
security, php referrer variable


DaveLinger


Hello all! I've done a lot of PHP coding in the past, and have a "staff" section for the site I'm currently working on, which just has an HTML page which submits the user-inputted password to a PHP file which says if the POST password = the password in the file then it echoes the available links (add news, edit/delete news, upload a file, etc.), and when you click on a link, it links to the appropriate page. The problem is that if by chance the URL of a certain page (for instance, the "add a news article" page), they could bypass the password page to add news. The page with links to all of those locations is protected by the initial password, but how would I protect the other pages? I guess I could make an if statement at the beginning of each page I want protected that checks the referrer, like (excuse my ignorance of the PHP variable for referrer)

[code]<?php
// $_SERVER['HTTP_REFERER'] holds the Referer header the browser sent, if it sent one
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == "http://www.PCritics.com/staff/go.php")
{
    echo "page contents";
}
else
{
    echo "Please login through the staff page to access this page.";
}[/code]

Yeah? What's the PHP variable for referrer, and what does it contain?

If you use sessions it'll be much better, as the referrer variable can be spoofed and sometimes it is not set by the client's web browser.

So if you have sessions you'll have this block of code:
[code]<?php
session_start();

// deny access unless the login handler has set the flag in this session
if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] !== 1)
{
    die("Please login you are not authorised to access this page");
}

// rest of code here[/code]
When they login use this:
[code]session_start();
$_SESSION['loggedIn'] = 1;[/code]
That is a far better way of doing what you want to do.
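As an added example (not code from this thread), here is one way to turn the advice above into a single gate file that every staff page requires at its very top. It keeps the opening post's referrer test only as the weak form, alongside the server-side session check that actually decides access. The file name, `STAFF_PASSWORD_HASH`, the session key names and the cookie options are all assumptions.

```php
<?php
// staff_auth.php - added example, not the thread's own code.
// Every protected page starts with, before ANY output (no blank line or BOM first):
//   <?php require __DIR__ . '/staff_auth.php'; require_staff_login(); ?>

// WEAK: the Referer header is chosen by the client. It may be absent or set
// to anything, so it is not an access control, only a hint.
function weak_referrer_gate(): bool
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return $referer === 'http://www.PCritics.com/staff/go.php';
}

// Placeholder: generate once with password_hash('the password', PASSWORD_DEFAULT)
// and keep the hash, never the plain password, in the file.
const STAFF_PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Start the session with hardened cookie settings (options array: PHP 7.3+).
function start_staff_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start([
            'cookie_httponly' => true,   // JavaScript cannot read the cookie
            'cookie_samesite' => 'Lax',  // not sent on cross-site POSTs
            'use_strict_mode' => true,   // reject ids the server never issued
        ]);
    }
}

// Called by the login form handler (go.php in the thread) with $_POST['password'].
function staff_login(string $submitted): bool
{
    start_staff_session();
    if (!password_verify($submitted, STAFF_PASSWORD_HASH)) {
        return false;
    }
    // Fresh session id on privilege change so a pre-set id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['loginTime'] = time();
    return true;
}

// The check every protected page relies on: session state, not headers.
function staff_is_logged_in(int $maxAgeSeconds = 3600): bool
{
    if (($_SESSION['loggedIn'] ?? false) !== true) {
        return false;
    }
    // Absolute timeout so a forgotten tab does not stay privileged forever.
    return (time() - ($_SESSION['loginTime'] ?? 0)) <= $maxAgeSeconds;
}

function require_staff_login(): void
{
    start_staff_session();
    if (!staff_is_logged_in()) {
        http_response_code(403);
        exit('Please login through the staff page to access this page.');
    }
}
```

Because `require_staff_login()` exits before the page body runs, hitting `addevent.php` directly with no session yields the 403 text and nothing else; the same function call at the top of each page is all that is needed, and the `session_start()` inside it must precede any HTML so the cookie headers can still be sent.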

[code]
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php:4) in /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php on line 6[/code]

well, here's my code:

[code]
<?php
session_start();

if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] !== 1)
{
    die("Please login you are not authorised to access this page");
}
?>
<html>
<head>
<title>PCritics.com</title>
<?php
include('../../header.php');
?>

<!-- the rest of my code here -->[/code]

and when I access the file directly, it acts like before, like the code isn't there; lets me right in without starting the session =/

actually scratch that, it works, but how do I close the session when they're done?

so that code is everything on your addevent.php page?

I tried that same code on my server and it worked fine.

[quote name='DaveLinger' date='Jun 23 2006, 01:02 PM']
well, here's my code:

[code]
<?php
session_start();

if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] !== 1)
{
    die("Please login you are not authorised to access this page");
}
?>
<html>
<head>
<title>PCritics.com</title>
<?php
include('../../header.php');
?>

<!-- the rest of my code here -->[/code]

and when I access the file directly, it acts like before, like the code isn't there; lets me right in without starting the session =/

actually scratch that, it works, but how do I close the session when they're done?
[/quote]

by closing your browser. or, you can do this:

[code]
session_start();
unset($_SESSION['blah']); //explicitly destroy the var
$_SESSION = array(); //reset the entire session array for good measure
session_destroy(); //destroy the session
[/code]
though, I honestly don't know if this will work with tabbed browsing...
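An added example (not the thread's own code) of a logout handler that goes one step further than the snippet above: besides clearing the session array and destroying the server-side record, it expires the session cookie in the browser, so the old session id is not presented again. The redirect target is an assumption.

```php
<?php
// staff_logout.php - added example, not the thread's own code.
// Like every session_start() call, this must run before any output.
function staff_logout(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // 1. Drop every server-side value, not just the login flag.
    $_SESSION = [];

    // 2. Expire the cookie client-side. session_destroy() alone leaves the
    //    cookie in place, and the same cookie is shared by every tab of the
    //    browser, so expiring it logs out all tabs at once.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();   // mirror the original attributes
        setcookie(session_name(), '', [      // options array: PHP 7.3+
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Delete the server-side session file/record.
    session_destroy();
}

staff_logout();
header('Location: /staff/index.html'); // assumed location of the login page
exit;
```

Once the cookie is gone and the server-side record is destroyed, a request from any other open tab arrives without a valid session and is turned away by the same check the protected pages already run, which answers the tabbed-browsing concern.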
