neoform Posted March 27, 2007

I have a login script that needs to be able to send the user back to where they were before logging in.. right now I'm using login.php?b=previous_page.php but this leaves me open for abuse from malicious links.. what would be the best way to protect from this sort of thing? I thought about cookies, but i'm not sure how i'd pull that off since i'd have to set a 'referral' cookie on virtually every page for it to know where to go back..
rcorlew Posted March 27, 2007

I don't know if this is the best way, here is what I am using at the moment to stop most of it,

    <?php
    // Stop the script if the query string contains "href", "</A>", "</a>" or "<"
    $num_m = preg_match("[href|</A>|</a>|<]", $_SERVER['QUERY_STRING'], $z1, PREG_OFFSET_CAPTURE);
    if($num_m >= 1){
        exit();
    }
    ?>
    //Rest of page in new <?php ?> brackets

I will keep adding stuff to the match as it becomes clear, but I think that should catch most of it.
hitman6003 Posted March 27, 2007

    echo $_SERVER['HTTP_REFERER'];
Waldir Posted March 27, 2007

    header("Location: ".$_SERVER['HTTP_REFERER']);
neoform (Author) Posted March 27, 2007

    header("Location: ".$_SERVER['HTTP_REFERER']);

that won't work if the page they're coming from is an action or something.. or if you actually want them to bounce to a different page.. :S like to track outgoing clicks or something.. (just generalizing, but i'm looking for the most versatile method)
Waldir Posted March 27, 2007

specify which page u want to send them to:

    header("Location: login.php");

works just as fine
neoform (Author) Posted March 27, 2007

i think i'mma use this:

    // make_cookie() and kill_cookie() are helper functions not shown in this post
    function make_bounce($url = '')
    {
        if (isset($_SERVER['HTTP_REFERER']) && ! $url)
            $url = $_SERVER['HTTP_REFERER'];
        make_cookie('bounce', rawurlencode($url));
    }

    function bounce_user()
    {
        $url = isset($_COOKIE['bounce']) ? rawurldecode($_COOKIE['bounce']) : '';
        kill_cookie('bounce');
        if ($url)
            header('Location: '.$url);
    }

unless someone sees a problem with this sorta method..
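Editor's added example, not code from any poster in this thread: whichever source supplies the return target (the `b` parameter, the Referer header or a cookie), the value comes from the client, so one mitigation is to accept only a local path on the same site before it reaches `header('Location: ...')`. The function names `safe_return_path()` and `referer_to_local_path()` and the `SITE_HOST` constant are hypothetical, and the sample values are constructed.

```php
<?php
// Added example (not from the thread). Function names and SITE_HOST are assumptions.
const SITE_HOST = 'www.example.com'; // placeholder: your site's canonical host

// Accept only a local path such as "/forum/topic.php?id=5"; anything else gets $default.
function safe_return_path($target, $default = '/')
{
    if (!is_string($target) || $target === '') {
        return $default;
    }
    // Control characters enable header tricks; browsers read "\" as "/".
    if (preg_match('/[\x00-\x1F\x7F]/', $target) || strpos($target, '\\') !== false) {
        return $default;
    }
    // Exactly one leading "/" rules out "http://...", "//host/..." and "javascript:...".
    if ($target[0] !== '/' || substr($target, 0, 2) === '//') {
        return $default;
    }
    return $target;
}

// Reduce a Referer header to a local path, or null if it names another host.
function referer_to_local_path($referer)
{
    $parts = is_string($referer) ? parse_url($referer) : false;
    if (!is_array($parts) || !isset($parts['host'])
        || strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return null;
    }
    $path = isset($parts['path']) ? $parts['path'] : '/';
    return isset($parts['query']) ? $path . '?' . $parts['query'] : $path;
}

// Constructed sample values for login.php?b=... and for a Referer header.
$samples = array(
    '/profile.php?tab=2',                  // local path
    'http://evil.example/login.php',       // absolute URL on another host
    '//evil.example/',                     // protocol-relative URL
    '/\\evil.example/',                    // backslash variant of the above
    "/ok\r\nSet-Cookie: x=1",              // embedded CR/LF
    (string) referer_to_local_path('http://www.example.com/forum/topic.php?id=5'),
    (string) referer_to_local_path('http://evil.example/phish.php'),
);
foreach ($samples as $s) {
    echo safe_return_path($s), "\n";
}
```

The same check applies when the value is read back from a cookie, since the browser can send any cookie value it likes.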