Anti-URL code not exactly perfect yet...

Printable View

09-22-2006, 09:33 AM
BLiZZaRD

Anti-URL code not exactly perfect yet...

I have been working on a code to eliminate the use of the URL to gain access to certain pages.

Basically there is a series of pages on site that have 4 password boxes per. Based on the answer you type in the pass box you will be taken to another page. The importance of this is the sequence, we don't want people seeing step 12 if they haven't been to step 5.

So I want to try to eliminate Joe posting the URLs to the 12 steps on his site and then Mary deciding she doesn't want to bother with step 5 skip to step 11.

If that makes sense.

Anyway I have this code so far:

PHP Code:

<?php if(isset($_POST['id'])) { $p = array( array('RED', '/red/index.php'), array('BLUE', '/blue/index.php'), array('YELLOW', '/yellow/index.php'), array('GREEN', '/green/index.php') ); if(!isset($p[$_POST['id']])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php"); if($_POST['pass'] === $p[$_POST['id']][0]) header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']); else header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/cheater.php'); } else { ?>

And for each of the 4 pass boxes:

PHP Code:

<table> <tr> <td> <font size= "4">Red Answer is RED</font> <form action="<?=$PHP_SELF?>" method="post"> <input type="hidden" name="id" value="0"/> <input type="password" name="pass"/> <input type= "submit" value= "Red Answer!"/></form> </td> </tr> </table></center>

So, obviously if you enter RED in the passbox, you will go to mysite.com/red/index.php and if you just type "mysite.com/red/index.php" into your URL you will go to the cheater.php page.

HOWEVER... if you type "mysite.com/red/index.php?pass=RED" into the URL you will go to the red/index.php page...

Is there something I can do to eliminate the ?pass=RED part of the posting in the URL? I don't care if it is needed, just don't want it to show up in the actual URL for Joe, to copy and put on his site.

I am still foggy on the Post/Get thingy, would that help?

<EDIT>
I forgot to mention, I have the "check" on the /red/index.php, again with the next 4 passboxes ready to go, as follows:

PHP Code:

<?php if(!isset($_GET['pass']) || $_GET['pass'] !== "RED") header('Location: http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/cheater.php'); if(isset($_POST['id'])) { $p = array( array('RED', '/red/index.php'), array('BLUE', '/blue/index.php'), array('YELLOW', '/yellow/index.php'), array('GREEN', '/green/index.php') ); if(!isset($p[$_POST['id']])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php"); if($_POST['pass'] === $p[$_POST['id']][0]) header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']); else header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/cheater.php'); } else { ?>
09-22-2006, 11:14 AM
blm126

$_GET[pass'] should be $_POST['pass']
09-22-2006, 11:19 AM
BLiZZaRD

No, that doesn't work either... If I do that it gets redirected to the cheater.php sure, but it ALSO goes there if you put the answer in the passbox.. YIKES!!
09-22-2006, 01:41 PM
Twey

Then in the form, you must be using GET. Set method="post" on all the forms involved.
09-23-2006, 05:23 AM
BLiZZaRD

Nope, all are method="post"

The only place GET shows up in any of them is here:

PHP Code:

if(!isset($_GET['pass']) || $_GET['pass'] !== "RED")

and this on ON index.php (the page you go to with a correct answer).
09-23-2006, 02:12 PM
Twey

Then you must have an equivalent form posting to that page using GET, or that code wouldn't work. Convert it to POST.
09-24-2006, 07:50 AM
BLiZZaRD

Yes, I will eventually have 4 pages linking to each other page in the same way. I will convert ALL to POST and see what happens. Thanks!
09-24-2006, 01:25 PM
BLiZZaRD

AHA! Okay I figured it out but I don't know how to fix it.

WhenI originally got this script working it was on the first page at http://mysite.com/page.php

Then (using the RED answer as example) when RED was put in the correct box, you went to http://mysite.com/red/index.php

However, when I started making the actual pages this wasn't the case. The whole thing will be in it's own folder, so /red/ will be a sub-folder.

Meaning the first page will be at http://mysite.com/folder/page.php and when RED is entered you will be taken to http://mysite.com/folder/red/index.php

So the error is in the header directs somewhere in all that very confusing . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'] stuff!

What do I need to add to the codes to allow for the folder and sub folder stuff?

