
Thread: Anti-URL code not exactly perfect yet...

  1. #1

    I have been working on a code to eliminate the use of the URL to gain access to certain pages.

    Basically there is a series of pages on site that have 4 password boxes per. Based on the answer you type in the pass box you will be taken to another page. The importance of this is the sequence, we don't want people seeing step 12 if they haven't been to step 5.

    So I want to try to eliminate Joe posting the URLs to the 12 steps on his site and then Mary deciding she doesn't want to bother with step 5 skip to step 11.

    If that makes sense.

    Anyway I have this code so far:

    PHP Code:
    <?php
    if(isset($_POST['id'])) {
      $p = array(
        array('RED', '/red/index.php'),
        array('BLUE', '/blue/index.php'),
        array('YELLOW', '/yellow/index.php'),
        array('GREEN', '/green/index.php')
      );
      if(!isset($p[$_POST['id']])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php");
      if($_POST['pass'] === $p[$_POST['id']][0])
        header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']);
      else
        header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/cheater.php');
    } else {
    ?>
    And for each of the 4 pass boxes:

    PHP Code:
    <table>
    <tr>
    <td>
    <font size= "4">Red Answer is RED</font>
    <form action="<?=$PHP_SELF?>" method="post">
    <input type="hidden" name="id" value="0"/>
    <input type="password" name="pass"/>
    <input type= "submit" value= "Red Answer!"/></form>
    </td>
    </tr>
    </table></center>
    So, obviously if you enter RED in the passbox, you will go to mysite.com/red/index.php and if you just type "mysite.com/red/index.php" into your URL you will go to the cheater.php page.

    HOWEVER... if you type "mysite.com/red/index.php?pass=RED" into the URL you will go to the red/index.php page...

    Is there something I can do to eliminate the ?pass=RED part of the posting in the URL? I don't care if it is needed, just don't want it to show up in the actual URL for Joe, to copy and put on his site.

    I am still foggy on the Post/Get thingy, would that help?


    <EDIT>
    I forgot to mention, I have the "check" on the /red/index.php, again with the next 4 passboxes ready to go, as follows:

    PHP Code:
    <?php
    if(!isset($_GET['pass']) || $_GET['pass'] !== "RED")
      header('Location: http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/cheater.php');
    if(isset($_POST['id'])) {
      $p = array(
        array('RED', '/red/index.php'),
        array('BLUE', '/blue/index.php'),
        array('YELLOW', '/yellow/index.php'),
        array('GREEN', '/green/index.php')
      );
      if(!isset($p[$_POST['id']])) header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . "/index.php");
      if($_POST['pass'] === $p[$_POST['id']][0])
        header('Location: http://' . $_SERVER['HTTP_HOST'] . $p[$_POST['id']][1] . '?pass=' . $_POST['pass']);
      else
        header("Location: " . 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/')) . '/cheater.php');
    } else {
    ?>
    Last edited by BLiZZaRD; 09-22-2006 at 10:10 AM.
    {CWoT - Riddle } {Freelance Copywriter} {Learn to Write}
    Follow Me on Twitter: @InkingHubris
    PHP Code:
    $result = mysql_query("SELECT finger FROM hand WHERE id=3");
    echo $result;

  2. #2

    $_GET['pass'] should be $_POST['pass']

  3. #3

    No, that doesn't work either... If I do that it gets redirected to the cheater.php sure, but it ALSO goes there if you put the answer in the passbox.. YIKES!!

  4. #4

    Then in the form, you must be using GET. Set method="post" on all the forms involved.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  5. #5

    Nope, all are method="post"

    The only place GET shows up in any of them is here:

    PHP Code:
    if(!isset($_GET['pass']) || $_GET['pass'] !== "RED")
    and this is ON index.php (the page you go to with a correct answer).

  6. #6

    Then you must have an equivalent form posting to that page using GET, or that code wouldn't work. Convert it to POST.

  7. #7

    Yes, I will eventually have 4 pages linking to each other page in the same way. I will convert ALL to POST and see what happens. Thanks!

  8. #8

    AHA! Okay I figured it out but I don't know how to fix it.

    When I originally got this script working it was on the first page at http://mysite.com/page.php

    Then (using the RED answer as example) when RED was put in the correct box, you went to http://mysite.com/red/index.php

    However, when I started making the actual pages this wasn't the case. The whole thing will be in its own folder, so /red/ will be a sub-folder.

    Meaning the first page will be at http://mysite.com/folder/page.php and when RED is entered you will be taken to http://mysite.com/folder/red/index.php

    So the error is in the header directs somewhere in all that very confusing . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'] stuff!

    What do I need to add to the codes to allow for the folder and sub folder stuff?

    ---------------------------------------------------------------------------

    I have tried it with

    Code:
    $_SERVER['SCRIPT_FILENAME']
    as that is the closest thing I could understand from this page

    But it didn't work. What am I doing wrong???
    Last edited by BLiZZaRD; 09-27-2006 at 10:21 PM.

  9. #9

    Can you put these pages up to test?
    Too tired to figure it out right now.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  10. #10

    Sorry, lost all my new post icons.

    What do you mean put them up to test? I have an example page on one of my dead sites.. you can find the page HERE but I don't see how that will help with the problem, it's all php coding, so you won't get much from there.

    As you can see you can use the main page (with the multi colored image) to go to any of the four. You can also go to any of the four if you put "/red/index.php?pass=RED" (sub red and RED for any of the four colors) this is what I want to avoid...

    I am thinking of other ways to do this as well though...
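
The two problems raised in this thread (a `?pass=RED` URL that anyone can copy, and redirects that break once the pages move into a sub-folder) can both be handled by keeping progress in the server-side session and building redirects from a fixed base path. This is an added example, not code from any post; the file name `gate.php`, the `BASE` constant, the `solved` session key and the function names are assumptions, while the answers and page paths are the ones used in the thread.

```php
<?php
// gate.php: added example, not the thread's code. BASE, the 'solved' session
// key and the function names are assumptions; answers and paths follow the thread.
session_start();

const BASE  = '/folder';           // URL path of the riddle folder (assumed)
const STEPS = [                    // form "id" => [answer, page it unlocks]
    ['RED',    '/red/index.php'],
    ['BLUE',   '/blue/index.php'],
    ['YELLOW', '/yellow/index.php'],
    ['GREEN',  '/green/index.php'],
];

// Decide where a posted answer leads and record a correct one server-side.
function handle_answer(array $post): string {
    $id   = $post['id']   ?? null;
    $pass = $post['pass'] ?? null;
    if (!is_string($id) || !is_string($pass) || !array_key_exists($id, STEPS)) {
        return BASE . '/index.php';            // unknown or malformed box id
    }
    [$answer, $page] = STEPS[$id];
    if (!hash_equals($answer, $pass)) {
        return BASE . '/cheater.php';          // wrong answer
    }
    $_SESSION['solved'][$answer] = true;       // progress lives in the session
    return BASE . $page;                       // nothing secret in the URL
}

// Send the visitor away unless this session has already solved $answer.
function require_step(string $answer): void {
    if (empty($_SESSION['solved'][$answer])) {
        redirect(BASE . '/cheater.php');
    }
}

// Path-only Location built from a fixed base, not from HTTP_HOST/REQUEST_URI.
function redirect(string $path): void {
    header('Location: ' . $path, true, 303);
    exit;
}

// Entry page (page.php):     require __DIR__ . '/gate.php'; handle_post();
// Step page (red/index.php): require __DIR__ . '/../gate.php';
//                            require_step('RED'); handle_post();
function handle_post(): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        redirect(handle_answer($_POST));
    }
}
```

Because each step page calls `require_step()` before `handle_post()`, a copied link such as `/folder/red/index.php` only works in a browser session that has already submitted the RED answer.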
