Redirect to url with hidden parameters

I have had to jump off a validation project Im doing onto something else within the same project, but for some reason Im having a bit of trouble with something that seems so simple.

I want to redirect the user to the next page if theyre log in details match, and take with it the ID of the user, but hidden, but the redirect function isnt being called.

if (data != 0){
var userID = data;
$().redirect('index2.php', {'ID': userID});

If you are using PHP, why aren’t you doing this in PHP? I find if useless to have PHP only do one task, when what you just explained can also be done in PHP. It is also a security flaw when doing any processing on a client side language like Javascript.

The #1 rule is to keep client side language as minimum as possible when you want to process information. The ONLY step that needs client side language is when you want th user to submit information so the only way is to create a form. That’s about it. Everything from redirecting if user is logged in, processing sign up applications, etc should ALWAYS be done in sever-side.

Umm, well, whats happening is my site is registering new clients in a database on a web service, if they register correctly its returns and they can then log in.

On the log in page, the registrant logs in with their details, the details are then checked on the web service and if good it returns with their id and its at that point that if its not eqial to 0 the person is allowed to continue to the next page and I want to take their user id with them, so thats why Im trying to use redirect inside the if equal to function.

You should still be using PHP for this. Here’s a scenario with your idea.

User A comes to your site and attempts to log in. Your code successfully logs User A in with the right credentials. Now User B comes in. However, User B is mischievous and likes to break whatever User B can get their hands on. So instead of attempting to log in, User B plays with your HTML elements to see what ticks and what doesn’t work. User B comes upon your “if user is not logged in”. Usr B then attempts to put in their ID. Success. It redirects User B to whatever page you wanted. User B logs off and attempts with a different ID. Success, now someone’s account has been hijacked.

“Thanks for having such a secure system. My account is stolen.” - User C

Nothing should be processed via client-side. A lot of new beginners think it’s a great idea to stuff raw value of ID inside a hidden field, but that’s actually wrong. Anything that clients can see on their end, they can modify at will and break whatever amateur system you have.

1 Like

I see, ok thanks for this.

So should I within that if statement call a php script in another file and then use that php script to post the variables and send the user to the next page. Is that safer and better practice and what you mean.

I am trying this, but could you give me an idea of what I do with the jquery insde the if statement as below, as its not working at the mo

if (data != 0){
var userID = data;
url: 'redirect.php',
type: 'POST',
data: { ID: userID }

And then in redirect the php page, I am thinking of something like this, but I’m probably totally wrong.

if (!empty($_POST['ID'])){
header('Location: index2.php');

Ahh I dont know, tried this and no luck either, Im doing something wrong here

var userID = data;
$.post('redirect.php', 'ID=' + userID);

In register.php

$value = $_POST['ID'];
echo "I got your value! $value";
//header('Location: index2.php');

I think the point that @spaceshiptrooper was trying to make is that the whole login process should be handled server-side in order to be secure, as any client-side scripting is vulnerable to manipulation by users.

Hi Sam,

Right ok, I see, might have to go back to the drawing board later on then.

Could you see more alright with what im trying to do above for now, and will bring this thread up with the other guys here later.

No. People who say later most likely will NEVER do it. I highly recommend changing it right now while you are getting feedbacks on it. There’s no excuse not to change it while we are telling you that it has lots of security vulnerabilities.

1 Like

Ok I will finish what Im doing (on another bit of the project) and sort this out, as like you say its got to be done and the support is there, so get it done. I’ll be back and cheers

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.