
Security passing variables through browser


jmayer


Right now I am using sessions for a login with something like this at the top of each page

 

session_start();
if (!isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
} elseif (isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
}

 

Now if you tried to go to one of these pages while not being logged in, it redirects you back to the homepage.

However, on some pages like this I pass variables through the URL such as edit_menu?id=10&action=delete.  This code is included in the header of the page.  The problem is, even when I am not logged in, I can type in the url with variables passed through it and it will perform the action and THEN redirect me back to the home page.  It seems to run all the code in the header before redirecting.

 

What would be the best way to deal with this, register all variables to the session? Or would just putting the functions down in the body of the page work?

 

Thanks

You need to place an exit() after any calls to header to stop the rest of the script being executed.

 

<?php

  session_start();
  if (!isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
    exit();
  } elseif (isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
    exit();
  }

?>

[...] because for some reason the script does not always seem to stop after the header();

 

That's because you don't tell it to. PHP does not care what headers you send, it just sends them. PHP is not the thing redirecting, nor is it the web server. It's the browser. The Location header just tells the browser to go somewhere, but the browser can choose to not do so.

When using the PHP header() function, it includes the content of the page specified.

 

No, the header function simply sends a header to the browser and keeps on executing the script. If you happen to send a Location header, the browser will redirect to that page.
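The following script is an added demonstration, not code from this thread, of the two points made above: header("Location: ...") only sends a header, PHP carries on executing, and the exit() after it is what actually stops the page body from running. It is written for the PHP CLI, where header() is a no-op, so the effect is visible without a browser. Everything in it is constructed for the demo: the file name header_exit_demo.php, the --no-exit switch, the $menu array standing in for the database table, and the hand-built $_GET and $_SESSION mirroring an anonymous visitor typing edit_menu?id=10&action=delete. The two redirect branches in the original guard both fire unless $_SESSION['admin'] is set, so they are collapsed into one check, and session_destroy() is left out because no real session is open here.

```php
<?php
declare(strict_types=1);

/*
 * Added demo (not code from the thread). Run from the CLI:
 *   php header_exit_demo.php            -> guard uses exit(): the delete never runs
 *   php header_exit_demo.php --no-exit  -> guard as in the first post: the delete runs
 *
 * In the CLI SAPI header() is a no-op and nothing redirects, which makes the
 * point visible: the Location header is only advice to the browser, and the
 * rest of the script keeps executing unless the script stops itself.
 */

// Constructed request: an anonymous visitor typing the destructive URL directly
// (edit_menu?id=10&action=delete). No session_start(): $_SESSION is set by hand.
$_GET     = ['id' => '10', 'action' => 'delete'];
$_SESSION = [];   // not logged in

// Constructed stand-in for the menu table a real page would delete from.
$menu = [10 => 'Specials', 11 => 'Drinks', 12 => 'Desserts'];

// Hypothetical switch so both behaviours can be shown from one file.
$useExit = !in_array('--no-exit', $argv ?? [], true);

// A shutdown function still runs after exit(), so the final state is printed either way.
register_shutdown_function(function () use (&$menu): void {
    echo 'menu ids still present: ' . implode(', ', array_keys($menu)) . PHP_EOL;
});

// The guard from the thread: both of its branches redirect unless 'admin' is set.
if (!isset($_SESSION['admin'])) {
    header('Location: http://localhost/web/');
    echo "sent Location header for unauthenticated request\n";
    if ($useExit) {
        exit();   // the fix: stop here, nothing below executes
    }
    // without exit(): PHP keeps executing the page body below
}

// Page body: the state-changing action driven by URL parameters.
if (($_GET['action'] ?? '') === 'delete' && isset($_GET['id'])) {
    $id = (int) $_GET['id'];
    unset($menu[$id]);
    echo "deleted menu id $id\n";
}
```

With exit() in place the output ends with "menu ids still present: 10, 11, 12"; with --no-exit it reports "deleted menu id 10" first and id 10 is gone. In a real page the guard belongs in an include at the very top, before any output, with exit() immediately after the header() call. Separately from the bug discussed here, a delete that is triggered by a plain GET URL will run whenever a logged-in admin's browser fetches that URL for any reason, so a practitioner would also move such actions to a POST request carrying a per-session token.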

Archived

This topic is now archived and is closed to further replies.