---------------------------------------------------------------------------

I have tried it with

Code:

$_SERVER['SCRIPT_FILENAME']

as that is the closest thing I could understand from this page

But it didn't work. What am I doing wrong???
09-29-2006, 09:07 AM
djr33

Can you put these pages up to test?
Too tired to figure it out right now.
10-03-2006, 09:45 AM
BLiZZaRD

Sorry, lost all my new post icons.

What do you mean put them up to test? I have an example page on one of my dead sites.. you can find the page HERE but I don't see how that will help with the problem, its all php coding, so you wont get much from there. :D

As you can see you can use the main page (with the multi colored image) to go to any of the four. You can also go to any of the four if you put "/red/index.php?pass=RED" (sub red and RED for any of the four colors) this is what I want to avoid...

I am thinking of other ways to do this as well though...
10-03-2006, 10:42 AM
djr33

hmm... can't you just check the $_SERVER[HTTP_REFERER and be done with it?
10-03-2006, 11:52 AM
BLiZZaRD

Well, that is the reason for the thread.. I don't understand that stuff.. the $_SERVER blah blah blah..

I have tried reading about them on php.net and there is a lot of good information, but I have no idea what it is talking about.

Every time I tried something that sounded like it would be it, the code broke..

I have no idea
10-04-2006, 01:42 AM
djr33

Well, from what I understand, the referer is the page from which you clicked a link.
I'd guess it would equate to an empty string if you manually typed the address.
Therefore, we can assume that a simple if statement would check that.
if ($_SERVER[HTTP_REFERER] != "http://blah") { die("You can't be here!!!"); }
10-04-2006, 03:02 AM
blm126

$_SERVER['HTTP_REFERER'] is unreliable as many "security" software packages strip or fake it when sending the HTTP headers. If you could post exactly what you to happen I will be able to help more.
10-04-2006, 03:15 AM
djr33

Ah, but they couldn't fake what you want.
But the security packages would hide it, so people wouldn't get in if they should?
Interesting.
I'd just use a session.

Store the sessions in a database. Check that the IP matches the session ID, or something is wrong.
Next, at the top of each page, give the session variable "location" a value representing the current page, like "red".
After that, just check on the next page if that session variable (and the session id/IP address) are valid.
The only other thing is to make sure you randomize the session ids, so they can't come back later with a matching IP/ID and use that link.
Should be easy. Theoretically.
10-04-2006, 05:37 AM
BLiZZaRD

I am trying to piece this together in my spare time (which isn't a lot right now) But here is exactly what I want:

A visitor will come to the site.

They will go to the registration page and make a username and password. Using this information they will be signed into the forum (I believe I will be running phpbb2) and taken to their own personal page.

They then click begin, and are taken to that first page. Once they enter an answer in any box I would like them to be taken to another random page (there will be 100 in total)

Meanwhile, I would like to prevent any and all direct URL access, and even better, preventing the passwords etc from showing up in the URL. This of course is secondary if the SQL can make the next page viewed completely random.

I would need the SQL to also keep track of which pages they have visited as well as which answers they have input correctly. (out of the 4 per page)

This way they can be taken to the same page 50 times if needed, but never again after inputing the 4 correct answers.

Does any of this make sense? I know what I mean, LOL

The problem with sessions is that getting all answers correct could take months, and I don't want them to have to start over every time they clear their cache.
10-04-2006, 09:38 AM
djr33

Ah.
Hmm... perhaps rethink the design a bit so it's somewhat easier.
Interesting.
I'll let you know if I have any thoughts.
Since you're already using usernames/passwords, you could just do it that way.
Additionally, you could use php to generate a random page, and just have the index (or whatever) show that random page... so it would ALWAYS be random... and you could direct link, but that would be random.
Add a user/pass check, and that should be close.
10-04-2006, 10:09 AM
BLiZZaRD

Yeah I thought of that too, but I thought MySQL might help with the storage and tracking.

The idea is well played out in my head, but by the time it makes it to my fingers and out into a post it loses some of it's gloss and understanding.

I will work on writing out a full detailed idea with exactly everything that I want to accomplish. I know ALL of it is possible, I have seen it, just not all together, LOL

Thanks for looking, I will try to make a more coherant post in a few minutes when work dies down. :p