Steven Dropper

Reputation: 467

Is url.com?somephpcode vulnerable to anything from my code?

I never knew how to use the PHP code after the "?" in the web URL, and I don't even know what that is called... However, when the user failed to log in, I did something like this:

//Failed login
header('Location: login?error_login');

and then the login page is:

if ($_SERVER['REQUEST_URI'] == "/login?error_login") {
    echo "you have submitted invalid login information";
}

The reason why I did it is that I have a login form in the index so the user can log in from the index page and doesn't have to go to the login page, and well, it works, but is this somehow vulnerable to anything in my PHP? Or a better question, so I don't get too many downvotes: What is the better way to perform something like this? Thanks.

I'm not using .php in urls as I removed it from .htaccess... writing it just in case you would try to correct my "login?error_login" to "login.php?error_login"...

Upvotes: 0

Views: 87

Answers (3)

The string after ? is a query string that can be retrieved with $_SERVER['QUERY_STRING'].

What is the better way to perform something like this?

There's no better way; it just depends on personal choice. For me, I would try to implement it the model–view–controller (MVC) way.

But when I'm not passing anything from the URL, is it still a bad idea?

A client can pass any valid query string in the URL, but it's still not a bad idea to do that; just make sure there's no vulnerability in your script that takes a query string, such as this:

...
$conn = new mysqli($servername, $username, $password, $dbname);
$unsafe_query = $_SERVER['QUERY_STRING'];

// Vulnerable
$sql = "SELECT $unsafe_query";
$result = $conn->query($sql);

...
$conn->close();

One of the easiest ways to get rid of this is to use mysqli_real_escape_string():

...
$unsafe_query = $_SERVER['QUERY_STRING'];
// The procedural form takes the connection as its first argument
$safe_query = mysqli_real_escape_string($conn, $unsafe_query);

// Safe
$sql = "SELECT $safe_query";
$result = $conn->query($sql);
...

Upvotes: -1

Burki

Reputation: 1216

(I am writing this as an answer for future readers)

The use of a query string in this specific example is not unsafe. For many other examples, it might be, though.
The query string could be user input, and thus has to be treated as untrustworthy.

In your case, the worst that could happen is that a user messing with the query string would get weird results. This is their own problem, though, and need not concern you much (this is my opinion).

In any case where you would use the contents of the query string anywhere else in your code, say for a database query or any more interesting logic, you would at least have to sanitize it and verify its plausibility.

On the other hand, you could also transport this information inside a session. That would allow for much more robustness, and it would not give away information about your code to a potential attacker.

Upvotes: 1

DanielM

Reputation: 6666

The part of the URL after the ? is the query string. It's useful for passing in additional information that is relevant to the requested resource. It can be accessed through the PHP global array $_GET.

See the manual page here: http://php.net/manual/en/reserved.variables.get.php

If you wish to send information without it being in the URL, look at $_POST.

Here's its manual page: http://php.net/manual/en/reserved.variables.post.php

Bear in mind that anything requesting a specific resource (e.g., get information about album 6) should be in the URL in some form. Something like error_login could be either, though it is easier to implement as part of the URL.

Upvotes: 1
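
The two approaches from the answers above (reading the flag through $_GET, and carrying it in the session instead), as an added example that is not part of the original posts. The function names and the LOGIN_ERRORS table are hypothetical, and plain arrays stand in for $_GET and $_SESSION so the script runs from the command line.

```php
<?php
// Added example, not code from the question or the answers.
// Fixed allow-list: the only texts the login page will ever print.
const LOGIN_ERRORS = [
    'error_login' => 'You have submitted invalid login information.',
];

// Query-string variant: treat the parameter name as an untrusted code and
// map it to a fixed message; nothing from the URL is echoed back.
function login_error_from_query(array $get): ?string
{
    foreach (LOGIN_ERRORS as $code => $message) {
        if (array_key_exists($code, $get)) {
            return $message;
        }
    }
    return null; // unknown or missing parameters are ignored
}

// Session variant: the failed-login handler stores a known code server-side...
function flash_login_error(array &$session, string $code): void
{
    if (array_key_exists($code, LOGIN_ERRORS)) {
        $session['login_error'] = $code;
    }
}

// ...and the login page reads it once, then forgets it.
function take_login_error(array &$session): ?string
{
    $code = $session['login_error'] ?? null;
    unset($session['login_error']);
    return is_string($code) ? (LOGIN_ERRORS[$code] ?? null) : null;
}

// Constructed sample input. In a real page pass $_GET and $_SESSION
// (after session_start()) instead of these arrays.
$get = [];
parse_str('error_login&next=%3Cscript%3E', $get); // as for /login?error_login&next=...
$session = [];
flash_login_error($session, 'error_login');

$results = [login_error_from_query($get), take_login_error($session), take_login_error($session)];
foreach ($results as $msg) {
    echo htmlspecialchars($msg ?? '(no error)', ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```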
