homepage Welcome to WebmasterWorld Guest from 54.196.168.78
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
http referer and php header
Mr_Cat




msg:4416219
 11:22 am on Feb 10, 2012 (gmt 0)

Hi folks,

I'm having trouble with the final icing on the cake of my little email system I've bashed together.

It's all simple enough code but I can't fathom this one. Funnily the problem lays in my login script, the one bit I never wrote myself, typical.

here's the verify code on top of every page.


// let's call the database connection

// done

session_start();

$user_check = $_SESSION['login_user'];

$ses_query = mysql_query("SELECT member_name, member_ID, member_email FROM members WHERE member_name = '$user_check' ");

$row = mysql_fetch_array($ses_query);

$member_name = $row['member_name'];
$member_ID = $row['member_ID'];
$member_email = $row['member_email'];

if(!isset($member_name))
{
header("Location: http://www.website.com/login/login.php");
}

// they're safe
?>


now login.php


<?php

// let's call the database connection

// done

session_start();

if($_SERVER["REQUEST_METHOD"] == "POST"){

// username and password sent from Form

$myusername = addslashes($_POST['username']);
$mypassword = addslashes($_POST['password']);

$query = "SELECT member_ID FROM members WHERE member_name = '$myusername' and member_pw = '$mypassword'";
$result = mysql_query($query);
$row = mysql_fetch_array($result);

$count = mysql_num_rows($result);
$member_ID = $row['member_ID'];


// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
session_register("myusername");
$_SESSION['login_user'] = $myusername;


header("location: http://www.website.com/index.php");
} // end if
else{

$error = "Your Login Name or Password is invalid";
} // end else
} // end if


?>

// login form here


The trouble is if someone post a message at website.com/page2.php, says they want notification of replies, gets a reply in their email and a link saying 'view it at www.website.com/page2.php' they click the link, have to log in and then get directed to the index page. That's a bit rubbish, I need to redirec them to wherever they want to be, which could be page2, page 3 etc.

I've tried setting up a string containing $_SERVER http referer so I can then say header("location: ".$referer.""); but nothing I've tried seems to work...any ideas?

 

penders




msg:4416223
 11:56 am on Feb 10, 2012 (gmt 0)

I've tried setting up a string containing $_SERVER http referer so I can then say header("location: ".$referer.""); but nothing I've tried seems to work...


Almost, you need to save it in the session...

$_SESSION['referer'] = $_SERVER['HTTP_REFERER']; 
:
header('Location: '.$_SESSION['referer']);

g1smd




msg:4416224
 12:13 pm on Feb 10, 2012 (gmt 0)

What if referer is blank?

Isn't referer disabled for POST requests?

Also, don't include the index.php bit as a part of the URL you link or redirect to. The canonical form ends with a trailing slash.

penders




msg:4416238
 12:49 pm on Feb 10, 2012 (gmt 0)

Isn't referer disabled for POST requests?


The referer should be saved in the session before the POST request, when the login form is first displayed. And should not be overwritten if the referer is blank (the page is refreshed etc.)

But yes, this is not ideal. The referer could be blank in the beginning, so you would have no choice but to be redirected to the index page on success in this instance.

An alternative would be to store the current URL before being redirected to the login page rather than checking the referer on the login page. This would probably be the better approach.

Mr_Cat




msg:4416362
 6:24 pm on Feb 10, 2012 (gmt 0)

Ha, that was my first attempt, store the url before the redirect to login but obviosly I didn't quite hit the mark. I'll give it another bash and post some either successful or unsuccessful code later!

It's very reasuring penders you've just chucked my own attempt back at me, given that I just took a random guess at the best way, and that you've been godlike before in some of my posts, you'll be getting credit in some comments somewhere :D

Thanks!

