I have a PHP page on a website that I'd like to be accessible only from another page on that website.
If a user clicks a link to the page, or types the page's address, and does not come from the site's domain, I'd like the page to redirect the user to the index.
Any ideas?
What you could do is use sessions.
make the index set a variable
$_SESSION['visitedIndex'] = TRUE;
and testing for it in the other pages:
if(!$_SESSION['visitedIndex']) {
header('location: ....');
}
make sure you do this before the first echo.
You could also create an internal service using a $hash = timestamp + internal secret key or your paricular rule.
First page has a link
http://www.samesite.com/page_2.php?param=hash
Second page decodes the hash and check the timestamp against a given interval. Otherwise it refuses the display.
As only you know the internal key is impossible to fake.
Check 'Referer' field?
It's easily hackable, tho. The more reliable way is to check if the used had no active session (if your site assigns them to visitors).
Use the referer fo this:
if ($_SERVER['HTTP_REFERER'] != "...") {
header("LOCATION: othersite");
}
Related
For example, I have a page called profile_page.php. This page is only functional if data is written after the ?u= in the URL, for example, data for Alice's profile page can only be seen when the URL reads http://localhost/profile_page/alice.
Loading http://localhost/profile_page will give me undefined variable errors as most of my variable's are depending on the URL to have a value after the ?u=. For example, the variable $firstname can only be gathered when I get her username in the URL.
In such a case, when http://localhost/profile_page, I would rather have it redirect the user to their own profile_page, but I don't know how I can test the URL and parse it through an if statement.
I understand you can use $u=$_GET['u']; to obtain the current page URL? but I don't think doing this, is the best way to go about it:
$u=$_GET['u'];
if ($u == "http://localhost/profile_page/"){
// redirect to logged in users page code here
}
First, if you are using some parameter for your page to build, the url would looks like httlp://localhost/profile_page.php?firstname=alice&lastname=brown, with $_GET['firstname'] you will get alice in this case. If you want to test if the parameter is set first and redirect to another page if it is not set, you could use
if(!isset($_GET['firstname'])
{
header('Location:redirected_page.php');
}
Is there some sort of PHP code that allows me figure out which of the two pages was last visited.
Here is why i need it.
I have 3 pages called:
user-management.php, manage-membership.php and manage-user.php
There are two ways of getting to manage-user.php. One is to click on the name of the user in user-management.php and the other is to click on the membership account holder in membership-management. Both user-management and membership-management are completely different pages so please don't tell me to merge them to make it easier, because it won't get easier.
What i want to do is track where i'm coming from.
For example, if i'm going to manage-user.php from user-management.php, when all the editing is done, i want it to redirect back to user-management.php, and the same for membership-management.
How do i check to see which of the two pages I came from and redirect back to those pages accordingly?
Have each of your scripts record their name in the $_SESSION, so you're keeping track of where you came from:
user-management.php:
$_SESSION['came_from'] = 'user-management.php';
and then in your manage-user.php script:
Back
This is more reliable than using the HTTP referer, because not everyone sends refers, or sends the ACTUAL referer.
you could use $_SERVER['HTTP_REFERER'];
But this is not so safe, better store the page in a session and
check it then.
session_start();
...
$_SESSION['log'][] = $_SERVER['PHP_SELF'];
...
if ($_SESSION['log'][count($_SESSION['log'])-1] == "xxx") {
do code...
}
Tried this? -> $_SERVER["HTTP_REFERER"]
You can read more from this: http://www.electrictoolbox.com/php-http-referer-variable/
You could use $_SERVER['HTTP_REFERER']; but the user can also set their browser to not send the referer header. You could also do something like this:
At beginning of page:
session_start();
$lastVisited = $_SESSION['last_visited'];
At end:
$_SESSION['last_visited'] = $thisPagename;
I have index.php that include pages like
<?php
define('MyConst', TRUE);
include_once('template/header.php');
if (!empty($_GET['action'])) {
$action = $_GET['action'];
$action = basename($action);
include("template/$action.php");
} else {
include("template/main.php");
}
include_once('template/footer.php');
?>
With in a template directory I have main.php which has link to other pages like page1.php, page2.php.
Goto page 1
Goto page 2
How could I prevent users form accessing pages directly typing "http://mydomain.com/?action=page1" on the URL? And redirect them to main.php if they have done it?
You can not. What you want is simply not possible.
For the server side there is no way to know whether an URL is typed or clicked.
If I understand correctly, the thing you want is to prevent the user to access http://example.org/?action=page1 unless they came from http://example.org/?action=main. To do that, you must be able to detect whether they came from http://example.org/?action=main. The safest way to do that is to generate some random value that you associate to the users when they access http://example.org/?action=main and to check whether there is a correct value associated to the users when they want to access http://example.org/?action=page1. If not, they tried to access that page directly.
Check for HTTP_REFERER and if it is not pointing to right values (like your meny page) then redirect user.
Maybe you can try this, On your index.php :
session_start();
if(! isset($_GET['action']))
{
$_SESSION['pageAccess'] = true; # Set the key whatever you want
}
then under that script (we need that session_start() used twice) :
if(isset($_GET['action']))
{
if(! isset($_SESSION['pageAccess']) || ! $_SESSION['pageAccess'])
exit('There is no direct access allowed.');
}
Hope this help, have a nice day.
As per your Question:
There are two approaches that you can follow:
Use HTTP_REFFRER and check on desired page if User is coming from the page u wanted. IF he is accessing the direct URL then show him error page.
Use $_SESSION but this approach can be harmful as SESSION will always be there untill browser / instance closed.
So better to go for 1st approach.
And also as per Pehaa, you can not check id URL is typed
Ok so when somebody types this into the URL mywebsite.com/?s1=affiliateid
I want to take the affiliateid part out of the URL. Every affiliate will put a different username into the address.
Then I want to create a link will point to differentwebsite.com/?id=affiliateid based on the username typed into the address bar.
Now so far, I know that I have to have something like this will get that affiliate id
$aff_id = $_GET['s1'];
Then I can use that variable to create a link or just redirect it to the next page
differentwebsite.com/?id=$aff_id
My question is, where do I place this code at? $aff_id = $_GET['s1'];
Do I have to make a page called ?s1.php or something?
Assuming s1 isn't used anywhere else but just to create a link:
<?php
$s1 = isset($_GET['s1']) && !empty($_GET['s1'])
? $_GET['s1'] // it's populated, use the passed value
: ''; // default value in case it's not present
//
// Maybe check $s1 is indeed valid
//
$newurl = sprintf('http://differentwebsite.com/?id=%s', urlencode($_GET['s1']));
?>
Then you can output that link somewhere on the page, like:
New Url Here
urlencode will make sure that if s1 has characters like &, =, ?, / (or others) it won't break the integrity of the url.
If you want the concise approach:
<a href="http://differentwebsite.com/?id=<?= urlencode($_GET['s1']); ?>">
New Url Here
</a>
You could place $aff_id = $_GET['s1'] anywhere before you want to use $aff_id. I tend to put stuff like that at the top of the page.
Or, simply put. "differentwebsite.com/?id=$_GET['id']"
I would suggess you do a check to see if the id parameter exists in the URL before you try to use it. Maybe even make sure it is the data type you expect, integer, string, etc. So as when you redirect users, you don't send them somewhere else in a broken way.
If you are not using this for SQL then no SQL Injection could occur #BlackHatShadow.
Append the $aff_id that you get from mywebsite.com to the url of the new web site. Presumably, $newurl = "differentwebsite.com/?id=".$aff_id.
Edit:
Do I have to make a page called ?s1.php or something?
You need to make a page that the user will land on when they hit the url: www.mywebsite.com/
I assume you are running a web server that can process PHP code. The code can go into a file called index.php in your server's document root directory. If you don't know what this is, I suggest googling a "how to" guide for your specific server.
Get the value of "s1" from the url and store it in $aff_id:
$aff_id = $_GET['s1'];
If you want to pass this variable into another web site which accepts an "id" parameter, then you can simply append $aff_id to the new web URL and redirect the user there.
Redirect the user to differentwebsite.com and also sends the $aff_id from mywebsite.com to the other URL:
header('Location: http://www.differentwebsite.com/?id='.$aff_id);
Im new to this and im trying to rewrite URL so that utm_expid is hidden so if my url is:
http://www.myweb.com/?utm_expid=67183125-2
how would i make it so when user visits
myweb.com
it does not show utm_expid in url
Is this possible using PHP/JS?
NOTE: i cant use RUBY or any other languages except PHP/JS/HTML
There is a way. Just redirect the page to base url once the utm_expid=67183125-2 is got. ie,
if($_GET['utm_expid']) { //header to redirect to myweb.com }
Its a tricky way. Hope you are permitted to use it.
Just start a session and store value in session variable. you can regain it even page is re directed.
ie
<?php
session_start();
if($_GET['utm_expid']) {
$_SESSION['variable_name']=$_GET['utm_expid']
//header to redirect to myweb.com
}
?>
Let me add this Javascript trick that is server agnostic.
if (location.search.indexOf('utm_expid') > -1) {
history.replaceState('page', 'Title', '/')
}
I recommend you to place it at the end of the body.
If you wanted a clean URL (as you do for branding and manual sharing purposes), I'd script it so that you load a full page iFrame which loads the gA test queried URL. That way the user see s the clean URL in the address bar and still see the experiment.
You could use PHP to set up your index page (or any server side, or even client side script).