php session id redirect - php

What I am trying to do is use $_SESSION['user_id'] to check if 'user_id' is = to "number", say 56 for example; if so, load the page, if not, redirect the user to "billing/".$_SESSION['user_id'].".php";
So far I have this
<?php
if ($_SESSION['user_id']) === 56) {
//do nothing
} else {
header("Location: billing/".$_SESSION['user_id'].".php");
exit();
}
?>
I know this code is wrong but hopefully it conveys what I am trying to accomplish.
Thanks in advance for your help and code snippets.

Do not edit the code in your question based on the answers. You are making it impossible to understand what you are talking about.
If you want to add something - ADD it below the original text.
Ask a clear, certain question. Describe the problem you face and what kind of solution you need.
Separate matters. As a matter of fact, sessions have nothing to do with redirects. If you want to know how to use sessions - ask how to use sessions. If you already have a valid and verified session variable but have no idea of redirects - ask about redirects. If you don't know how to compare values - ask it. If you know everything but are not certain about some bells and whistles of the code styling - ask this particular question.
Now, what is your question?

You're pretty close, but you could use the php function http_redirect instead for the redirect, to be more concise (requires the PECL library):
<?php
if ($_SESSION['user_id'] == 56) {
//do nothing
} else {
http_redirect("billing/".$_SESSION['user_id'].".php", array(), true, HTTP_REDIRECT_PERM);
}
?>

The PHP Doc for header() gives a lot of info about how to use the header function. The most important is:
Make sure no html or text has been echoed or sent to the browser before you call header().
You need an exit(); after header() since you're done rendering the page and some browsers prefer it.
HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path so you'll want to put the full URL after 'Location:'. See php doc for example.

Why not check the opposite? And for readability it is wise to use {} not "." (as long as your editor highlights this)
<?php
if($_SESSION["user_id"] != 56) {
header("location: billing/{$_SESSION['user_id']}.php");
die();
}
?>
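A hardened form of the check discussed in this thread, as an added example that is not code from the question or any of the answers. It validates the session value before it reaches the Location header and handles the case where `user_id` is stored as the string "56", which a bare `=== 56` would reject. `BASE_URL`, `login.php` and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. BASE_URL and login.php are assumed names.
const BASE_URL = 'https://example.com/';

/** Returns null when the page may load, otherwise the absolute URL to redirect to. */
function redirect_target(array $session, int $allowedId): ?string
{
    // Accepts 56 and "56"; rejects "56abc", "../admin", arrays and a missing key.
    $id = filter_var($session['user_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return BASE_URL . 'login.php';            // no usable id in the session
    }
    if ($id === $allowedId) {
        return null;                              // strict compare is safe after validation
    }
    return BASE_URL . 'billing/' . $id . '.php';  // only an integer can reach the header
}

function enforce(array $session, int $allowedId): void
{
    $target = redirect_target($session, $allowedId);
    if ($target === null) {
        return;
    }
    if (headers_sent($file, $line)) {
        // Output already started, so header() cannot work; stop instead of rendering.
        exit("Cannot redirect: output started at $file:$line");
    }
    header('Location: ' . $target, true, 302);
    exit; // nothing below the guard runs, whatever the client does with the header
}

// In a page: session_start(); enforce($_SESSION, 56);
// Constructed inputs showing the decision without sending any header:
$samples = [['user_id' => 56], ['user_id' => '56'], ['user_id' => '57'],
            ['user_id' => '../admin'], []];
foreach ($samples as $s) {
    var_dump(redirect_target($s, 56));
}
```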

Related

Redirect after logging out

I'm writing a code to redirect to home-page after logging out. I used to use
header("Location: index.php");
but I found in some tutorial that I can use
echo "<script>location.href = 'index.php'</script>";
Now I want to know the difference between both scripts and which is better?
The first one uses PHP, and the second uses Javascript (you'd need to make sure it was echo'ed inside <script></script> tags).
The Javascript solution requires Javascript to be enabled and makes the browser do a little more work than the PHP header method. I think the PHP method, header("Location: index.php"); is safer. You would just need to make sure to use die(); after the header command or else risk loading the rest of the page before the redirect can be processed.
Another consideration is that the pure php solution won't work if you've already echo'ed anything (including whitespace). So in some situations, echo "<script>location.href = 'index.php'</script>"; could be a better choice.
Like Stevish mentioned, the second one is Javascript and could be deactivated by the user, if he deactivates Javascript. With PHP the Server will do the redirect.

redirect to another page using header()

I want to handle it so that when the user inputs "examp" it will redirect to "examp.php".
I think it's pretty simple but I haven't been able to get it right, please help. Thanks very much <3
$search = $_GET['search'];
if ($search == 'examp') {
header("location: examp.php");
exit();
}
You should check out the php documentation about header redirection.
php header
Also if you redirect to another page, your exit(); won't work because you're not on that page anymore. I think you're missing the protocol start http/https://
edit:
It's just a guess, but aren't you looking for an include or require function? That incorporates your php file into the existing one and exits after exit() function. If yes check out:
Include
require

Redirect PHP query

I need to redirect visitors from:
/plug/survey/survey.php?22
to
/publications.php?1.articles.view.547
I have a limited understanding of .htaccess and php and wonder if anyone has any tips/ideas for me?
Any help would be very much appreciated!
Thank you
Add to the top of survey.php:
<?php
if ($_SERVER['QUERY_STRING'] == "22") {
header("Location: http://example.com/publications.php?1.articles.view.547");
exit;
}
You can write this code in htaccess file
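# Redirect (mod_alias) ignores the query string; use mod_rewrite (pattern assumes .htaccess in the document root)
RewriteEngine on
RewriteCond %{QUERY_STRING} ^22$
RewriteRule ^plug/survey/survey\.php$ /publications.php?1.articles.view.547 [R=302,L]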
Also read this
http://corz.org/serv/tricks/htaccess2.php
if it is just the one file, you can use header('Location: '.$url); at the top of the php - see http://php.net/manual/en/function.header.php
Your question really lacks vital information:
Where does that "1.articles" come from - is it a fixed string?
Where does that "547" come from? I guess it is from a database lookup somehow?
If so, there is no easy way to do that using plain rewrite rules.
Most likely the best solution is to write a small php script you redirect to. Inside that script you evaluate the request parameters (php variables $_SERVER and so on), make your database lookup and use the information gathered to send a redirect header to the browser (using PHP's 'header()' method).
I think your solution is
header("location:/publications.php?1.articles.view.547");
You can use .htaccess, but if you want the user should go on that page you can't use it because it will redirect you before reading any code on that page, but header() will first read the code and if any code is something not good then redirect like this,
if($varisgood){
// not redirect
}
else{
//redirect
}

How can I send a user to another url without a header redirect?

I'm learning PHP and been looking for this for a while. What I want to achieve is something like so:
if (true/false) {
go to this url;
}
Every time I search terms like php redirects or php links etc., 99% of the time I get something "headers". I read that header redirects can achieve this but no code can go before it, that it must be first on the page else it won't work.
If that's so, then how can I achieve this?
I read that header redirects can achieve this but no code can go before it, that it must be first on the page else it won't work.
That's wrong. There must be no output before this. Thus you have to ensure, that you don't echo, print, ?>something<?php (or whatever) anything before.
if (true) {
header('Location: ' . $url, false, 302);
exit; // Ensures, that there is no code _after_ the redirect executed
}
You can read everything about it in the official manual. Especially:
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include(), or require(), functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
echo '<script type="text/javascript"> document.location = "http://yoururl.com";</script>';
and this will be executed when this part of script is executed.
You can use this if you need some output before the redirect:
header("refresh: $time_in_seconds; url=$your_url");
You still must call this before output is actually sent however. Send the header, then send your output - the page will "redirect" in the time specified.
Disclaimer: I must admit, I'm not sure what the implications of this are and can't find docs on it, so I can't necessarily recommend it - but I can validate that it works.

securing a webpage without headers

I just read this article on tdwtf.com. Generally, it describes an archiving bot destroying things because it ignores headers. I then realized that I don't know how to do security in a page WITHOUT headers. Therefore my question is:
What security measures can i take besides using headers?
I develop mostly in php, so I'm familiar with header("Location: ") function. But what else is out there?
Ideally I'm looking to replace the logic of
if (!$something_important) header("Location: somehereharmless.php");
with something else (more) secure?
This one works pretty well
if (!$something_important) {
header("Location: somehereharmless.php");
exit();
}
Even if it's bot, so it doesn't respect Location, you will call an exit so the execution flow is halted anyway, so no harm
header: location is fine, as long as you include an exit at the end.
You might also want to include a link or something.
I usually use something like this:
<?php
function redirect($url)
{
header('Location: ' . $url);
exit('Redirecting you to: ' . $url . '');
}
redirect('somepage.php');
?>
This way people can't bypass the redirect, and know that they should be redirected.
[Edit]
Also, always use POST when deleting stuff. It is very easy to create a fake GET (for example <img src="http://www.example.org/action.php?do=SetAsAdmin&userid=MyUserId" />).
Make sure all your gets are idempotent
Idempotent means that doing same request many times has the same effect as doing it once.
I'd say that if you have a PHP script that performs some action which only, say, logged-in users should be able to perform, you must put the check for being logged in right there in the very same script, so you can look at it at a glance and see that the code is secured. My rule is that there are only two valid patterns for protecting secured code:
if (user_is_authorized()) {
// restricted code here
}
or Alekc's
if (!user_is_authorized()) {
// send headers or whatever if you want
exit();
}
// restricted code here
To be perfectly honest, I was rather shocked... or at least disappointed... when I read that article - I can't understand how someone came to the conclusion that a website could be secured with HTTP headers. A header is nothing more than some text that your server sends out. It's an instruction that may be followed or ignored by the client at will (at least, you have to think about it that way for security purposes). As far as I'm concerned, outgoing (response) HTTP headers are pretty much useless for security. (This is not counting things like HTTP authentication, where you send a header and get one back in response... but in that case it's the contents of that reply header that you base your security on, not the header you sent out.)
The reason for the incident reported in the link you provided was the missing exit; statement after the header();. The bot can't do any harm if the script stops.
if (!$something_important) {
header("Location: somehereharmless.php");
//close all your db connections and other stuff you need to end..perhaps calling a function?
die("If the redirect doesnt start in 3 seconds, please click here");
}
Your solution is
<?php
die($errormessage);
Die will just halt your script, not go through start, don't collect any data that you shouldn't.
Addition to Alekc's answer: if you have many header("Location:") statements and the person qualifies for them all, the last one will fire.
if($foo && $bar)
{
header("Location: somehereharmless.php");
}
if($foo && $baz)
{
header("Location: someotherplace.php");
}
So if that user has all 3 variables set, he will get redirected to someotherplace.php. Unless you have an exit(); or a die(); after the header();
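A way to audit a code base for the problem this thread describes, as an added example that is not from any of the answers: a small scanner built on PHP's tokenizer that reports every header("Location: ...") call whose next statement is not exit or die. The function name and the sample source are constructed for illustration; calls written as \header() or wrapped in a helper function are not covered.

```php
<?php
// Added example: report header("Location: ...") calls not followed by exit/die.
function find_unterminated_redirects(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Drop whitespace and comments so "next token" means "next code token".
    $tokens = array_values(array_filter(token_get_all($source), function ($t) use ($skip) {
        return !is_array($t) || !in_array($t[0], $skip, true);
    }));
    $hits = [];
    $n = count($tokens);
    for ($i = 0; $i < $n - 1; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strtolower($t[1]) !== 'header'
            || $tokens[$i + 1] !== '(') {
            continue;
        }
        // Concatenate the argument tokens up to the matching ')'.
        $depth = 0;
        $args = '';
        for ($j = $i + 1; $j < $n; $j++) {
            $text = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($text === '(' && ++$depth === 1) {
                continue;
            }
            if ($text === ')' && --$depth === 0) {
                break;
            }
            $args .= $text;
        }
        if (!preg_match('/^["\']\s*location\s*:/i', $args)) {
            continue; // some other header
        }
        // A safe redirect is followed by ';' and then exit/die (both are T_EXIT).
        $next = $tokens[$j + 2] ?? null;
        if (($tokens[$j + 1] ?? null) !== ';' || !is_array($next) || $next[0] !== T_EXIT) {
            $hits[] = $t[2]; // line number of the header() call
        }
    }
    return $hits;
}
// Constructed sample built from the patterns discussed in the thread.
$sample = <<<'PHP'
<?php
if (!$a) header("Location: somehereharmless.php");
if (!$a) { header("Location: somehereharmless.php"); exit(); }
if ($foo && $baz) { header("Location: someotherplace.php"); }
PHP;
print_r(find_unterminated_redirects($sample));
```

Run it over each file with file_get_contents() and review every reported line; a hit means code after the redirect still executes for any client that ignores the Location header.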
