dadamssg Posted March 29, 2009 Share Posted March 29, 2009 im writing a register confirmation script. it checks the variables in the url via $_GET against whats in the db. if they match the user gets confirmed. it works fine. so for example this is what my url would look like http://www.mysite.php?uu=hello&[email protected]&ch=2swet3sd5siys25dgvcbmsdg5 after i click the link and it gets confirmed it will send me to my homepage logged in. well i just noticed that if i just type in and go to http://www.mysite.php?confirm.php it will also log me in, but with a blank username ect. it will grant me the rights to access certain pages as it should if im 'logged in' i want to make sure i have variables in the url and then i want to make sure theyre not blank, so i have this but its not working(still sends me logged in) //if each below isn't there redirect $uu = clean_data($_GET["uu"]); $ee = clean_data($_GET["ee"]); $ch = clean_data($_GET["ch"]); if(!isset($uu)) {header("Location: http://www.mysite.com");} if(!isset($ee)) {header("Location: http://www.mysite.com");} if(!isset($ch)) {header("Location: http://www.mysite.com");} if($uu == "") {header("Location: http://www.mysite.com");} if($ee == "") {header("Location: http://www.mysite.com");} if($ch == "") {header("Location: http://www.mysite.com");} clean_data() strips the tags and trims the data any advice? Quote Link to comment https://forums.phpfreaks.com/topic/151630-solved-redirect-if-_gets-arent-there/ Share on other sites More sharing options...
wildteen88 Posted March 29, 2009 Share Posted March 29, 2009 Your code can be written as if(!isset($_GET["uu"], $_GET["ee"], $_GET["ch"]) && empty($_GET["uu"]) && empty($_GET["ee"]) && empty($_GET["ch"])) { header("Location: http://www.mysite.com"); } $uu = clean_data($_GET["uu"]); $ee = clean_data($_GET["ee"]); $ch = clean_data($_GET["ch"]); Quote Link to comment https://forums.phpfreaks.com/topic/151630-solved-redirect-if-_gets-arent-there/#findComment-796330 Share on other sites More sharing options...
genericnumber1 Posted March 29, 2009 Share Posted March 29, 2009 No offense, but if people can get privileged into your website via a blank query string, there are definitely bigger problems than this you should be worrying about. On that note, You immediately set $uu then check if it is set... It will always be set unless clean_data returns null... so those lines are superfluous, and I don't really see why you had them there in the first place. After you do a header redirect you should always tell your script to die because execution of the script will continue if you do not. Quote Link to comment https://forums.phpfreaks.com/topic/151630-solved-redirect-if-_gets-arent-there/#findComment-796336 Share on other sites More sharing options...
dadamssg Posted March 29, 2009 Author Share Posted March 29, 2009 hey thanks for the quick responses, works now ...yeah im definitely still learning and the only way to login was the confirm script and the login script which have now been fixed, so thanks for that! i didn't even think to use die or exit in my confirm script...super glad you pointed that out Quote Link to comment https://forums.phpfreaks.com/topic/151630-solved-redirect-if-_gets-arent-there/#findComment-796341 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.