We Keep Coding

5 characters added in the middle of my URL

I realise that this might be a VERY obscure question but it's driving me mad, I have 5 extra characters being inserted into the URL while navigating between the pages on my site. (eg. http://track.chhs.nsw.edu.au/UXTWP/userAccount.php?) The UXTWP is being added and I'm not sure where from but it is breaking the navigation randomly.
The site is hosted on goDaddy.
It contains HTML CSS PHP JavaScript and mySQL.
Everything was working well until I added a "fix" in PHP to stop a potential 'hack' that would use an id being passed in the URL to switch the viewed content.
I'm not sure this was the problem but that was the most recent change before the errors started occurring.
this is the site I also looked to place the code up on phpfiddle but I'm not sure what to add?
if(isset($_GET['a'])){
if(strpos($userRow['sID'], $_GET['a']) !== false) {
$_SESSION['student']=$_GET['a'];
$tempArray = db_select("SELECT * FROM student WHERE sID ='".$_SESSION['student']."'");
$studentRow = array_shift($tempArray);
$_SESSION['impactTool'] =$studentRow['impactAssToolID'];
$SName = $studentRow['sName'];
$SDOB = $studentRow['dob'];
$SFormDate = $studentRow['formDate'];
$prevInf = $studentRow['prevInfo'];
$famInf = $studentRow['famInfo'];
$contInf = $studentRow['contextInfo'];
$impactIDMsg = "?z=".$_SESSION['impactTool'];
$btnFlag = true;
}else{
header("Location:logout.php");
}
The intention is to dump the user back to the login screen via logout if they attempt to access a student's detail that doesn't belong to them.
Thanks in advance for any help provided.

Ok this time I think it is fixed!! Thank you so much #Progrock for your persistent testing and ideas.
The fix:
I have included a blank .htaccess file into the root of the site.
Now I can navigate through the different pages using the onsite navigation and the browser navigation and I can't create the error anymore.
I'm hoping that this is a permanent fix and my best guess is that it was the browser/server looking for the .htaccess file on particular triggers when not finding it looking to the server generic .htaccess file.
Hope this post helps someone in the future experiencing a similar problem.

Not an answer, but an observation:
I finally experienced the bug when using curl to view headers:
curl -I http://track.chhs.nsw.edu.au
Output:
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /TSXbZ/
Then shortly after, the same curl call resulted in the desired page without the redirect. So the bug is inconsistent, as you have said.
If I do a header location redirect in Php code. Or I use a .htaccess rule to do something similar: A return header reads something like this:
Server: Apache/2.2.22 (Foo)
The absence of an apache server header (for some of your responses) makes me suspicious that a proxy or caching layer may sit in front of your webserver and Php code.
Reading your code, I can't see any obvious reasons for the character insertions.
Notice subsequent differences with the following responses (return headers):
3:21% curl -I http://track.chhs.nsw.edu.au
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /XRjRZ/
3:23% curl -I http://track.chhs.nsw.edu.au
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /
3:24% curl -I http://track.chhs.nsw.edu.au
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /
3:24% curl -I http://track.chhs.nsw.edu.au/index.php
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /index.php
3:24% curl -I http://track.chhs.nsw.edu.au/index.php
HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 15:24:56 GMT
Server: Apache/2.4.23
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=60d307bdc288bf1371dc5e0c8c397cdf; path=/
Vary: User-Agent
Content-Type: text/html
Have you got an esoteric .htaccess, or server config?

varnish not work only for one web site

I have a server with more site , after install varnish I tested if cache works, but for one web site not work varnish (have response of max-age=0). If I try to insert a simple php page (not correlated to main website) in same folder of this website, the response works.
This is a header when try :
HTTP/1.1 200 OK
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=ragejao4sm1kckjn1trvap3ft0; path=/
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Cache-Control: max_age=8600
magicmarker: 1
Content-Length: 11863
Accept-Ranges: bytes
Date: Fri, 12 Jun 2015 12:28:15 GMT
X-Varnish: 1250916100
Age: 0
Via: 1.1 varnish
Connection: keep-alive

