Need help with Branching


doubledee

I am going crazy trying to figure out how to get my website to branch properly.

 

My website is set up so that whenever a page is loaded, I store its location in $_SESSION['returnToPage']

 

This is helpful for things like Logging In.

 

If you are on "Page A" and you go to the "log_in.php", then after being authenticated, you go back to "Page A" - which is where you were -  because "log_in.php" redirects you to $_SESSION['returnToPage']

 

That is fine and dandy except in this scenario...

 

- User is on "article.php?slug=postage-meters-can-save-you-money"

- The current page is stored in $_SESSION['returnToPage']

- User wants to add a comment on the above page but isn't logged in

- User clicks "Log In"

- The "log_in.php" page is displayed

- User logs in

 

Normally, the User would be taken back to where they were (i.e. "article.php?slug=postage-meters-can-save-you-money"); however, I want the User to be sent to "add_comment.php" so they can add a comment.

 

From that page - if everything goes okay, THEN I redirect back to $_SESSION['returnToPage'] which is the original Article.

 

Somehow I need a way to know that a User is trying to log in so he/she can add a Comment to an Article and then route him/her to the appropriate "add_comment.php", but I am drawing blanks on how to do this?!

 

Any ideas?

 

Thanks,

 

 

Debbie

 

P.S.  The solution must only use PHP or Apache stuff.  (No JavaScript!!)

 


Why can't you just set the session when they go to add_comment.php?

 

I don't follow you?!

 

Let me back up...

 

Because I couldn't think of an intelligent way to branch, I created two nearly identical files (which I am trying to merge into one)...

 

log_in.php

// Check # of Records Returned.
if (mysqli_stmt_num_rows($stmt)==1){
	// Member was Found.

	// ******************
	// Redirect User.		*
	// ******************
	if (isset($_SESSION['returnToPage'])){
		header("Location: " . BASE_URL . $_SESSION['returnToPage']);
	}else{
		// Take user to Home Page.
		header("Location: " . BASE_URL . "index.php");
	}
	// Stop the script so nothing runs after the redirect header.
	exit();

}else{
	// Member not Found.
}

 

 

And just for the case where a User is on an Article, and needs to log in so he/she can be sent to "add_comment.php"...

 

log_in_c.php

if (mysqli_stmt_num_rows($stmt)==1){
	// Member was Found.

	// ******************
	// Redirect User.		*
	// ******************
	// Redirect to Add Comment form.
	header("Location: " . WEB_ROOT . 'add_comment.php');
	// Stop the script so nothing runs after the redirect header.
	exit();

}else{
	// Member not Found.
}

 

 

To your question, my log in page needs to be told whether this is a normal log in or a log in in order to allow a user to add a comment.

 

Logically, the only "player" who can do that is the "article.php" page.

 

Although I don't know how?!

 

Make sense?!

 

 

Debbie

 


I don't like using Query Strings because they look ugly and they make me nervous about hackers seeing what is going on and having an excuse to play with the URL.

 

It seems to me that the following assumption is fairly safe to make...

 

If a user is reading an Article (i.e. on "article.php?....") and they click the "Log In" button in the Comments section - as opposed to the "Log In" link in the Header - then they must be trying to add a comment, and therefore should be re-routed back to whatever Article they were reading before they attempted to Log In.

 

Right?!

 

If that is a safe assumption to make, then in "log_in.php", if I could just look at the URL and determine that there is an "article.php" in the URL, then that should be enough for me to know that my "log_in.php" script needs to redirect to "add_comment.php" versus the normal going back to the pre-log-in page.  Right?

 

 

Debbie

 


On add_comment.php set $_SESSION['returnToPage'] to add_comment.php

 

HUH????????????????

 

Why would you want to return to "add_comment.php" when you are on "add_comment.php"???

 

 

Debbie

 

 

 

Because you go to add_comment.php, aren't logged in so you get redirected to login.php, and then get redirected back to add_comment.php after logging in.

 

Making assumptions that the user wants to add a comment just because they logged in while reading an article is a little weird. Don't make assumptions, do things that seem natural and expected.


I don't think you are following my flow...

 

On the "article.php" page I have a "Comments" section at the bottom of the page.

 

If you are logged in you see an "Add Comment" button.

 

If you are not logged in, you see...

 

To add a comment you must either...

 

*LOG-IN* or *CREATE AN ACCOUNT*

 

If I am not logged in, and I click "Log In" then you wouldn't expect to go to "add-comment.php"...

 

But after you log in, you would expect to be automatically routed to "add_comment.php"...

 

 

Making assumptions that the user wants to add a comment just because they logged in while reading an article is a little weird. Don't make assumptions, do things that seem natural and expected.

 

Think that was you this time...  ;)

 

 

Debbie

 


This seems to work...

// Check # of Records Returned.
if (mysqli_stmt_num_rows($stmt)==1){
	// Member was Found.

	// ******************
	// Redirect User.		*
	// ******************

	// Only look inside returnToPage once we know it is set.
	$subString="article.php";
	if (!isset($_SESSION['returnToPage'])){
		// Take user to Home Page.
		header("Location: " . BASE_URL . "index.php");

	}elseif(strpos($_SESSION['returnToPage'], $subString)===FALSE){
		// Normal Redirect.
		header("Location: " . BASE_URL . $_SESSION['returnToPage']);

	}else{
		// Add Comment Redirect.
		header("Location: " . BASE_URL . "articles/add_comment.php");
	}

	// End script (after every redirect, not just the normal one).
	exit();

}else{
	// Member not Found.
}// End of FIND MEMBER RECORD

 

...and it eliminates my redundant "log_in_c.php"

 

 

Debbie

 


I don't like using Query Strings because they look ugly and they make me nervous about hackers seeing what is going on and having an excuse to play with the URL.

 

Trust me when I say that pretty URLs are not a security benefit.  What you should do is use RESTful principles, harden your db, and be smart about validation, sanitation, and how you structure your queries.

 

Regarding your actual problem, I don't see why you'd want the 'add comment' functionality on a separate page.  Unless you're building a forum, you're better off just having a simple WYSIWYG editor at the bottom of your article that posts to itself (article.php).  It's a better, proven design.

 

If you insist on keeping the extra page, then you should really view your site navigation in terms of actions with intent.  As in, "If someone clicks this link/button, what are they trying to do?  And where should the site send them?"  Saving their current location isn't enough, as you're seeing.  At times, you'll need to capture their desired destination, too.

 

There are different ways to do it, but if you're following RESTful principles, you'd append the destination to a query string.  The page acting as the middleman/controller would need to parse and redirect to the destination after whatever necessary middle step was completed.


If I am on some "article.php?..." page and click on the "Log In" link in my Header, then instead of routing me back to the Article page that I was on, my new code takes me to the "add-comment.php" page which isn't what I wanted.  (That behavior should just work if the user clicks "Log In" from the "Comments" section on any given Article page.)

 

Ugh!!

 

Looks like back to the drawing board...

 

 

Debbie

 


I don't like using Query Strings because they look ugly and they make me nervous about hackers seeing what is going on and having an excuse to play with the URL.

 

Trust me when I say that pretty URLs are not a security benefit.  What you should do is use RESTful principles, harden your db, and be smart about validation, sanitation, and how you structure your queries.

 

What is RESTful?

 

I've heard the term but have no clue what that means.

 

As far as your other suggestions, well, that is why I am here!  To be a better web developer.  (Obviously I have a long ways to go..)

 

 

Regarding your actual problem, I don't see why you'd want the 'add comment' functionality on a separate page.  Unless you're building a forum, you're better off just having a simple WYSIWYG editor at the bottom of your article that posts to itself (article.php).  It's a better, proven design.

 

One obvious reason is that I have a very nice looking site and process flow, and making that seemingly simple change means a hell of a lot of re-work on the HTML/CSS side.

 

I'm not saying I wouldn't consider it down the road, but I think it is smarter to get what I have working versus re-tooling everything.

 

 

If you insist on keeping the extra page, then you should really view your site navigation in terms of actions with intent.  As in, "If someone clicks this link/button, what are they trying to do?  And where should the site send them?"  Saving their current location isn't enough, as you're seeing.  At times, you'll need to capture their desired destination, too.

 

Yes, I am seeing that.  (This is one thing I find sooo difficult with web programming.  When I dabbled with Visual Basic, it was so much easier to have everything be an "event".  Suzy clicks on this button, and all of these events "fire" off.)

 

 

There are different ways to do it, but if you're following RESTful principles, you'd append the destination to a query string.  The page acting as the middleman/controller would need to parse and redirect to the destination after whatever necessary middle step was completed.

 

- So the user is on "article.php?slug=postage-meters-can-save-you-money"

- The User clicks on "Log In" - under the "Comments" section - on the above script

- The hyperlink behind the "Log In" button would go from...

<a href="' . BASE_URL . 'members/log_in.php">Log In</a>

 

...to...

<a href="' . BASE_URL . 'members/log_in.php?addcomment=true">Log In</a>

 

Or something like that?

 

BTW, isn't there any way to do what I want using my Session?

 

Thanks,

 

 

Debbie

 

 


REST - Using HTTP as an API.  GET and POST (and PUT and DELETE, but those are accessed through raw headers) have meaning.  GET should only be used when attempting to retrieve data.  It should be used in an immutable context (meaning that when you use GET, you're not trying to change/edit data with it).  Similarly, POST should only be used in creating or updating data.

 

And, yes, you're on the right track with your modified URL.  In fact, I say ditch the session for the previous page and add it to the query string, too:

 

site.com/login.php?currentPage=article&destination=comment

 

Then, in login.php:

 

if (isset($_GET['destination'])) {
   // redirect to destination 
} else {
   // no destination set, so redirect to currentPage
}


Ugh!  It's past my bedtime?!  >:(

 

First off, thanks for trying to teach me something new (and possibly better).

 

So, you are saying that there really no security risks in passing things in the URL in plain sight?  (At least in this context.)

 

I always worry about people screwing with the URL and Query String and causing my code to go crazy?!

 

And this won't hurt my SEO?  (It seems to me like I should just block the bots from pages like "log_in.php" and "add_comment.php"?!)

 

It sure does create UGLY URLs...    ::)

 

Well, unfortunately I have to go to bed.

 

Hopefully you'll be around tomorrow for follow-up questions.

 

Thanks,

 

 

Debbie

 

 


If you're not using the query string data in a query, then there's not much harm that can be done.  Keep a white list of legit pages one can go to, and check that the incoming data matches one of them.  If it does, redirect.  Else, error.

 

There's more danger if the query string data is to be used in a query, but nothing frightening or exotic.  That's where db security comes into play.  Use an account OTHER than root, and only give it the minimum privileges it needs to do the job.  Validate the data and escape it.

 

Regarding the appearance of the URLs, .htaccess and mod_rewrite can be used to make them look pretty.  It can make something like

 

site.com/login/currentPage/destination

 

Perhaps not ideal, but better than the raw query string.

 

As an aside, these kinds of issues highlight the strength of frameworks.  They tend to come with route table functionality, mod_rewrite, and navigation helper functions out of the box.
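An added example (not code from anyone in this thread) putting the two suggestions above together: the intended destination is carried in the query string or in the session (the earlier "set the session on add_comment.php" idea), and log_in.php checks it against a white list of page paths before sending the Location header. BASE_URL and $_SESSION['returnToPage'] come from the thread; the BASE_URL value, $_SESSION['member_id'], require_login(), redirect_after_login() and the pages in $allowedPages are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: the BASE_URL value,
// $_SESSION['member_id'], require_login(), redirect_after_login(), the pages in
// $allowedPages, and that stored locations are paths relative to BASE_URL.
session_start();
define('BASE_URL', 'https://www.example.com/');   // placeholder value
// The only pages log_in.php may ever redirect to (path part, no query string).
$allowedPages = array('index.php', 'article.php', 'articles/add_comment.php');

function is_allowed_destination($candidate, array $allowedPages) {
    $parts = parse_url($candidate);
    // Absolute URLs and protocol-relative "//host/..." are rejected, which is
    // what stops an unchecked ?destination= from becoming an open redirect.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    if (!isset($parts['path']) || $parts['path'] === '' || $parts['path'][0] === '/') {
        return false;
    }
    return in_array($parts['path'], $allowedPages, true);
}

// Top of a protected page such as add_comment.php: remember where the visitor
// was trying to go, then send them to log in ("set the session on
// add_comment.php", as suggested earlier in the thread).
function require_login($thisPage) {
    if (empty($_SESSION['member_id'])) {
        $_SESSION['destination'] = $thisPage;
        header('Location: ' . BASE_URL . 'members/log_in.php');
        exit();
    }
}

// log_in.php, once the member record is found: ?destination= wins, then the
// value saved by require_login(), then returnToPage; anything else goes home.
function redirect_after_login(array $allowedPages) {
    $candidates = array();
    if (isset($_GET['destination']))      $candidates[] = $_GET['destination'];
    if (isset($_SESSION['destination']))  $candidates[] = $_SESSION['destination'];
    if (isset($_SESSION['returnToPage'])) $candidates[] = $_SESSION['returnToPage'];

    $target = 'index.php';
    foreach ($candidates as $candidate) {
        if (is_allowed_destination($candidate, $allowedPages)) { $target = $candidate; break; }
    }
    unset($_SESSION['destination']);   // one-shot: never replayed on a later login
    header('Location: ' . BASE_URL . $target);
    exit();   // nothing may keep running after the redirect header
}
```

With this in place a tampered ?destination=//evil.example or ../admin.php simply falls through to index.php, which is the "Else, error" branch described above handled as a safe default.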
