
Is it still secure to have URLs like:

http://www.website.eu/product.php?id_product=916

If not, what are the security cons? Can someone please point me to a link with updated information on this practice with regard to security?

Thank you

Comments

  • It's as secure as the underlying script and its supporting software/hardware are. If you keep the server's software up to date and take every measure in the code to avoid malicious use, then it's perfectly secure. If you're hinting that you want to hide the .php extension, it's entirely possible to do so, but in no way will it improve your server's security. Security through obscurity just doesn't work. Commented Jan 16, 2014 at 14:07
  • @GordonM, very convincing answer. Thanks. Commented Jan 16, 2014 at 14:08

2 Answers


There are no security cons as far as I know. As long as your code sanitises all user input and you don't leak sensitive info like file paths or queries when an error occurs, you should be fine. Just be sure to block all access to directories where users should not be, such as your library or configuration directories.
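An added example of the point made in this answer (it is not code from the answer or the question): the value of `id_product` is untrusted input whether it arrives as `product.php?id_product=916` or as a rewritten `/product/916`, so what matters is how the script uses it. The script contrasts a concatenated query with a validated, bound one, and ends with error handling that logs the detail server-side without leaking the query to the client. The `product` table, its two rows, the `916 OR 1=1` payload and the function names are constructed for the demonstration; it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the original post. The product table and
// its two rows are constructed here in an in-memory SQLite database so the
// script runs offline with PHP's pdo_sqlite extension.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (id_product INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO product VALUES (916, 'Public widget'), (917, 'Unlisted item')");

// VULNERABLE: the query-string value is pasted straight into the SQL text.
// The URL shape is irrelevant; "916 OR 1=1" dumps every row either way.
function findProductUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id_product, name FROM product WHERE id_product = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not a positive integer, then bind the
// value so the database receives it as data rather than as SQL.
function findProductSafe(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id_product, name FROM product WHERE id_product = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Simulated values of $_GET['id_product']: the legitimate id and the
// URL-decoded payload from ?id_product=916%20OR%201%3D1 (constructed input).
foreach (['916', '916 OR 1=1'] as $input) {
    printf("input %-12s unsafe rows: %d  safe row: %s\n",
        json_encode($input),
        count(findProductUnsafe($pdo, $input)),
        json_encode(findProductSafe($pdo, $input)));
}

// Error handling that does not leak: the exception text (query, table name,
// file path) goes to the server log; the client only sees a generic message.
// Pair this with display_errors=Off in the production php.ini.
try {
    $pdo->query('SELECT * FROM no_such_table');
} catch (PDOException $e) {
    error_log('product lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo "Product lookup failed.\n";
}
```

Run it with `php` on the command line: the unsafe lookup returns one row for `916` and both rows for `916 OR 1=1`, while the hardened lookup returns the single matching row for `916` and `null` for the payload, which never reaches the database at all.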


The most basic thing that you can do here is convert this to a logical URL instead of the physical URL it is right now.

physical URL - http://www.website.eu/product.php?id_product=916
Logical URL  - http://www.website.eu/product/916

This would expose only what is needed and not the complete implementation style of the code.

To do this you will have to make some minor changes to the .htaccess file in the folder where product.php is present.

RewriteEngine on
# Leave requests for real files and directories alone
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# /product/916 -> product.php?product_id=916; the captured digits become $1.
# The query parameter name must be the one product.php actually reads.
RewriteRule ^product/([0-9]+)/?$ product.php?product_id=$1 [NC,L,QSA]

4 Comments

  • This doesn't make sense. If you want to do a SQL injection you don't need to know that the $_GET parameter is 'id_product' because it's automatically set in the script. With or without URL rewriting you have the same script: $product_id = $_GET['product_id']; in both cases.
  • But it is still better not to expose the exact physical URL of the file.
  • Thank you @AkshatGoel for the suggestion; it is a good enhancement (not to expose the exact physical URL). However, GuyT's remark is right.
  • @whitelettersandblankspaces - You're welcome. I agree that this won't prevent a SQL injection.
