I have a page secured.php with a URL containing a GET parameter that comes from index.php by using form method="post", where after processing the script a user ID will be stored in a SESSION as well as added as a GET parameter u=12345 by a header function that redirects to secured.php?u=12345.
By checking if isset($_GET['u']){ the GET parameter u is available, everything is fine. I can validate it and so on...
The problem now is that when submitting a form, even here by using form method="post" on secured.php?u=12345, the GET parameter u will be used in header, but when executing the header function the GET parameter u for some reason won't be there anymore, and if ( !isset($_GET['u']) ){ will do some stuff that actually should not be done.
if ( !isset($_GET['u']) ){
some stuff
}
if (isset($_POST['something']) === true){
header("Location: secured.php?u=12345&b=example");
}
I really would appreciate if there is someone who could help me out. Thanks in advance.
Let's check this:
1: index.php
<?php
session_start();
$_SESSION['U_ID'] = '12345';
?>
<html>
<body>
<form action="secured.php?u=<?php echo $_SESSION['U_ID']; ?>" method="post">
Name: <input type="text" name="name"><br>
<input type="submit">
</form>
</body>
</html>
2: secured.php
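<?php
if ( !isset($_GET['u']) ){
//some stuff
} else {
if (isset($_POST["name"]) && $_POST["name"] != ''){
// urlencode() keeps the user-supplied value from adding extra query parameters
$re_url = 'secured.php?u='.urlencode($_GET['u']).'&b=example';
header('Location: '.$re_url);
exit; // stop processing once the redirect has been sent
}
}
?>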
Just small answer
I feel dumb (like always)
So I have a website, and I'm finally trying to move what I built on localhost to my website, but hell, that's somehow not working. Finally, after some research, what I got is that my session is not working.
So I tried to make a simple PHP session on my website, and somehow the session variable is not being set like I want.
This is the example I tried:
http://dofaiyah.com/shop/login/ << access this; when you click submit, I make $_SESSION["token"] = "green" and then redirect to index (http://dofaiyah.com/shop/index.php) and echo that session.
But that's not working.
My code is very simple
On Login
<?php
session_start();
if ( isset( $_POST['submit'] ) ) {
$_SESSION["token"] = "green";
header("Location: ../index.php");
//echo $_SESSION["token"];
}
?>
<html>
<body>
<form action="" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
On index
<?php
session_start();
if(!isset($_SESSION['token'])){
//header("Location: login");
}
else {
$_SESSION['views'] = 1;}
echo "views = ". $_SESSION['token'];
?>
What am I missing? I really don't know.
//////
Edit: yes, I already tried to execute it on my localhost and it's working perfectly.
On Login you are redirecting before showing the session value.
I have implemented the Post/Redirect/Get pattern to avoid HTTP POST requests being sent to the server each time the web page is reloaded, but I get a problem.
The Welcome message should only be displayed once when the password is set to test. In my case, it is never displayed, unless you comment out the 4th line.
If you remove that line, the PRG pattern is not applied, hence the form gets resubmitted on each page reload.
The code below is full working code; paste it directly into your code for testing, or here
<?php
$self = htmlspecialchars($_SERVER["PHP_SELF"]);
if(isset($_POST['Code2']) && ( $_POST['Code2'] == "test")) {
header('Location: '.$self, true, 303);exit; //redirection on the same page
?> <span id="welcome-msg"></span> <!-- Display welcome Message -->
<?php } ?>
<form method="post">
Code:<br>
<input type="text" name="Code2"> <input type="submit">
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script>
$("#welcome-msg").html("Welcome").fadeOut(5500);
</script>
Here is a simple PoC that uses PHP sessions instead of cookies. A client session is identified by a cookie but the client has no control over the data the session stores. You could, in theory, put more sensitive data into the "welcome" message this way, although the login method is still very basic and should at least be done over HTTPS.
<?php
// Start PHP session management
session_start();
$self = htmlspecialchars($_SERVER["PHP_SELF"]);
if (isset($_POST['Code2']) && $_POST['Code2'] === "test") {
// Code is correct, flash the welcome message after redirect
$_SESSION["flash_welcome"] = true;
header('Location: '.$self, true, 303);
exit;
} else if (isset($_POST['Code2']) && $_POST['Code2'] !== "test") {
// Code was sent but is incorrect, flash the incorrect message after redirect
$_SESSION["flash_incorrect"] = true;
header('Location: '.$self, true, 303);
exit;
}
// !empty() avoids an undefined-key warning on the first visit, before any flash flag is set
if (!empty($_SESSION["flash_welcome"])) {
// Display welcome message
?><span id="welcome-msg">Welcome</span><?php
}
if (!empty($_SESSION["flash_incorrect"])) {
// Display incorrect message
?><span id="incorrect-msg">Incorrect code</span><?php
}
// Clear flash messages
$_SESSION["flash_welcome"] = false;
$_SESSION["flash_incorrect"] = false;
?>
<form method="post">
Code:<br><input type="text" name="Code2">
<input type="submit">
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script>$("#welcome-msg,#incorrect-msg").fadeOut(5500);</script>
Your <span id="welcome-msg"></span> is located after a redirection and after an exit() inside an if statement.
Whether the condition is met or not, your span will never be displayed.
You need to move it out of the "if", or add it before the redirection and "exit()".
<?php
$self = htmlspecialchars($_SERVER["PHP_SELF"]);
if(isset($_POST['Code2']) && ( $_POST['Code2']== "test")) {
header('Location: '.$self, true, 303);
exit;
} ?>
<span id="welcome-msg"></span>
<form method="post">
Code:<br>
<input type="text" name="Code2"> <input onclick="event.preventDefault()" type="submit">
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script>
$("#welcome-msg").html("Welcome").fadeOut(5500);
</script>
https://www.tehplayground.com/Hf25u68JYljxkjQu
I am looking to develop a website containing stages. For example, I want to get to stage 2 only when I click on the finish button on the stage 1 page, so the stage 2 page can't be accessed by its URL or whatever, only if the user passes through another page.
Is there a method to do this? I am a beginner in security, so please try to help me. Thanks in advance, coders.
Make use of sessions to develop this model.
index.php
<?php
// Read the submit button from $_POST directly; with extract() commented out, $sub is never set
if(isset($_POST['sub']))
{
session_start();
$_SESSION['authenticate']=true;
header("location:test1.php");
exit;
}
?>
<form action='' method="post">
<input type="SUBMIT" name="sub" value="Finish" />
</form>
open.php
<?php
session_start();
if(!isset($_SESSION['authenticate']))
{
echo "You are not allowed to access";
}
else { echo "You came from index.php ! so you are a valid user"; }
session_destroy(); //<-- I added this so you can test your example multiple times.
I think this should work :)
You can either redirect your user directly from index.php to open.php
header('Location: open.php');
Or,
in open.php, put this
if($_SERVER['HTTP_REFERER'] == "index.php page's full link") {
//Do or Show whatever you want to show here
} else {
// Tell the user that you are not authorized
}
If that doesn't work, echo $_SERVER['HTTP_REFERER'] and see what link it gives you. And put that link where specified above.
Cool? :)
Edit (As per the comments) --
Let's say you have a form in stage1.php
<form method="post" action="">
<span class="error"><?php echo $error; ?></span>
Name: <input type="text" name="name"><br/>
Email: <input type="text" name="email"><br/>
<input type="submit" name="submit" value="Submit">
</form>
use this php in stage1.php
<?php
if (isset($_POST['name'])||isset($_POST['email'])) {
// Show the error when either field is missing or empty
if (empty($_POST["name"])||empty($_POST["email"])) {
$error = "Please fill in all the fields correctly";
}
else {
$name = $_POST['name'];
$email = $_POST['email'];
//You can also save the above Variables Globally by $GLOBALS['name'] = $_POST['name'];
//So that you can use the details when you reach the final stage
header("Location: stage2 page's link");
}
}
?>
and in Page 2 lets say you have another form, then there also check
<?php
if(!empty($name)||!empty($email)) {
//the above is check for global variables email and name are not empty - means stage 2 was filled properly
//Do things for the second page's form like you did for stage 1
} else {
header("Location: stage1 page's link");
//redirect back to stage 1.
}
?>
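A session-based version of the stage check discussed in the answers above, as an added example that is not part of the original posts. The helper names, the 'stage_done' session key and the stageN.php file names are assumptions; the state is kept in the server-side session, so it does not depend on a Referer header, which the browser supplies and may omit or change.

```php
<?php
// Added example: server-side stage gating kept in the session.
// Hypothetical names: mark_stage_done(), gate_stage(), 'stage_done', stageN.php.
declare(strict_types=1);

/** Record that stage $n was finished; call only after its POST data validated. */
function mark_stage_done(array &$session, int $n): void
{
    $done = $session['stage_done'] ?? 0;
    // Advance one step at a time so a later stage cannot be claimed early.
    if ($n === $done + 1) {
        $session['stage_done'] = $n;
    }
}

/** Return null if stage $n may be shown, else the page to redirect to. */
function gate_stage(array $session, int $n): ?string
{
    $done = $session['stage_done'] ?? 0;
    if ($n >= 1 && $n <= $done + 1) {
        return null;                        // stage 1 is open; stage n needs n-1 done
    }
    return 'stage' . ($done + 1) . '.php';  // first unfinished stage
}

if (PHP_SAPI === 'cli') {
    // Constructed walk-through with a plain array standing in for $_SESSION.
    $session = [];
    var_dump(gate_stage($session, 2));   // direct request for stage 2, nothing done
    mark_stage_done($session, 2);        // claiming stage 2 early is ignored
    var_dump(gate_stage($session, 2));
    mark_stage_done($session, 1);        // stage 1 finished properly
    var_dump(gate_stage($session, 2));
} else {
    // Top of stage2.php: refuse direct URL access until stage 1 is done.
    session_start();
    $target = gate_stage($_SESSION, 2);
    if ($target !== null) {
        header('Location: ' . $target, true, 303);
        exit;
    }
}
```

In stage1.php, call mark_stage_done($_SESSION, 1) after the submitted form passes validation and before redirecting to stage2.php.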
Username and password do not appear on Page2.PHP although I post them to Page2.PHP
Page1.PHP
<form name="form1" method="post" action="Page2.php">
<input type="text" name="txtLogin">
<input type="password" name="txtPWD">
<input type="submit" name="btnSub" value="go">
</form>
Page2.PHP
<?php
if(isset($_REQUEST['txtLogin']))
{
session_start();
$_SESSION['login']=$login;
}
if(isset($_SESSION['login']))
header('Location: detail.php');
else
header('Location: index.html');
?>
put this on page2.php
if(isset($_POST['txtLogin']) && isset($_POST['txtPWD']))
{
//get values & do other scripts like saving values on sessions
$user = $_POST['txtLogin'];
$pass = $_POST['txtPWD'];
echo $user.'<br>'.$pass;
}
else
{
//event here
}
The problem is here:
$_SESSION['login']=$login;
You are using the $login variable, but it isn't actually being set anywhere.
A few lines further up, we see that the login name is actually in $_REQUEST['txtLogin'], not $login. So you should be using that.
$_SESSION['login']=$_REQUEST['txtLogin'];
Hope that helps.
Check settings: enable_post_data_reading, request_order, variables_order, gpc_order on http://www.php.net/manual/en/ini.core.php
My code has two forms that create a text field for both username and password. The PHP script takes the form information and sends it to the server for it to decide if the strings from the form data correspond with the username and password I want. I also have a logout button form that goes to a logout.php script which logs the user out. If I click the logout button it sends the user to my login.php script and ends the session. I can't get users to log in to the website and I can't get users to go to the login.php page if I go to the site that has the logout.php. Here is my code:
Login php Code:
<?php
session_start();
if($_SESSION['login'] == true)
{
header("Location:index.php");
}
else
{
if($_POST['username'] == 'username')
{
if($_POST['pass'] == 'password')
{
$_SESSION['login'] = true;
header('Location:index.php');
}
}
}
?>
Login Form:
<form action="login.php" method="post">
Username: <input type="text" name="username" /> </br>
Password: <input type="password" name="pass" />
<input type="submit" value="submit"/>
</form>
Logout PHP code:
<?php
session_start();
session_destroy();
header('Location:index.php');
?>
index php code:
<?php
session_start();
if($_SESSION['login'] =! true || $_SESSION['login'] == "")
{
header('Location:login.php');
}
?>
index form code:
<form action="logout.php" method="post">
<input type="submit" name="logout" value="logout" />
</form>
The PHP code is listed above the html code before anything is displayed thus why some form actions call back the page again. Thank you
Your main problem is the incorrect operator =! in index.php -- the correct use is != for "does not equal". See more: http://php.net/manual/en/language.operators.comparison.php
You can clean up your login.php file a bit:
login.php
session_start();
$redirect = false;
if($_SESSION['login'] == true) {
$redirect = true;
} elseif (
isset($_POST['username']) &&
$_POST['username'] == 'username' &&
$_POST['pass'] == 'password'
){
$_SESSION['login'] = true;
$redirect = true;
}
if ($redirect) {
header("location:http://www.mydomain.com/index.php");
die();
}
Your login form is fine, except where you use : for properties. All HTML element properties are name="value" -- note the equal sign. So your form:
<form action="login.php" method="post">
You have it correct in your logout form.
One of your goals is to reduce the amount of code you use. So if you're going to do the same thing many times, you should try to isolate that piece of code as a class, a function, or simply in another file that you include. To that end, you could put your check for login in a separate file:
security.php
session_start();
if(!isset($_SESSION['login']) || $_SESSION['login'] !== true) {
header('location:http://www.mydomain.com/login.php');
die();
}
... then use require_once to pull that in on any page where you require the user to be logged in:
index.php
require_once('security.php');
// the rest of your index.php code here
Documentation
PHP comparison operators: http://php.net/manual/en/language.operators.comparison.php
require_once - http://php.net/manual/en/function.require-once.php
Some basic tips for code reuse - http://www.techrepublic.com/article/10-tips-for-php-scripts-reuse-code-with-the-include-and-require-functions/5077715
Your Form fields for the login form are bad.
it should read:
<form action="login.php" method="post">
Username: <input type="text" name="username" /> </br>
Password: <input type="password" name="pass" />
<input type="submit" value="submit"/>
</form>
also i think your boolean condition
if($_SESSION['login'] =! true || $_SESSION['login'] == "")
should be
if($_SESSION['login'] != true || $_SESSION['login'] == "")
Try that, if it doesn't work we'll have another look.
Let's try this again :)
Edit: The die() (or exit()) are needed, otherwise PHP keeps processing.
login.php
session_start(); // required before reading or writing $_SESSION
if (empty($_SESSION['login']))
{
// checking if username is transmitted and matching (same for password)
// the form's password field is named "pass"
if ( ( !empty($_POST['username']) && $_POST['username'] === 'username')
&& ( !empty($_POST['pass']) && $_POST['pass'] === 'password')
)
{
$_SESSION['login'] = TRUE;
header('Location:index.php');
die();
}
}
else
{
// if this matches, we are already logged in.
header('Location:index.php');
die();
}
// not logged in: fall through and show the login form
// (redirecting to login.php from login.php itself would loop forever)
logout.php
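session_start(); // resume the session so it can be destroyed
// check if Session exists, otherwise there is nothing to destroy
if (!empty($_SESSION))
{
$_SESSION = array(); // clear the data; unset($_SESSION) alone does not end the session
session_destroy();
}
header('Location:login.php');
die();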
index.php
session_start();
// if session doesn't exist we redirect to login
if(empty($_SESSION['login']))
{
header('Location:login.php');
die(); // stop here so the protected page is not processed after the redirect
}
As far as I can see, your "Login Form" is incorrect, you need to use '=' instead of ':'.
(Edit: What's with minus rating?)
Also, AFAIR Location must be like Location: http://www.example.com/index.php