Varnish by default doesn't cache responses where cookies are set.
If you want to change this behaviour you need to consider how the cookie is being used (it looks like a session cookie) and either use the session id as part of the cache hash (ie so other users don't get a cached response from someone else's session) or use something like ESI to allow the "common" parts of the page to be cached while the session specific parts are fetched independently.
http://www.varnish-cache.org/trac/wiki/VCLExampleCacheCookies
https://www.varnish-cache.org/trac/wiki/ESIfeatures

PHP HTTPS to HTTP

I am having difficulty with the header function in PHP.
The call to the function is initiated on a secure HTTPS page. Every time I call the header function with http://, something somewhere is changing the protocol to HTTPS.
In my program, this example:
header("Location: http://www.google.com");
takes me to https://www.google.com instead.
My environment is IIS 7.5 Windows 2008 64-Bit
PHP 5.5.12 with Fast CGI
Is there something that I have accidentally enabled either in IIS or php.ini that would automatically force http to https?
This does not happen when launching the code from an http page, http to http works, http to https works and https to https work. However, https to http is failing.
I've been searching and most results keep reversing my question by showing me ways to force http to https. I need the opposite.
Thanks in advance for any assistance!
EDIT: Google was an example URL. Sorry.
header("Location: http://www.systronicsinc.com/");
is my actual URL that is failing. This keeps redirecting to https://www.systronicsinc.com/.
This is a raw header from Fiddler.
HTTP/1.1 303 See Other
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://www.systronicsinc.com/
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.5.12
Set-Cookie: PHPSESSID=va1hh3ff8h0buus689kf86eoc1; path=/
Date: Fri, 24 Oct 2014 17:39:34 GMT
Content-Length: 156
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found here</body>
I find it interesting that the link in the body retained the original http protocol as initially set, but the Location field in the header is modifying it to https. I've been hunting through IIS and my php.ini file. I cannot see anything that would dictate this behavior. Maybe this additional information will spark a thought with someone. Thanks!

Google uses SSL, so https://, for it's websites.
See: https://support.google.com/websearch/answer/173733?hl=en
and: https://www.seroundtable.com/google-ssl-drops-query-data-14188.html

No, Google redirects you to a secure page.
They probably use a function that does something like my https function. Feel free to use.
function https(){
$sv = $_SERVER;
if(!isset($sv['HTTPS'])){
header("LOCATION:https://{$sv['SERVER_NAME']}{$sv['PHP_SELF']}"); die;
}
}
function http(){
$sv = $_SERVER;
if(isset($sv['HTTPS'])){
unset($_SERVER['HTTPS']);
header("LOCATION:http://{$sv['SERVER_NAME']}{$sv['PHP_SELF']}"); die;
}
}

PHP cURL: HTTP headers show 302 and cookies set, cookies are saved and sent, same headers appear?

