AM
Yeah, I've used SSI before. Wasn't fond of them.
Good advice, Marble. I've decided not to use this anymore. I'll keep that in mind for a friend of mine though.
I pretty much want my url's to be like this: www.site.com/sub/content/morecontent