Jump to content

Security passing variables through browser

jmayer

By jmayer
in Application Design

 Share

Recommended Posts

jmayer Newbie

jmayer

Posted
Posted

Right now I am using sessions for a login with something like this at the top of each page

 

	session_start();
if(!isset($_SESSION['auth']) && !isset($_SESSION['admin'])){
	session_destroy();
	header("Location: http://localhost/web/");
}elseif(isset($_SESSION['auth']) && !isset($_SESSION['admin'])){
	session_destroy();
	header("Location: http://localhost/web/");
}

 

Now if you tried to go to one of these pages while not being logged in, it redirects you back to the homepage.

However, on some pages like this I pass variables through the URL such as edit_menu?id=10&action=delete.  This code is included in the header of the page.  The problem is, even when I am not logged in, I can type in the url with variables passed through it and it will perform the action and THEN redirect me back to the home page.  It seems to run all the code in the header before redirecting.

 

What would be the best way to deal with this, register all variables to the session? Or would just putting the functions down in the body of the page work?

 

Thanks

trq Prolific Member

trq

Posted
Posted

You need to place an exit() after any calls to header to stop the rest of the script being executed.

 

<?php

  session_start();
  if (!isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
    exit();
  } elseif (isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
    exit();
  }

?>

Daniel0 Advanced Member

Daniel0

Posted
Posted

[...] cuase for some reason the script does not always seem to stop after the header();

 

That's because you don't tell it to. PHP does not care what headers you send, it just sends them. PHP is not the thing redirecting, nor is it the web server. It's the browser. The Location header just tells the browser to go somewhere, but the browser can choose to not do so.

trq Prolific Member

trq

Posted
Posted
When using the PHP header() function, it includes the content of the page specified

 

No, the header function simply sends a header to the browser and keeps on executing the script. If you happen to send a Location header, the browser will redirect to that page.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.