This is kind of a carry on from a question asked yesterday: Can't seem to get a web page's contents via cURL - user agent and HTTP headers both set?
I'm attempting to access a url's contents, the problem is the way this url handles request.
The url: http://www.deindeal.ch/deals/atlas-grand-hotel-2-naechte-30-2/
First request (without cookies):
After "learning" to use curl in the command line (props to #d3v3us), a simple request curl -i http://www.deindeal.ch/deals/atlas-grand-hotel-2-naechte-30-2/ shows the following:
curl -i http://www.deindeal.ch/deals/atlas-grand-hote
l-2-naechte-30-2/
HTTP/1.1 302 FOUND
Date: Fri, 30 Dec 2011 13:15:00 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Language,Cookie,Accept-Encoding
Content-Language: de
Set-Cookie: csrftoken=edc8c77fc74f5e788c53488afba4e50a; Domain=www.deindeal.ch;
Max-Age=31449600; Path=/
Set-Cookie: generic_cookie=1; Path=/
Set-Cookie: sessionid=740a8a2cb9fb51166dcf865e35b91888; expires=Fri, 27-Jan-2012
13:15:00 GMT; Max-Age=2419200; Path=/
Location: http://www.deindeal.ch/welcome/?deal_slug=atlas-grand-hotel-2-naechte-
30-2
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Second request (with cookies):
So, I save the cookie using -c, check that it saves as cookie.txt, and run the request again with the addition of -b cookie.txt, getting this:
curl -i -b cookie.txt http://www.deindeal.ch/deals/atlas-grand-hotel-2-naechte-3
0-2/
HTTP/1.1 302 FOUND
Date: Fri, 30 Dec 2011 13:38:17 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Language,Cookie,Accept-Encoding
Content-Language: de
Set-Cookie: csrftoken=49f5c804d399f8581253630631692f5f; Domain=www.deindeal.ch; Max-Age=31449600; P
ath=/
Location: http://www.deindeal.ch/welcome/?deal_slug=atlas-grand-hotel-2-naechte-30-2
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
To me this looks like exactly the same contents, minus one or two parameters in the cookie, but maybe I'm overlooking something?
I'm attempting to get the curl request to function and return the same contents as when requesting that url via a browser, but I'm not sure what I should do next.
Note: I've tagged this PHP, as I am using PHP to make the requests, I've simply using command line to easily show the returned headers - so if there's any other PHP libraries or methods that would work (better, or in a place that cURL wouldn't), please feel free to suggest any.
Any help would be greatly appreciated ;).

You need this,
curl -iL -c cookie.txt -b cookie.txt http://www.deindeal.ch/deals/atlas-grand-hotel-2-naechte-3
-b flag is used to read cookie from . For a file to be used to save cookie after the http transaction use -c flag. Its called cookie jar.
Using WebGet (Sorry, Its written by me) pulling the contents is quite simple.
require "WebGet.php";
$w = new WebGet();
$w->cookieFile = 'cookie.txt'; // must be writable
$w->requestContent("https://github.com/shiplu/dxtool");
print_r($w->responseHeaders) // prints response headers
print_r($w->cachedContent) // prints url content

I may be misunderstanding your question, but a 302 response means content found, and you just need to follow the "Location" right? cUrl will only perform one request, unlike your browser which will see that 302 (set the cookies, just like you're doing) then follow that location header. It looks like your location has a "?" in it that isn't in the original. Run cUrl, with that same cookie jar, on the Location url.
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#3xx_Redirection

How to find out where data is buffered with HTTP protocol?

I'm trying to use early flush with php5/apache2 to execute some code, render some json and after that executing another part of the code that take several second but doesn't produce any response.
The basic code so far is:
#apache_setenv('no-gzip', 1);
#ini_set('zlib.output_compression', 0);
echo 'Page loading'; // code to render;
ob_flush();
flush();
sleep(29); // LONG time code to execute
The previous example does not work. I mean it will echo 'Page loading' after 29seconds.
If I looked at the http response I have:
(Status-Line) HTTP/1.1 200 OK
Date Mon, 04 Jul 2011 19:49:19 GMT
Server Apache/2.2.11 (Win32) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.3.0
X-Powered-By PHP/5.3.0
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma no-cache
Keep-Alive timeout=5, max=100
Connection Keep-Alive
Transfer-Encoding chunked
Content-Type text/html
My problem is not really why it doesnt work? but How can I checked where my string get buffered?
I know that there is different buffer:
- php output_buffer, php zlib.buffer
- apache mode_deflate / gzip
- browser buffering
All php output buffering are off, apache mode_deflate is activated but as you can see the transfer-encoding is "chunked".
I have no idea how to find out where is my problem, I'm using HttpFox to see the header and I try to get the content of the HTTP request, HttpFox say that the content is not ready until the 29seconds are done.
Any advice?

Hmm have you tried ob_get_level() ?

Marc B was right...
I had to make a loop of a 1000, with output_buffering activated
$var = 1000;
while(--$var)
echo 'Page loading'; // code to render;
To be able to see result before the sleep.
I have to to a loop of 100, with output_buffering = off to get the same result.