I have a redirect page called get.php which contains the following code:
$url = (isset($_GET['url']) && !empty($_GET['url'])) ? $_GET['url'] : NULL;
if (empty($url)) {
    header('Location: http://www.example.com/404');
    exit;
}
// redirects to whatever URL the caller supplied
header('Location: ' . urldecode($url));
exit;
This link is used for ref tracking. When I checked the logs, I found someone had abused it by pointing it to a non-malware website, i.e.
http://www.example.com/get.php?s&url=http://i-am-malware.yes
How can I prevent this abuse and only accept URLs within the local domain?
Try this one:
$url = "";
if (isset($_GET['url']))
{
    $url = urldecode($_GET['url']);
}
if ($url == "")
{
    header('Location: http://www.example.com/404');
    exit;
}
else
{
    $arr = parse_url($url);
    // parse_url() returns false for a badly formed URL and has no 'host' entry for a
    // relative one, so both cases must count as "not our domain"
    if ($arr !== false && isset($arr['host']) && $arr['host'] == $_SERVER['SERVER_NAME'])
    {
        header("Location: " . $url);
    }
    else
    {
        header('Location: http://www.example.com/404');
    }
    exit;
}
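As an added example (not the question's get.php and not the answer above), here is a validator that accepts a target only when its host is on an allowlist of the site's own hostnames, or when it is a local absolute path, and returns the 404 URL otherwise. The host list, the function name and the constructed inputs at the bottom are assumptions for illustration; the 404 URL is the one from the question.

```php
<?php
// Added example: allowlist-based redirect target validation for get.php.
// Assumptions: $allowedHosts holds the site's own hostnames; $fallback is the
// 404 URL from the question.

function safe_redirect_target(?string $raw, array $allowedHosts, string $fallback): string
{
    if ($raw === null || $raw === '') {
        return $fallback;
    }
    $url = urldecode($raw);          // get.php decodes, so validate the decoded form

    // A CR/LF inside a Location value lets the client append response headers.
    if (preg_match('/[\r\n]/', $url)) {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }

    if (isset($parts['host'])) {
        // Scheme-relative ("//evil.example") and userinfo ("http://www.example.com@evil.example")
        // forms both resolve to the foreign host, which parse_url() reports in 'host'.
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($scheme !== 'http' && $scheme !== 'https') {
            return $fallback;
        }
        if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
            return $fallback;
        }
        return $url;
    }

    // No host: accept a local absolute path only. "//..." and "/\..." are read as
    // scheme-relative by browsers, and "javascript:" has no host either.
    if (!isset($parts['scheme']) && isset($parts['path'])
        && preg_match('#\A/(?![/\\\\])#', $parts['path'])) {
        return $url;
    }
    return $fallback;
}

// In get.php the unconditional header() call becomes:
//   $target = safe_redirect_target($_GET['url'] ?? null, ['www.example.com', 'example.com'],
//                                  'http://www.example.com/404');
//   header('Location: ' . $target);
//   exit;

// Constructed inputs for a quick local check (php this_file.php):
$allowed  = ['www.example.com', 'example.com'];
$fallback = 'http://www.example.com/404';
$cases = [
    ['http://www.example.com/page?x=1',          'http://www.example.com/page?x=1'],
    ['http://i-am-malware.yes',                  $fallback],
    ['//i-am-malware.yes/x',                     $fallback],
    ['http://www.example.com@i-am-malware.yes/', $fallback],
    ['/account/settings',                        '/account/settings'],
    ['/\\i-am-malware.yes',                      $fallback],
    ["http://www.example.com/\r\nX-Injected: 1", $fallback],
    ['',                                         $fallback],
];
foreach ($cases as [$input, $expected]) {
    $got = safe_redirect_target($input, $allowed, $fallback);
    printf("%-45s -> %-35s %s\n", addcslashes($input, "\r\n"), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The comparison is against a fixed list rather than against $_SERVER['SERVER_NAME'] or HTTP_HOST, because the Host header is chosen by the client and SERVER_NAME can follow it depending on server configuration.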
I'm developing a user site in PHP. What I want to do is allow people to use a ?return_to URL variable to get back to the page they were on before they were asked to log in (for example, if they were on /me.php, they will be redirected to login and the URL will be login.php?return_to=me.php; I want to redirect to me.php after login).
Currently, the way my system checks for login submission on the homepage is the following:
if (isset($_POST['submitted']))
{
    if ($advena->Login())
    {
        $advena->RedirectToURL("/");
    }
}
When I try to use
$location = "";
if (strpos($_SERVER['REQUEST_URI'], "?return_to") !== false) {
    $location .= "?return_to=" . urlencode($_GET["return_to"]);
    if (isset($_POST['submitted']))
    {
        if ($fgmembersite->Login())
        {
            $fgmembersite->RedirectToURL($location);
        }
    }
} else {
    if (isset($_POST['submitted']))
    {
        if ($fgmembersite->Login())
        {
            $fgmembersite->RedirectToURL("/");
        }
    }
}
It always redirects to "/" regardless of the presence of ?return_to. Here is the redirect PHP:
function RedirectToURL($url)
{
    header("Location: $url");
    exit;
}
Thank you in advance for any help anyone can provide :)
members.php - sample page
<?php
session_start();
// set the return url value
$_SESSION['return_url'] = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
// redirect if not logged in
if (not_logged_in()) {
    header('Location: /login.php?return_to=' . rawurlencode($_SESSION['return_url']));
    exit;
}
// checks if the user is logged in
function not_logged_in() {
    return !isset($_SESSION['logged_in']);
}
?>
login.php - login page
<?php
session_start();
// note: the login form must post back to the same URL, query string included,
// otherwise $_GET['return_to'] is gone by the time the POST arrives
if (isset($_POST['username'], $_POST['password'])) {
    // do more... (success() stands for your own credential check)
    // redirect
    if (success()) {
        // set a session for logged in user
        $_SESSION['logged_in'] = sha1(time() . rand(0, 99999));
        // RedirectToURL() is the helper from the question
        if (isset($_GET['return_to'], $_SESSION['return_url'])) {
            $fgmembersite->RedirectToURL('/process.php?return_to=' . rawurlencode($_GET['return_to']));
            exit;
        }
        else {
            $fgmembersite->RedirectToURL('/process.php');
            exit;
        }
    }
}
?>
process.php - login processor
<?php
session_start();
if (isset($_GET['return_to'], $_SESSION['return_url'])) {
    # set: return url - taken from the session copy written by members.php,
    # not from the query string, so a crafted link cannot send the user elsewhere
    $continue_url = $_SESSION['return_url'];
    unset($_SESSION['return_url']);
    # do: redirect to the specified page
    header("Location: {$continue_url}");
    # do: redirect with message
    exit('Redirecting...');
}
else {
    header('Location: /members.php');
    exit;
}
?>
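The following is an added example (not the answer's three files) of the same idea reduced to two helpers: the page the visitor came from is remembered in the session as a path only, and after login that stored value is accepted only if it still looks like a local path. The session key 'return_url', the function names, the default landing page and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example: session-carried post-login destination, accepted only when it
// is a local path. The session key 'return_url', the function names and the
// default landing page are assumptions for illustration. Call session_start()
// before using the two page-side helpers.

// members.php side: remember only the path + query of the page the visitor was
// on. The host is never stored, so the session can never name a foreign site.
function remember_return_path(string $requestUri): void
{
    $_SESSION['return_url'] = $requestUri;
}

// login.php side: decide where a successful login may go.
function post_login_destination(?string $stored, string $default = '/members.php'): string
{
    if ($stored === null || $stored === '') {
        return $default;
    }
    // Exactly one leading "/", then no "/" or "\" (browsers read "//x" and "/\x"
    // as scheme-relative), and no CR/LF anywhere (header injection).
    if (!preg_match('#\A/(?![/\\\\])[^\r\n]*\z#', $stored)) {
        return $default;
    }
    $parts = parse_url($stored);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    // Do not bounce back into the login page itself.
    if (($parts['path'] ?? '') === '/login.php') {
        return $default;
    }
    return $stored;
}

// Used right after the credentials check succeeds:
function redirect_after_login(): void
{
    $dest = post_login_destination($_SESSION['return_url'] ?? null);
    unset($_SESSION['return_url']);      // single use
    header('Location: ' . $dest);
    exit;
}

// Constructed inputs for a quick local check (php this_file.php):
$cases = [
    ['/me.php',                  '/me.php'],
    ['/me.php?tab=2',            '/me.php?tab=2'],
    ['//evil.example/',          '/members.php'],
    ['/\\evil.example',          '/members.php'],
    ['http://evil.example/',     '/members.php'],
    ['/login.php?return_to=x',   '/members.php'],
    ["/me.php\r\nX-Injected: 1", '/members.php'],
    [null,                       '/members.php'],
];
foreach ($cases as [$in, $expected]) {
    $got = post_login_destination($in);
    printf("%-30s -> %-15s %s\n", addcslashes((string)$in, "\r\n"), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Because the destination is read from the session and not from the request, the ?return_to query parameter is no longer a redirect target at all; it only needs to survive the login form round trip if you still want to show it to the user.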
I am using MaxMind's GeoIP2 PHP library to redirect website visitors based on their country.
I have managed to get the redirect working so that:
US visitors go to http://www.example.com/us
Malaysian visitors go to http://www.example.com/my
All other visitors go to http://www.example.com
The problem is that I only want to redirect visitors once.
After they are on the website, if they navigate to http://www.example.com
they should be able to do so without getting redirected, regardless of their country.
This is so that both humans and spiders still have the freedom to visit pages that are not targeted at their country.
I have tried using the suggestion to a similar problem as answered here,
but the question there is about different domains for different countries instead of different paths, so the solution doesn't work for me.
The code:
<?php
require_once '../vendor/autoload.php';
use GeoIp2\Database\Reader;
$reader = new Reader('/usr/local/share/GeoIP/GeoLite2-Country.mmdb');
try {
    // country() throws (e.g. AddressNotFoundException), so the lookup belongs inside the try
    $record = $reader->country($_SERVER['REMOTE_ADDR']);
    $country = $record->country->isoCode;
    switch ((string)$country) {
        case 'US':
            $url = "http://www.example.com/us";
            break;
        case 'MY':
            $url = "http://www.example.com/my";
            break;
        default:
            $url = "http://www.example.com";
    }
    if (strpos("http://$_SERVER[HTTP_HOST]", $url) === false)
    {
        header("Location: " . $url);
        exit;
    }
} catch (Exception $e) {
    // Handle exception
}
?>
Any help is greatly appreciated.
You could use a cookie to keep track of:
if the visitor has been redirected before
the country that the visitor has been redirected to before
If the spiders are clever, they will make use of the cookies too (Ref: Can Bots/Spiders utilize Cookies?).
So you could write your logic like so:
<?php
require_once '../vendor/autoload.php';
use GeoIp2\Database\Reader;
$cookie_name = "country_code";
session_start();
if (isset($_GET['check']) && $_GET['check'] == true) {
    // second pass: the test cookie coming back proves the client keeps cookies
    if (isset($_COOKIE['test_cookie']) && $_COOKIE['test_cookie'] == 'test') {
        if (!isset($_COOKIE[$cookie_name])) {
            $reader = new Reader('/usr/local/share/GeoIP/GeoLite2-Country.mmdb');
            try {
                $record = $reader->country($_SERVER['REMOTE_ADDR']);
                $country = $record->country->isoCode;
                switch ((string)$country) {
                    case 'US':
                        $url = "http://www.example.com/us";
                        break;
                    case 'MY':
                        $url = "http://www.example.com/my";
                        break;
                    default:
                        $url = "http://www.example.com";
                }
                $cookie_value = (string)$country;
                setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
                // each branch ends with exit so only one Location header is ever sent
                if (strpos("http://$_SERVER[HTTP_HOST]", $url) === false)
                {
                    header("Location: " . $url);
                    exit;
                }
                if (!isset($_GET['cookies'])) {
                    header('Location: /info.php?cookies=true');
                    exit;
                }
            } catch (Exception $e) {
                // Handle exception
            }
        }
        // else: country cookie already set, no redirect
    }
    // else: no cookie support, no redirect
} else {
    // first pass: drop a test cookie and come back with ?check=true
    setcookie('test_cookie', 'test', time() + 3600);
    header("Location: {$_SERVER['PHP_SELF']}?check=true");
    exit;
}
?>
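As an added example (not the answer's script), here is the redirect-once decision separated from the request handling, so it can be checked offline: a cookie marks that the visitor has already been routed, the visitor's current section is never redirected again (which is what prevents a loop), and the GeoIP result is passed in by the caller. Hostnames and section paths are the ones from the question; the cookie name and helper names are assumptions.

```php
<?php
// Added example: redirect a visitor to their country section at most once,
// with a cookie as the "already decided" marker. The GeoIP lookup result is
// passed in by the caller so this runs offline; hostnames and section paths are
// the ones from the question, the cookie name and helper names are assumptions.

const GEO_COOKIE     = 'country_code';
const COUNTRY_PREFIX = ['US' => '/us', 'MY' => '/my'];
const SITE_BASE      = 'http://www.example.com';

/**
 * Location to send, or null when no redirect should happen.
 * $country: ISO code from the GeoIP lookup (null if unknown)
 * $path:    path of the current request (no query string)
 * $cookies: $_COOKIE of the current request
 */
function geo_redirect_target(?string $country, string $path, array $cookies): ?string
{
    // Already decided once for this visitor (human or cookie-aware spider): leave them alone.
    if (isset($cookies[GEO_COOKIE])) {
        return null;
    }
    $prefix = COUNTRY_PREFIX[$country ?? ''] ?? '';
    if ($prefix === '') {
        return null;                    // default section is the plain site: nothing to do
    }
    // Already inside the country section: redirecting again would loop.
    if ($path === $prefix || strncmp($path, $prefix . '/', strlen($prefix) + 1) === 0) {
        return null;
    }
    return SITE_BASE . $prefix;
}

// Request-handling glue (needs a real request, so it is not exercised offline):
function handle_geo_redirect(?string $country): void
{
    $path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $target = geo_redirect_target($country, $path, $_COOKIE);
    // Mark the visitor whatever the decision, so the lookup runs once per visitor.
    // HttpOnly + SameSite because nothing on the client needs to read it (PHP 7.3+ syntax).
    setcookie(GEO_COOKIE, $country ?? 'XX', [
        'expires' => time() + 86400 * 30, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax',
    ]);
    if ($target !== null) {
        header('Location: ' . $target, true, 302);
        exit;
    }
}

// Constructed inputs for a quick local check (php this_file.php):
$cases = [
    ['US', '/',        [],                    SITE_BASE . '/us'],
    ['US', '/us',      [],                    null],
    ['US', '/us/page', [],                    null],
    ['US', '/usa',     [],                    SITE_BASE . '/us'],
    ['US', '/',        [GEO_COOKIE => 'US'],  null],
    ['MY', '/us',      [],                    SITE_BASE . '/my'],
    ['FR', '/',        [],                    null],
    [null, '/',        [],                    null],
];
foreach ($cases as [$country, $path, $cookies, $expected]) {
    $got = geo_redirect_target($country, $path, $cookies);
    printf("%-4s %-9s %-8s -> %-30s %s\n", $country ?? 'null', $path, $cookies ? 'cookie' : '-',
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

A client that drops cookies will be evaluated on every request, but the section check still stops it from looping: it is sent to /us once and then left alone until it deliberately leaves that section.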
Hi,
My current directory structure is like:
Admin (index.php, country.php)
Classes (connection.php, login.php, country.php)
header.php
footer.php
index.php
includes (header.php, footer.php)
My problem is that on the web server, when I am in /admin/country.php and add a country using a form with the POST method and the action set to /classes/country.php, my header statement Header("Location: ../Admin/country.php") works OK, but when I am on my index page in the root directory and try to log in with the form action "classes/login.php", and on successful login I use header("Location: ../Admin/index.php"), it never redirects. Everything works fine on my local server; I don't know what the problem is over here. Any help would be really appreciated.
I have searched this forum and others and tried to use the techniques they describe, but nothing is working.
My index page: index.php
My Admin section: Admin/Country.php
My login.php script is below:
<?php
ob_start();
include_once("classes/connection.php");

class login
{
    public static function validateLogin($userName, $password)
    {
        if (!isset($userName, $password))
        {
            return false;
        }
        // assumes dbconnection::getConnection() returns a mysqli instance
        $connection = dbconnection::getConnection();
        // prepared statement: the submitted values are bound, never spliced into the
        // SQL text (the original string concatenation was open to SQL injection)
        $stmt = $connection->prepare("SELECT role FROM tbllogin WHERE loginID = ? AND password = ?");
        $stmt->bind_param("ss", $userName, $password);
        $stmt->execute();
        $stmt->store_result();
        // a SELECT is counted with num_rows, not affected_rows
        if ($stmt->num_rows == 0)
        {
            return false;
        }
        $stmt->bind_result($role);
        $stmt->fetch();
        // only the Admin role is allowed into the admin section
        // (the password column is compared in clear text here, as in the original;
        // hashed storage checked with password_verify() is the usual replacement)
        return $role == "Admin";
    }
}

if (isset($_POST["btnSumbit"]))
{
    $isValid = login::validateLogin($_POST["userID"], $_POST["password"]);
    if ($isValid == true)
    {
        $host = $_SERVER['HTTP_HOST'];
        $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
        $extra = 'Admin/index.php';
        header("Location: http://$host$uri/$extra");
        exit();
    }
}
ob_end_flush();
?>
Don't use header redirects with relative paths. Redirect to the front-end URL path or to an absolute path.
It's possible that your "classes/login.php" is included into "index.php", so you're actually trying to step out of the web server directory, which is why it works locally but not on the server.
I am using this script to redirect users according to their IP.
But the problem is that it redirects to the homepage, or only to the URL I specify in the script. How can I just change the domain while keeping the URL the same? For example, site.com/whateverpage redirected to site.au/whateverpage.
<?php
// Use only ONE of the two require/getInstance pairs below, depending on your host.
// Next two lines are for Beyond Hosting
// Don't forget to change your-domain
require_once '/home/your-domain/php/Net/GeoIP.php';
$geoip = Net_GeoIP::getInstance('/home/your-domain/php/Net/GeoIP.dat');
// Next two lines are for HostGator
// require_once 'Net/GeoIP.php';
// $geoip = Net_GeoIP::getInstance('GeoIP.dat');
try {
    $country = $geoip->lookupCountryCode($_SERVER['REMOTE_ADDR']);
    switch ((string)$country) {
        case 'AU':
            $url = "http://www.site.au";
            break;
        case 'CA':
            $url = "http://www.site.ca";
            break;
        default:
            $url = "http://site.com";
    }
    // only redirect when the visitor is not already on the chosen domain
    if (strpos("http://$_SERVER[HTTP_HOST]", $url) === false)
    {
        header('Location: ' . $url);
        exit;
    }
} catch (Exception $e) {
    // Handle exception
}
?>
Add $_SERVER['REQUEST_URI'] to your redirection (it already starts with a slash, so no separator is needed):
header("Location: $url$_SERVER[REQUEST_URI]");
exit;
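As an added example (not the answer's one-liner), here is the host swap done with the request URI preserved, a proper hostname comparison in place of the strpos() substring check, and the client-supplied REQUEST_URI sanity-checked before it is appended. Domain names come from the question; the country code is passed in by the caller (the GeoIP lookup result), and the helper names and constructed inputs are assumptions.

```php
<?php
// Added example: rebuild the current request on the country domain while
// keeping path and query, and compare hostnames properly instead of with
// strpos(). Domain names come from the question; the country code is passed
// in by the caller (the GeoIP lookup result); helper names are assumptions.

const COUNTRY_HOSTS = ['AU' => 'www.site.au', 'CA' => 'www.site.ca'];
const DEFAULT_HOST  = 'site.com';

/** Hostname that should serve a visitor from $country. */
function host_for_country(?string $country): string
{
    return COUNTRY_HOSTS[strtoupper($country ?? '')] ?? DEFAULT_HOST;
}

/**
 * Location to redirect to, or null when the visitor is already on the right host.
 * $currentHost: $_SERVER['HTTP_HOST']; $requestUri: $_SERVER['REQUEST_URI'].
 */
function localized_location(?string $country, string $currentHost, string $requestUri): ?string
{
    $target = host_for_country($country);
    // HTTP_HOST may carry a port; compare the name part only, case-insensitively.
    $current = strtolower(explode(':', $currentHost, 2)[0]);
    if ($current === $target) {
        return null;                  // no redirect, so no loop
    }
    // REQUEST_URI is client-supplied: keep it only if it is a clean absolute
    // path (+ query) with no CR/LF and no leading "//" (which would change the host).
    if (!preg_match('#\A/(?![/\\\\])[^\r\n]*\z#', $requestUri)) {
        $requestUri = '/';
    }
    return 'http://' . $target . $requestUri;
}

// In the script from the question, the switch/strpos block becomes:
//   $loc = localized_location($country, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
//   if ($loc !== null) { header('Location: ' . $loc); exit; }

// Constructed inputs for a quick local check (php this_file.php):
$cases = [
    ['AU', 'site.com',         '/whateverpage',   'http://www.site.au/whateverpage'],
    ['AU', 'www.site.au',      '/whateverpage',   null],
    ['AU', 'WWW.SITE.AU:8080', '/a?b=1',          null],
    ['CA', 'www.site.au',      '/a?b=1',          'http://www.site.ca/a?b=1'],
    ['DE', 'www.site.au',      '/x',              'http://site.com/x'],
    ['AU', 'site.com',         '//evil.example/', 'http://www.site.au/'],
    [null, 'site.com',         '/',               null],
];
foreach ($cases as [$country, $host, $uri, $expected]) {
    $got = localized_location($country, $host, $uri);
    printf("%-4s %-17s %-18s -> %-34s %s\n", $country ?? 'null', $host, $uri,
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

The strpos() test in the question only asks whether the target URL is a substring of the current one, so a default-country visitor on www.site.com is bounced to site.com every time; comparing the hostname itself removes that class of surprise.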
I'm trying to redirect users within my network to a specific landing page on our website based on their IP and a blank referrer. This code works, but it ends up in a redirect loop. How do I break out of the redirect loop to correctly redirect a user? Thanks!
$visitor = $_SERVER['HTTP_REFERER'] ?? '';
$clientip = $_SERVER['REMOTE_ADDR'];
$ip = '/^(10\.0\.0\.\d+|192\.168\.1\.\d+)$/'; // placeholder standing in for the real regex list of IPs
if (empty($visitor))
{
    if (preg_match($ip, $clientip)) {
        header('Location: http://example.com');
        die();
    }
}
Add a session to that user so that you know they were redirected already:
session_start();
$visitor = $_SERVER['HTTP_REFERER'] ?? '';
$clientip = $_SERVER['REMOTE_ADDR'];
$ip = '/^(10\.0\.0\.\d+|192\.168\.1\.\d+)$/'; // placeholder standing in for the real regex list of IPs
if (empty($visitor))
{
    // only redirect if they have not been redirected yet in this session
    if (preg_match($ip, $clientip) &&
        (!isset($_SESSION['redirect']) || !$_SESSION['redirect'])) {
        $_SESSION['redirect'] = true;
        header('Location: http://example.com');
        die();
    }
}
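As an added example (not the answer's code), here is the same decision with the address matched against CIDR ranges instead of a regex, and with the loop closed in two places: the landing page itself is exempt from the rule, and the first bounce is recorded in the session. The ranges and the landing path are constructed placeholders; the helper names are assumptions.

```php
<?php
// Added example: CIDR matching instead of a regex over the address, and a loop
// break that works structurally: the landing page itself is excluded from the
// check, and the first bounce is recorded in the session. The ranges and the
// landing path are constructed placeholders; helper names are assumptions.
// Assumes 64-bit PHP (ip2long() results are used as unsigned 32-bit values).

const INTERNAL_RANGES = ['10.0.0.0/8', '192.168.1.0/24'];
const LANDING_PATH    = '/welcome-staff';

/** True if an IPv4 address lies inside a CIDR block such as 10.0.0.0/8. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                       // malformed, or not IPv4 at all
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_internal(string $ip): bool
{
    foreach (INTERNAL_RANGES as $range) {
        if (ip_in_cidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

/**
 * Should this request be bounced to the landing page? Records the bounce in
 * $session (pass $_SESSION) so it happens once per session.
 * $referer: $_SERVER['HTTP_REFERER'] or null, $ip: REMOTE_ADDR, $path: request path.
 */
function should_redirect_to_landing(?string $referer, string $ip, string $path, array &$session): bool
{
    if (!empty($referer) || !is_internal($ip)) {
        return false;
    }
    // A redirect response carries no Referer, so the landing page request would
    // match the same rule again: exclude it, and remember that we already bounced.
    if ($path === LANDING_PATH || !empty($session['redirected'])) {
        return false;
    }
    $session['redirected'] = true;
    return true;
}

// Request-handling glue (after session_start()):
//   $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
//   if (should_redirect_to_landing($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['REMOTE_ADDR'], $path, $_SESSION)) {
//       header('Location: http://example.com' . LANDING_PATH);
//       exit;
//   }

// Constructed inputs for a quick local check (php this_file.php):
$s = [];
$t = $u = $v = [];
$checks = [
    [ip_in_cidr('192.168.1.77', '192.168.1.0/24'), true,  'in /24'],
    [ip_in_cidr('192.168.2.1',  '192.168.1.0/24'), false, 'outside /24'],
    [ip_in_cidr('10.200.0.1',   '10.0.0.0/8'),     true,  'in /8'],
    [ip_in_cidr('::1',          '10.0.0.0/8'),     false, 'IPv6 never matches'],
    [should_redirect_to_landing(null, '10.0.0.5', '/', $s),                 true,  'first internal entry'],
    [should_redirect_to_landing(null, '10.0.0.5', '/', $s),                 false, 'already bounced this session'],
    [should_redirect_to_landing(null, '10.0.0.5', LANDING_PATH, $t),        false, 'landing page itself'],
    [should_redirect_to_landing('http://a.example/', '10.0.0.5', '/', $u),  false, 'has a referer'],
    [should_redirect_to_landing(null, '8.8.8.8', '/', $v),                  false, 'external address'],
];
foreach ($checks as [$got, $expected, $label]) {
    printf("%-30s %s\n", $label, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The path exemption is what actually breaks the loop: the session flag alone still fires once more on the landing page if the session cookie was not yet set when the first redirect went out.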