Home/ Questions/Q 6714531
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T08:30:25+00:00

It’s my first post on here, and I’d just like to thank everyone so

  • 0

It’s my first post on here, and I’d just like to thank everyone so much for everything I’ve learnt from this forum, it’s a fantastic resource!

I made a complete noob mistake and coded my website using a lot of iFrames that load onclick. Then I learnt about SEO. Rather than start from scratch, I tried to find a workaround… I’ve found one that seems to works nicely, but I’m a little concerned about it’s vulnerability to SQL injections, and other scary stuff I know too little about. A lot of the content pages on my website are in PHP and some use MySQL as well.

I tweeked the solution found here http://www.dynamicdrive.com/forums/showthread.php?t=12512, but the site doesn’t seem to deal much with PHP and MySQL, so I thought it would be better to ask my question here instead, and get a fuller picture of how I should be thinking about this. I’d be really grateful for any input. Thank you for reading this far, even if you can’t help!

My concern is that the redirected page generates a URL like:

http://website/?framepage=http://website/folder/index.php

The script for the page with the iFrame (the main page):

<script type="text/javascript">

function loadframe(){
if(window.location.replace)
window.frames.Frame1.location.replace(get('framepage'));
else
window.frames.Frame1.location.href=get('framepage');
}

{
if(window.location.replace)
window.frames.Frame2.location.replace(get('framepage'));
else
window.frames.Frame2.location.href=get('framepage');
}

{
if(window.location.replace)
window.frames.Frame3.location.replace(get('framepage'));
else
window.frames.Frame3.location.href=get('framepage');
}

function get(key_str) {
var query = window.location.search.substr(1);
var pairs = query.split("&");
for(var i = 0; i < pairs.length; i++) {
var pair = pairs[i].split("=");
if(unescape(pair[0]) == key_str)
return unescape(pair[1]);
}
return null;
}
if (location.search&&get('framepage')!=null)
if ( typeof window.addEventListener != "undefined" )
    window.addEventListener( "load", loadframe, false );
else if ( typeof window.attachEvent != "undefined" )
    window.attachEvent( "onload", loadframe );
else {
    if ( window.onload != null ) {
        var oldOnload = window.onload;
        window.onload = function ( e ) {
            oldOnload( e );
            loadframe();
        };
    }
    else
        window.onload = loadframe;
}
</script>

and then script for the content page (to be displayed in the above iFrame):

<script type="text/javascript">
function load_content (page) {
if (window.location==top.location)
if (window.location.replace)
top.location.replace(page+'?framepage='+top.location.href);
else
top.location.href=page+'?framepage='+top.location.href;
}
</script>

not forgetting the html for the content page:

<body onload="load_content('index.html');">
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’re not vulnerable to SQL injection there – That code is all in Javascript.

    However there are XSS vulnerabilities, I’d recommend validating that the URL is an actual URL first before displaying it.

    • 0