I am working on pages which are secured so no-one can link to that page using this:
Code below is called inside a loop.
$gentok = uniqid();
if(isset($_GET["action"]) && $_GET["action"] == "clean_$gentok") {
// stuff
}
Then, I have this to call the URL:
Clean this and that
But when clicking the link, the page refreshes and the uniqid() has already changed.
How can I make it so the uniqid() is still the same after the page refresh? I'm open for any changes or better ideas you may have.
Thank you!
Posting this as a community wiki since I've nothing to gain from this.
My suggestion in comments about using a nonce brought the OP to use the WordPress version of a nonce as their solution.
Reference:
https://codex.wordpress.org/WordPress_Nonces
Sidenote: To be honest, I was not aware that WordPress had one and found that reference link on the Internet.
My original reference:
How to create and use nonces
Additional reference:
Wiki page: http://en.wikipedia.org/wiki/Cryptographic_nonce
Use session for this. Put your unique ID in session array
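session_start();
// Generate the token only once per session; regenerating it on every
// request would invalidate the link that was just rendered.
if (!isset($_SESSION['gentok'])) {
    $_SESSION['gentok'] = uniqid();
}
if (isset($_GET["action"]) && $_GET["action"] == "clean_" . $_SESSION['gentok']) {
    // stuff
}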
In your display
session_start();
Clean this and that
When you are creating a session, set a value so that every time the page loads it will check your session for the value. Otherwise you will redirect. You would put the code on top: if ($_SESSION['sesname'] != $value) { header location }
You would put this at the top of the page so it performs the check
OR
If you want a unique name then just put something that people won't easily guess and don't link it anywhere
I need to check on each page whether cookies are enabled, and I use this code.
<?php
setcookie('COOK_CHK',uniqid(),time()+60*60*24);
if(!isset($_COOKIE['COOK_CHK'])){
echo"Cookies are disabled!";
exit;
}
session_start();
?>
However, on the first check it gives me false until I refresh the page. I include this code in each page so I cannot redirect every time I load the page, as it reduces performance. However, I want to use it even if JavaScript is disabled. Any suggestions?
Can you use javascript? If so, all it takes is a check at the navigator.cookieEnabled variable.
It works in most modern browsers. You can read more about it here: http://www.w3schools.com/jsref/prop_nav_cookieenabled.asp
It's not possible because cookies are in the browser, and PHP sends them when the page has rendered, so they will be available only on the second page.
A possible way to fix this is using javascript.
If you really should do it in PHP, for some crazy reason, send all your requests to a main controller and save the state using another method, for example, write a var into a file, then redirect, and in the next requests you'll know if cookies are enabled without needing any other redirection. Example:
// $userIP was not defined in the original snippet; the client address is assumed here
$userIP = $_SERVER['REMOTE_ADDR'];
$file = 'cookie_fake_'.$userIP;
if( !isset($_COOKIE['COOK_CHK']) && !file_exists($file) ){
file_put_contents($file, 'dummy');
setcookie('COOK_CHK',uniqid(),time()+60*60*24);
header('Location:/');
exit;
}
if(!isset($_COOKIE['COOK_CHK'])){
setcookie('COOK_CHK',uniqid(),time()+60*60*24);
echo"Cookies are disabled!";
exit;
}
Then you should write something to clean old files every hour or so. Of course, you can use a cache layer or a database or anything like that instead of writing a file.
Edit: The previous code will be really f** up if the user enables cookies and refreshes the page; I've now fixed it so it works the second time it refreshes. Not perfect but... You really should do this using JavaScript.
Cheers.
I want to have a navigation bar that tells the user where they just came from.
Example: Homepage -> Post
But if they are in their posts manager and click on a post, I want it to say
Posts manager -> Post
I read that $_SERVER['HTTP_REFERER'] is not good enough to get the full url so that's not useful as I want the navigation bar all clickable
Any help is much appreciated!
I believe what you want is called breadcrumbs.
What to use for navigation chain storage is actually up to you. You might use even $_SERVER['HTTP_REFERER'] if you want, but that'd be unreliable as it's client-side. Usual way to store such chain is actual URI or session.
For example, you have such URI: http://www.example.com/post_manager/post
Then you can iterate through explode("/", $_SERVER["REQUEST_URI"]) to get each step.
That's a basic explanation to guide you in the right direction. You can google a lot of samples and snippets using the keyword breadcrumbs.
On the topic of saving the last visited location (the way to determine whether the user came from the manager or the homepage): you can use session variables to do that. Here's an example:
This way you can set a variable on your homepage:
<?php
session_start();
$_SESSION['previous_location'] = 'homepage';
?>
And then you just access it from another page:
<?php
session_start(); // the session must be resumed before $_SESSION can be read
$previous_location = $_SESSION['previous_location'];
?>
It's important to set session.save_path in your PHP configuration file or your sessions might get lost.
You could do it on the client side if you use the Javascript document.referrer property. However, a better solution may be to use the global session array.
if (!isset($_SESSION['referrer'])) {
$_SESSION['referrer'] = $current_uri;
} else {
$previous_uri = $_SESSION['referrer'];
$_SESSION['referrer'] = $current_uri;
}
The best solution IMO is to save the location into session, every time the user goes to a 'meaningful' page (that you want to be able to navigate back to via this feature), then simply use this array of, say, last 2 visited pages to pull up all the information. Simple and effective.
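<?php
session_start();
// HTTP_REFERER is optional and client-controlled: record it only when present
if (!empty($_SERVER['HTTP_REFERER'])) {
    $_SESSION['user_interactions'][] = $_SERVER['HTTP_REFERER'];
}
$interactions = $_SESSION['user_interactions'] ?? [];
// get previous
$previous_page = end($interactions);
// list all user interactions, escaping each value before it is echoed
foreach ($interactions as $key => $value) {
    echo htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    if (count($interactions) - 1 != $key) echo ">";
}
?>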
Is there some sort of PHP code that allows me to figure out which of the two pages was last visited?
Here is why I need it.
I have 3 pages called:
user-management.php, manage-membership.php and manage-user.php
There are two ways of getting to manage-user.php. One is to click on the name of the user in user-management.php and the other is to click on the membership account holder in membership-management. Both user-management and membership-management are completely different pages so please don't tell me to merge them to make it easier, because it won't get easier.
What I want to do is track where I'm coming from.
For example, if I'm going to manage-user.php from user-management.php, when all the editing is done, I want it to redirect back to user-management.php, and the same for membership-management.
How do I check to see which of the two pages I came from and redirect back to those pages accordingly?
Have each of your scripts record their name in the $_SESSION, so you're keeping track of where you came from:
user-management.php:
$_SESSION['came_from'] = 'user-management.php';
and then in your manage-user.php script:
Back
This is more reliable than using the HTTP referer, because not everyone sends referers, or sends the ACTUAL referer.
you could use $_SERVER['HTTP_REFERER'];
But this is not so safe, better store the page in a session and
check it then.
session_start();
// ...
$_SESSION['log'][] = $_SERVER['PHP_SELF'];
// ...
if ($_SESSION['log'][count($_SESSION['log'])-1] == "xxx") {
    // do code...
}
Tried this? -> $_SERVER["HTTP_REFERER"]
You can read more from this: http://www.electrictoolbox.com/php-http-referer-variable/
You could use $_SERVER['HTTP_REFERER']; but the user can also set their browser to not send the referer header. You could also do something like this:
At beginning of page:
session_start();
$lastVisited = $_SESSION['last_visited'];
At end:
$_SESSION['last_visited'] = $thisPagename;
I have index.php that include pages like
<?php
define('MyConst', TRUE);
include_once('template/header.php');
if (!empty($_GET['action'])) {
$action = $_GET['action'];
$action = basename($action);
include("template/$action.php");
} else {
include("template/main.php");
}
include_once('template/footer.php');
?>
With in a template directory I have main.php which has link to other pages like page1.php, page2.php.
Goto page 1
Goto page 2
How could I prevent users from accessing pages directly by typing "http://mydomain.com/?action=page1" in the URL? And redirect them to main.php if they have done it?
You can not. What you want is simply not possible.
For the server side there is no way to know whether an URL is typed or clicked.
If I understand correctly, the thing you want is to prevent the user to access http://example.org/?action=page1 unless they came from http://example.org/?action=main. To do that, you must be able to detect whether they came from http://example.org/?action=main. The safest way to do that is to generate some random value that you associate to the users when they access http://example.org/?action=main and to check whether there is a correct value associated to the users when they want to access http://example.org/?action=page1. If not, they tried to access that page directly.
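The random-value check described in this answer, which is also what the nonce suggested for the clean_ link in the first question on this page comes down to, as an added example (not code from any answer). The function names are hypothetical, and $session and $query are constructed stand-ins for $_SESSION and $_GET so the script runs from the command line.

```php
<?php
// Added example. $session stands in for $_SESSION (after session_start()),
// $query for $_GET. issue_action_token / verify_action_token are hypothetical names.

function issue_action_token(array &$session, string $action): string
{
    // random_bytes() is a CSPRNG; uniqid() is derived from the clock and is
    // not suitable as a secret.
    $token = bin2hex(random_bytes(16));
    $session['action_tokens'][$action] = $token;
    return $token;
}

function verify_action_token(array &$session, string $action, $supplied): bool
{
    $expected = $session['action_tokens'][$action] ?? null;
    // Query parameters can be missing or arrive as arrays.
    if (!is_string($expected) || !is_string($supplied)) {
        return false;
    }
    // Constant-time comparison: does not leak how many characters matched.
    if (!hash_equals($expected, $supplied)) {
        return false;
    }
    // Single use: once accepted, a replayed or shared link is rejected.
    unset($session['action_tokens'][$action]);
    return true;
}

// Request 1 (constructed): main page is rendered and the link is emitted.
$session = [];
$token = issue_action_token($session, 'page1');
echo 'Link: ?action=page1&token=' . $token . "\n";

// Request 2 (constructed): the user follows the link. The token was stored
// in the session, so it is still the same value after the page reload.
$query = ['action' => 'page1', 'token' => $token];
var_dump(verify_action_token($session, $query['action'], $query['token'])); // click
var_dump(verify_action_token($session, $query['action'], $query['token'])); // replay
var_dump(verify_action_token($session, 'page1', 'guessed-value'));          // typed URL
```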
Check for HTTP_REFERER and if it is not pointing to the right values (like your menu page) then redirect the user.
Maybe you can try this, On your index.php :
session_start();
if(! isset($_GET['action']))
{
$_SESSION['pageAccess'] = true; # Set the key whatever you want
}
then under that script (we need that session_start() used twice) :
if(isset($_GET['action']))
{
if(! isset($_SESSION['pageAccess']) || ! $_SESSION['pageAccess'])
exit('There is no direct access allowed.');
}
Hope this helps, have a nice day.
As per your Question:
There are two approaches that you can follow:
1. Use HTTP_REFERER and check on the desired page if the user is coming from the page you wanted. If he is accessing the direct URL then show him an error page.
2. Use $_SESSION, but this approach can be harmful as the SESSION will always be there until the browser / instance is closed.
So better to go for the 1st approach.
And also, as per Pehaa, you can not check if the URL is typed
I need to hide or show a div that have a slideshow inside.
The idea is to give to the users a link for them to hide or show the div.
At the moment I call the slideshow on the body of the page with <?php include('slideshow.php'); ?>
After the user clicks on the link to hide/show the div I would like to call a second file ( <?php include('no-slideshow.php'); ?> ) which contains a different div.
As far as I have found there is no way to achieve this with sessions, or at least I didn't find a solution to this problem.
My guess is that this needs to be done with cookies, but I don't understand how.
If you don't want to use JavaScript, the only way to achieve that is to use a link (requires the page to be reloaded).
This is basic logic only, not a complete solution, but think you'll get the point.
Create a link on web page to the server-side script.
hide/show
Create script togle_visibility.php to process user's request.
<?php
$hidediv = isset($_COOKIE['hide_div']) && ($_COOKIE['hide_div'] == 'hide');
$cookie_value = !$hidediv ? 'hide' : 'show';
setcookie('hide_div', $cookie_value, time()+32000000); // cookie expires after year
header('location: http://www.mysite.com/index.php');
?>
All you need now (after returning to the original page) is to check the value stored in the cookie and decide whether or not to show that div to the user.
<?php
// ... more code
$hidediv = isset($_COOKIE['hide_div']) && ($_COOKIE['hide_div'] == 'hide');
if ($hidediv) {
include('no-slideshow.php');
}
else {
include('slideshow.php');
}
// ... more code
?>
EDIT: $hidediv condition.
It works if the user has JavaScript disabled but doesn't work if cookies have been disabled in browser settings.
I did not check this code, so some typos are possible.
I am not sure I understood. You want to hide the div once the user clicks on a link?
Why are you not doing this using javascript? (hide/show the divs?)
This command will set a cookie named include with value what to include.
setcookie('include', 'what to include', time()+86400);
You can check this cookie before include like this:
if (isset($_COOKIE['include'])) {
include($_COOKIE['include'] . '.php');
} else {
include('slideshow.php');
}
Note: because cookies can be easily faked you'll need to check twice what to include.
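One way to do the check this note asks for, as an added example rather than code from the answer: the cookie value only selects an entry from a fixed list and never becomes part of the path. The list entries are assumed from the two files named in the question, resolve_template is a hypothetical name, and the sample values are constructed.

```php
<?php
// Added example. ALLOWED_TEMPLATES is an assumption based on the two files
// named in the question; resolve_template() is a hypothetical helper.
const ALLOWED_TEMPLATES = ['slideshow', 'no-slideshow'];

function resolve_template($requested, array $allowed, string $default): string
{
    // A cookie may be absent or may arrive as an array; treat both as "no choice".
    if (!is_string($requested)) {
        return $default . '.php';
    }
    // Strict membership test against the fixed list. Anything else, including
    // values containing path separators or stream wrappers, falls back to the default.
    if (in_array($requested, $allowed, true)) {
        return $requested . '.php';
    }
    return $default . '.php';
}

// Constructed values standing in for $_COOKIE['include'].
$samples = ['no-slideshow', 'slideshow', '../config', 'NO-SLIDESHOW', ['x'], null];

foreach ($samples as $value) {
    printf(
        "%-16s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        resolve_template($value, ALLOWED_TEMPLATES, 'slideshow')
    );
}

// In the page itself the call would be:
//   include resolve_template($_COOKIE['include'] ?? null, ALLOWED_TEMPLATES, 'slideshow');
```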