security, php referrer variable


12 replies to this topic

#1 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 23 June 2006 - 04:30 PM

Hello all! I've done a lot of PHP coding in the past, and have a "staff" section for the site I'm currently working on, which just has an HTML page which submits the user-inputted password to a PHP file which says if the POST password = the password in the file then it echoes the available links (add news, edit/delete news, upload a file, etc.) and when you click on a link, it links to the appropriate page. The problem is that if by chance someone knew the URL of a certain page (for instance, the "add a news article" page), they could bypass the password page to add news. The page with links to all of those locations is protected by the initial password, but how would I protect the other pages? I guess I could make an if statement at the beginning of each page I want protected that checks the referrer, like (excuse my ignorance of the PHP variable for referrer)

<?php
// $_SERVER['HTTP_REFERER'] holds the Referer header exactly as the browser sent it
if ($_SERVER['HTTP_REFERER'] == "http://www.PCritics.com/staff/go.php")
{
    echo "page contents";
}
else
{
    echo "Please login through the staff page to access this page.";
}

Yeah? What's the PHP variable for referrer, and what does it contain?
http://www.DaveLinger.com
dave at linger dot com

#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 23 June 2006 - 04:59 PM

If you use sessions it'll be much better, as the referer variable can be spoofed and sometimes it is not set by the client's web browser.

So if you have sessions you'll have this block of code:
<?php
session_start();

if(!isset($_SESSION['loggedIn'] || !$_SESSION['loggedIn'] == 1)
{
    die("Please login you are not authorised to access this page");
}

// rest of code here
When they login use this:
session_start();
$_SESSION['loggedIn'] = 1;
That is a far better way of doing what you want to do.

#3 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 23 June 2006 - 05:23 PM

ok I'll try that

#4 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 23 June 2006 - 05:34 PM

Parse error: parse error, unexpected T_BOOLEAN_OR, expecting ',' or ')' in /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php on line 8

(that's the "if" line)

#5 jworisek

jworisek
  • Members
  • Advanced Member
  • 112 posts

Posted 23 June 2006 - 05:37 PM

<?php
session_start();

// Compare the flag directly: "!$x == 1" applies the ! before the ==, so it
// only worked by coincidence for values of 0 and 1
if(!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != 1)
{
    die("Please login you are not authorised to access this page");
}

// rest of code here

Missing a paren after $_SESSION['loggedIn'].

#6 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 23 June 2006 - 05:39 PM

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php:4) in /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php on line 6


#7 jworisek

jworisek
  • Members
  • Advanced Member
  • 112 posts

Posted 23 June 2006 - 05:51 PM

You must have session_start() before any output is sent... place it at the very start of your script.

#8 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 23 June 2006 - 06:02 PM

well, here's my code:

<?php
// Must run before any output, or the session cookie header cannot be sent
session_start();

// Direct comparison of the flag, so the precedence of ! does not matter
if(!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != 1)
{
    die("Please login you are not authorised to access this page");
}
?>
<html>
<head>
<title>PCritics.com</title>
<?php
include('../../header.php');
?>

<!-- the rest of my code here -->

and when I access the file directly, it acts like before, like the code isn't there, lets me right in without starting the session =/

Actually, scratch that, it works, but how do I close the session when they're done?

#9 jworisek

jworisek
  • Members
  • Advanced Member
  • 112 posts

Posted 23 June 2006 - 06:06 PM

So that code is everything on your addevent.php page?

I tried that same code on my server and it worked fine.


#10 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 23 June 2006 - 06:28 PM

Ends up I just already had the session in Firefox; tried it in IE and it worked.

#11 DaveLinger

DaveLinger
  • Members
  • Advanced Member
  • 268 posts
  • LocationWV, USA

Posted 26 June 2006 - 04:05 PM

How would I END the session?

#12 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 26 June 2006 - 04:20 PM

Why do you need that?
Anyway, it's done using session_destroy(), or when the browser window is being closed.

Orio.

#13 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 26 June 2006 - 04:22 PM

By closing your browser. Or, you can do this:

session_start();
unset($_SESSION['blah']); // explicitly destroy the var
$_SESSION = array();      // reset the entire session array for good measure
session_destroy();        // destroy the server-side session record
Though, I honestly don't know if this will work with tabbed browsing...
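Pulling the replies together (the session guard from #2/#5, session_start() before any output from #7, and the logout from #13), here is an added example that is not code from any poster: one script acting as login, guard and logout for a small staff area. It assumes the staff password is stored as a password_hash() result rather than in plain text; the hash constant below is a constructed placeholder.

```php
<?php
// Added example, not code from the thread: login, page guard and logout for a
// small staff area using sessions instead of a Referer check. The hash below is
// a constructed placeholder for the output of password_hash().
session_start();
const STAFF_PASSWORD_HASH = '$2y$10$REPLACE_WITH_REAL_HASH_FROM_password_hash';

function staff_login(string $submitted): bool
{
    // password_verify() is a constant-time comparison, unlike ==
    if (!password_verify($submitted, STAFF_PASSWORD_HASH)) {
        return false;
    }
    session_regenerate_id(true); // new id on privilege change (session fixation)
    $_SESSION['loggedIn'] = 1;
    return true;
}

function require_staff(): void
{
    // Explicit comparison, so the precedence of ! does not matter
    if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] !== 1) {
        http_response_code(403);
        exit('Please login through the staff page to access this page.');
    }
}

function staff_logout(): void
{
    // Clear the data, expire the cookie, then destroy the server-side record
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Dispatch: ?action=logout, a POSTed password from the staff form, or a guarded page
if (($_GET['action'] ?? '') === 'logout') {
    staff_logout();
    exit('Logged out.');
}
if (isset($_POST['password']) && !staff_login((string) $_POST['password'])) {
    exit('Wrong password.');
}
require_staff();
echo 'page contents';
```

Each protected page only needs session_start() followed by require_staff() at its very top, before any HTML; the logout branch also answers the "how do I close the session" question by removing the cookie as well as the server-side data.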