Mr_Cat




msg:4416376
 7:07 pm on Feb 10, 2012 (gmt 0)

Ok, here it is, still not working, grrr.

new verify -


// let's call the database connection

// done

session_start();

$user_check = $_SESSION['login_user'];
$_SESSION['referer'] = $_SERVER['HTTP_REFERER'];

$ses_query = mysql_query("SELECT member_name, member_ID, member_email FROM members WHERE member_name = '$user_check' ");

$row = mysql_fetch_array($ses_query);

$member_name = $row['member_name'];
$member_ID = $row['member_ID'];
$member_email = $row['member_email'];

if(!isset($member_name))
{
header("Location: http://www.website.com/login/login.php");
}

// they're safe
?>


now the new login -


<?php

// let's call the database connection

// done

session_start();

if($_SERVER["REQUEST_METHOD"] == "POST"){

// username and password sent from Form

$myusername = addslashes($_POST['username']);
$mypassword = addslashes($_POST['password']);

$query = "SELECT member_ID FROM members WHERE member_name = '$myusername' and member_pw = '$mypassword'";
$result = mysql_query($query);
$row = mysql_fetch_array($result);

$count = mysql_num_rows($result);
$member_ID = $row['member_ID'];


// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
session_register("myusername");
$_SESSION['login_user'] = $myusername;


header("location: " . $_SESSION['referer']);
} // end if
else{

$error = "Your Login Name or Password is invalid";
} // end else
} // end if

?>

// login form here



What does this code do? It sends me to the base directory list of website.com/login (don't even talk to me about security yet please :)

...but I don't know why?

Also tried:


if($count==1){
session_register("myusername");
$_SESSION['login_user'] = $myusername;
$_SESSION['referer'] = $_SERVER['HTTP_REFERER'];

header("location: " . $_SESSION['referer']);


...which just reproduces the login script/form/page every time even with correct details entered several times.

This is really frustrating me because the whole system is rubbish without that tiny tweak. I know it'll be something small I'll kick myself about later but what the .. is it?

Mr_Cat




msg:4416834
 8:22 pm on Feb 12, 2012 (gmt 0)

Right!

Job done, and what a palava.

Here's how, and if you have a sleeker method please do tell.

In verify.php on every page I have:



$document = $_SERVER['PHP_SELF'];
$host = $_SERVER['HTTP_HOST'];
$querystring = '?'.$_SERVER['QUERY_STRING'];
$fullpath = $host.$document.$querystring;

session_start();

$user_check = $_SESSION['login_user'];
$_SESSION['referer'] = $fullpath;



then obviously and simply in login.php it's:

header("location: http://".$_SESSION['referer']);

I feel very proud now so any pats on the back most welcome along with sleeker methods.

The problem was the referer was just plain empty no matter what I did. No idea why, but this works a treat.

Cheers folks

coopster




msg:4417737
 3:41 am on Feb 15, 2012 (gmt 0)

Close, but never trust user-supplied input. PHP_SELF is an index that can be manipulated by the user and needs to have, at bare minimum, strip_tags() applied.

You are correct in that you can construct the desired page upon user landing and realizing that they are not authenticated. Building the proper referer and storing it in the SESSION is a common practice to bring the user to the desired page upon authentication. The HTTP_REFERER is not reliable as users may configure their browser/computer to not submit or show the header variable. I prefer to build the referer from the page that is responding to the request. After the user has authenticated you can once again check the userid/username for proper access to said page as well.

Mr_Cat




msg:4418139
 6:39 pm on Feb 15, 2012 (gmt 0)

Ah yes cheers, I have wondered about that, but security isn't a subject I've broached too much yet.

I'm not quite sure what you mean by building the referer from the page responding to the request etc tho. I kind of thought that's what I was doing with the top bit of code on the top of every page :s

coopster




msg:4418473
 8:29 pm on Feb 16, 2012 (gmt 0)

You are, I'm just advising you to scrub that PHP_SELF value before you use it in the landing script as it is user-supplied data and cannot be trusted. The REQUEST_URI is what I tend to use because of my server configuration. PHP_SELF is different than the REQUEST_URI. The REQUEST_URI is also user-supplied as it can be set in the browser address bar.

Set yourself up with a test page and hit it with a bunch of different combinations so you can see the subtle differences in your server variables. And search for "PHP_SELF security" to discover more about the vulnerabilities of using it in your HTML output, headers, etc. including your redirects.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved