PHP Redirect doesn't work - UPDATE: Safety of @extract($_POST);



dl33
09-22-2007, 05:53 PM
EDIT: Scroll down for a follow up problem related to the safety of @extract($_POST);

Hi all,

I set up a php redirect resulting from two dropdown select menus. Here is the code:


<?php
@extract($_POST);
$quickarchive_date = stripslashes($quickarchive_date);
$quickarchive_categories = stripslashes($quickarchive_categories);
if ( $quickarchive_categories == "C" && $quickarchive_date == "#" ) {
    $url = "http://www.mysite.com/weblog/archive_2/";
} elseif ( $quickarchive_categories != "C" && $quickarchive_date == "#" ) {
    $url = "http://www.mysite.com/weblog/archive_2/".$quickarchive_categories."/";
} else {
    $url = "http://www.mysite.com/weblog/archive_2/".$quickarchive_categories."/".$quickarchive_date;
}
header("HTTP/1.1 301 Moved Permanently");
header("Location: $url");
?>

This doesn't work. What do I have to change in order to make it work and keep the same functionality.
Thanks, dl33

Twey
09-22-2007, 07:16 PM
@extract($_POST);

Ugh! You might as well just have register_globals on!

What do you mean by "doesn't work?"

insanemonkey
09-22-2007, 07:17 PM
I think you could do that in HTML and it would be a little easier in HTML...

djr33
09-22-2007, 07:45 PM
Huh? No...


Well, the code must be sent (using http headers) before any content on the page. Do you have any html output before that?

Can you link us to the page?

dl33
09-22-2007, 09:27 PM
The code above is the only code in the document. I know that it works as far as outputting $url, since I tried echoing it before I put the redirect statement in.
However, as soon as I try redirecting using header(), it doesn't work, as in doesn't redirect me: The browser gives me a blank page (which makes sense, since the php code doesn't echo anything). Safari gives me the following response:


Safari can’t open the page “http://URL/_archive_php_rewrite”. The error was: “bad server response” (NSURLErrorDomain:-1011) Please choose Report Bugs to Apple from the Safari menu, note the error number, and describe what you did before you saw this message.

Sorry, but I am a complete PHP noob, so please take it easy with me...

Judging from the comment about register_globals, I assume that this script is not that safe: Is there a better way of doing what I want to do? Thanks...

Oh, and about doing this in HTML, I am not aware of it, please help me out. I know that one can redirect users in JavaScript, but I would like to stay JavaScript independent.

This code is being created for a weblog archive. Users can use two drop-down lists to browse it: Unfortunately, the /?etc=bla syntax that classical forms use doesn't work with my publishing platform, so I have to rewrite it.

thetestingsite
09-22-2007, 09:39 PM
Your best bet would be to do the following:



<?php
// Read the two form fields explicitly instead of extract()ing the whole request
$quickarchive_date       = isset($_POST['quickarchive_date']) ? stripslashes($_POST['quickarchive_date']) : '';
$quickarchive_categories = isset($_POST['quickarchive_categories']) ? stripslashes($_POST['quickarchive_categories']) : '';
if ( $quickarchive_categories == "C" && $quickarchive_date == "#" ) {
    $url = "http://www.squawkdesign.com/weblog/archive_2/";
} elseif ( $quickarchive_categories != "C" && $quickarchive_date == "#" ) {
    $url = "http://www.squawkdesign.com/weblog/archive_2/".$quickarchive_categories."/";
} else {
    $url = "http://www.squawkdesign.com/weblog/archive_2/".$quickarchive_categories."/".$quickarchive_date;
}
header("Location: $url");
exit; // stop script output once the redirect header has been sent
?>


Not tested, but should work.
Hope this helps

dl33
09-22-2007, 09:46 PM
Actually, I just found the answer myself: Since I am working with ExpressionEngine I HAVE to add exit; at the end of my code. Don't know why, but my code works now.

However, I still have one more question regarding the safety of @extract($_POST);
Anyone?

thetestingsite
09-22-2007, 11:01 PM
I still have one more question regarding the safety of @extract($_POST);

And your question is?

dl33
09-22-2007, 11:04 PM
How safe is it? And if it isn't safe, how can I make it safer?

djr33
09-22-2007, 11:26 PM
register_globals is on for many servers.

The issue is fairly simple. POST, GET and COOKIE variables will then be real variables. In this case, just POST.
ie, $_POST['whatever'] will set $whatever to the same value.

The safety concern is that anyone could inject any variable they want with a custom form to the page.

Using that means any variable can be set to something when the script starts. So if you check if a variable is set, and it is, then through that it will keep that value.

for example, it could be a problem if you had:
<?php
// With extract($_POST) or register_globals, $delete comes straight from the request
if (isset($delete)) {
    unlink($delete);
}
?>

And they could delete any file on your server.

But that is an extreme case. Only an issue if you have a vulnerability like that in the script.

I'd recommend just using $_POST['name'], rather than $name.
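
The overwrite djr33 describes, as an added illustration rather than code from the thread. $_POST is filled in by hand here to stand in for a crafted form submission that carries two fields the real form never had; the variable names and the file path are made up for the demonstration.

```php
<?php
// Constructed request: the two real form fields plus two attacker-chosen extras.
// A browser would send exactly this from a copied form with hidden inputs added.
$_POST = array(
    'quickarchive_date'       => '#',
    'quickarchive_categories' => 'C',
    'delete'                  => '/tmp/some-file', // hypothetical, never unlinked below
    'is_admin'                => '1',
);

// Vulnerable shape: extract() turns every request key into a local variable,
// which is exactly what register_globals did.
function vulnerable_handler()
{
    $is_admin = false;   // initialised on purpose...
    extract($_POST);     // ...and silently overwritten by the request
    $actions = array();
    if (isset($delete)) {
        $actions[] = "would unlink($delete)";   // the unlink() case from the post
    }
    if ($is_admin) {
        $actions[] = "request treated as admin";
    }
    return $actions;
}

// Hardened shape: read only the fields the form really has. Extra request
// fields never become variables, so $delete does not exist in this scope and
// $is_admin keeps the value the code gave it.
function hardened_handler()
{
    $is_admin = false;
    $date     = isset($_POST['quickarchive_date']) ? (string) $_POST['quickarchive_date'] : '';
    $category = isset($_POST['quickarchive_categories']) ? (string) $_POST['quickarchive_categories'] : '';
    return array('date' => $date, 'category' => $category, 'is_admin' => $is_admin);
}

print_r(vulnerable_handler());  // shows both injected actions
print_r(hardened_handler());    // is_admin stays false, no delete
```

Note that extract()'s EXTR_SKIP flag only protects variables that already exist before the call; a key like `delete` that the script never initialised is still created, so the flag is not a fix. Reading `$_POST['name']` explicitly is.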

dl33
09-23-2007, 12:01 AM
Thanks for the reply, djr33. So is the code as I have it now safe or do I have to change something about it. I mean, I get what you just explained, but I do not think that I can apply it yet to my own code.
What I have now is


<?php
@extract($_POST);
$quickarchive_date = stripslashes($quickarchive_date);
$quickarchive_categories = stripslashes($quickarchive_categories);
if ( $quickarchive_categories == "C" && $quickarchive_date == "#" ) {
    $url = "http://www.mysite.com/weblog/archive_2/";
} elseif ( $quickarchive_categories != "C" && $quickarchive_date == "#" ) {
    $url = "http://www.mysite.com/weblog/archive_2/".$quickarchive_categories."/";
} else {
    $url = "http://www.mysite.com/weblog/archive_2/".$quickarchive_categories."/".$quickarchive_date;
}
header("HTTP/1.1 301 Moved Permanently");
header("Location: $url");
exit;
?>

djr33
09-23-2007, 12:25 AM
What are you using from the post data?
Remove @extract(... and replace any references to these newly created variables with $_POST['thatname'] instead.
That's about it.
In that case, it seems safe enough, probably.
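
The same redirect without extract(), as an added example that is not code from the thread. Beyond dropping extract(), it adds the check a practitioner would want here: the two form values end up inside a Location header, so anything that is not the "C"/"#" sentinel is required to look like an archive slug before it is used. The base URL, the slug character set and the 64-character limit are assumptions; the three URL branches match the original script.

```php
<?php
define('ARCHIVE_BASE', 'http://www.mysite.com/weblog/archive_2/');

// Returns the redirect target, or null when a field holds anything but an
// archive slug. Only the two named fields are read; nothing else in $post matters.
function archive_url(array $post)
{
    $category = isset($post['quickarchive_categories']) ? stripslashes($post['quickarchive_categories']) : 'C';
    $date     = isset($post['quickarchive_date'])       ? stripslashes($post['quickarchive_date'])       : '#';

    // "C" and "#" are the form's own "nothing selected" values. Anything else
    // must be a plain path segment: letters, digits, hyphen, underscore
    // (assumed slug format). That keeps "../", "?", "#", and CR/LF out of the
    // Location header entirely.
    $slug = '/^[A-Za-z0-9_-]{1,64}$/';
    if ($category !== 'C' && !preg_match($slug, $category)) {
        return null;
    }
    if ($date !== '#' && !preg_match($slug, $date)) {
        return null;
    }

    if ($category === 'C' && $date === '#') {
        return ARCHIVE_BASE;
    }
    if ($date === '#') {
        return ARCHIVE_BASE . $category . '/';
    }
    return ARCHIVE_BASE . $category . '/' . $date;
}

$url = archive_url($_POST);
if ($url === null) {
    header('HTTP/1.1 400 Bad Request');
    echo 'Invalid archive selection.';
    exit;
}
// 303 See Other is the status for "you POSTed a form, now GET this page";
// a 301 would let browsers cache the form result as a permanent move.
header('Location: ' . $url, true, 303);
exit; // nothing may follow the redirect header, as found with ExpressionEngine
```

Run from the command line `$_POST` is empty, so the function returns the archive base URL and header() is a no-op; behind a web server the same file performs the redirect.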