  1. #1
    SitePoint Zealot
    Join Date
    Jul 2006
    Location
    Closer than you think
    Posts
    149

    Redirect and $_SERVER['Request_URI']

    I am trying to allow a redirect after logging in which is great when I have one variable.

    On Page1.php I have

    PHP Code:
    if ($_SESSION['loggedin'] != 'yes') {
        // Send the user to the login page, carrying the current URL so they can be sent back afterwards
        header("Location: LogIn.php?r=" . $_SERVER['REQUEST_URI']);
        exit;
    }

    On the Login.php Page
    PHP Code:
    ...
    if ($SuccessfulLogin && isset($_GET['r'])) {
        // Send the user back to the page they originally requested
        header("Location: " . $_GET['r']);
        exit;
    }

    Ignore any typos. The redirect works great except when more than one variable is in the URL

    ex. Page1.php?val1=1&val2=1

    It will redirect me to Page1.php?val=1

    Obviously, when I am redirected to the login page it's not copying correctly

    Login.php?r=/page1.php?val1=Page1.php?val1=1&val2=1

    $_GET['r'] is equal to /page1.php?val1=Page1.php?val1 The & is starting another Variable.

    Any suggestions on this?
    Live Well.

  2. #2
    php_daemon (silver trophy, bronze trophy)
    Join Date
    Mar 2006
    Posts
    5,284
    PHP Code:
    if ($_SESSION['loggedin'] != 'yes') {
        // Percent-encode the return URL so its own '?', '&' and '=' survive as part of the r parameter
        header("Location: LogIn.php?r=" . urlencode($_SERVER['REQUEST_URI']));
        exit;
    }

    Saul
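    To make the difference concrete, here is an added example (not code from the thread or from any poster) that builds the login URL both ways and then reconstructs what PHP would place in $_GET on LogIn.php. The $requestUri value is a constructed stand-in for $_SERVER['REQUEST_URI'] on Page1.php.

```php
<?php
// Added example, not from the thread: why the unencoded return URL loses every
// parameter after the first '&', and how urlencode() keeps them together.

// Constructed stand-in for $_SERVER['REQUEST_URI'] on Page1.php.
$requestUri = '/Page1.php?val1=1&val2=1';

// Post #1: the raw value is appended to the query string.
$broken = 'LogIn.php?r=' . $requestUri;

// Post #2: the value is percent-encoded first, so '?', '&' and '=' become %3F, %26, %3D.
$fixed = 'LogIn.php?r=' . urlencode($requestUri);

// Reproduce what PHP would put into $_GET for a given URL:
// parse_url() isolates the query string, parse_str() splits and decodes it the same way $_GET is built.
function simulatedGet(string $url): array
{
    $query = parse_url($url, PHP_URL_QUERY) ?? '';
    parse_str($query, $params);
    return $params;
}

echo "Broken URL: $broken\n";
// 'r' holds only '/Page1.php?val1=1'; 'val2' has become a separate top-level parameter of LogIn.php.
var_dump(simulatedGet($broken));

echo "Fixed URL: $fixed\n";
// 'r' holds '/Page1.php?val1=1&val2=1' after PHP decodes it; there is no stray 'val2' key.
var_dump(simulatedGet($fixed));
```

    PHP decodes the percent-encoding when it populates $_GET, so LogIn.php does not need to call urldecode() itself; doing so a second time would corrupt any value that legitimately contained a literal '%'.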

  3. #3
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Don't forget to call exit(); after sending a redirect header unless you want your script to continue executing.

  4. #4
    SitePoint Wizard stereofrog
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Quote Originally Posted by WeakestLink
    header("Location:".$_GET['r'])
    This code is questionable for two reasons.

    Redirecting to a relative URL is a violation of the HTTP standard, which states you must use only absolute URLs (starting with protocol and host name).

    Directly outputting unfiltered user input is always a security concern. You should at least validate the request parameter to make sure it is really what you expect it to be.
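    Putting both of those points into code, here is an added example (not from the thread or any poster) of a helper for LogIn.php that validates the r parameter and returns an absolute URL for the Location header. The function name safeReturnUrl, the $scheme/$host arguments (which should come from the application's own configuration, never from the request) and the sample inputs are all constructed for this illustration.

```php
<?php
// Added example, not from the thread: turn the user-supplied r parameter into a
// redirect target that is (a) an absolute URL and (b) restricted to this site.
// Anything that does not look like a local path falls back to $fallback, which
// closes the open-redirect hole that "header('Location:' . $_GET['r'])" leaves.
function safeReturnUrl(?string $r, string $scheme, string $host, string $fallback = '/index.php'): string
{
    $path = $fallback;

    if (is_string($r) && $r !== '') {
        $parts = parse_url($r);

        $isLocalPath = $parts !== false
            && !isset($parts['scheme'])          // rejects http://..., javascript:..., data:...
            && !isset($parts['host'])            // rejects //evil.example/... (protocol-relative)
            && !isset($parts['user'])
            && !isset($parts['pass'])
            && isset($parts['path'])
            && $parts['path'][0] === '/'         // must be site-absolute, not "evil.example/x"
            && strpos($r, '\\') === false        // browsers may treat "/\evil.example" like "//evil.example"
            && !preg_match('/[\x00-\x1F\x7F]/', $r); // no CR/LF or other control characters

        if ($isLocalPath) {
            $path = $parts['path'];
            if (isset($parts['query'])) {
                $path .= '?' . $parts['query'];  // keeps val1=1&val2=1 from the original request
            }
            // Any fragment is intentionally dropped; it is never sent to the server anyway.
        }
    }

    return $scheme . '://' . $host . $path;
}

// Usage on LogIn.php after a successful login (hypothetical $SuccessfulLogin from the thread):
//   if ($SuccessfulLogin) {
//       header('Location: ' . safeReturnUrl($_GET['r'] ?? null, 'https', 'www.example.com'));
//       exit;
//   }

// Constructed inputs showing what is accepted and what is replaced by the fallback.
$samples = [
    '/Page1.php?val1=1&val2=1',          // accepted: https://www.example.com/Page1.php?val1=1&val2=1
    'http://evil.example/phish',         // rejected: has a scheme
    '//evil.example/phish',              // rejected: has a host
    '/\\evil.example/phish',             // rejected: backslash
    'Page1.php',                         // rejected: not site-absolute
    "/Page1.php\r\nSet-Cookie: x=1",     // rejected: control characters
    null,                                // no r at all: fallback
];
foreach ($samples as $r) {
    printf("%-36s => %s\n", var_export($r, true), safeReturnUrl($r, 'https', 'www.example.com'));
}
```

    The allow-list approach (accept only what is provably a local path, fall back otherwise) is deliberately stricter than trying to enumerate bad prefixes; the helper never echoes a rejected value back to the user, so a hostile r cannot reach the Location header in any form.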
