
Thread: PHP Redirect doesn't work - UPDATE: Safety of @extract($_POST);

  1. #1
    Join Date
    Jul 2006
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    PHP Redirect doesn't work - UPDATE: Safety of @extract($_POST);

    EDIT: Scroll down for a follow up problem related to the safety of @extract($_POST);

    Hi all,

    I set up a php redirect resulting from two dropdown select menus. Here is the code:

    Code:
    <?php
        // Import each submitted form field as a variable of the same name
        @extract($_POST);
        $quickarchive_date = stripslashes($quickarchive_date);
        $quickarchive_categories = stripslashes($quickarchive_categories);
        // "C" and "#" are the placeholder values of the two dropdowns
        if ( $quickarchive_categories == "C" && $quickarchive_date == "#" ) {
            $url = "http://www.mysite.com/weblog/archive_2/";
        } elseif ( $quickarchive_categories != "C" && $quickarchive_date == "#" ) {
            $url = "http://www.mysite.com/weblog/archive_2/".$quickarchive_categories."/";
        } else {
            $url = "http://www.mysite.com/weblog/archive_2/".$quickarchive_categories."/".$quickarchive_date;
        }
        header("HTTP/1.1 301 Moved Permanently");
        header("Location: $url");
    ?>
    This doesn't work. What do I have to change in order to make it work and keep the same functionality?
    Thanks, dl33
    Last edited by dl33; 09-22-2007 at 10:35 PM.

  2. #2
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    @extract($_POST);
    Ugh! You might as well just have register_globals on!

    What do you mean by "doesn't work?"
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  3. #3
    Join Date
    Oct 2005
    Posts
    255
    Thanks
    1
    Thanked 0 Times in 0 Posts


    I think you could do that in html and it would be a little easier in html.
    Hey new design new look, goto xudas for personal webdsign help.. (:

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Huh? No...


    Well, the code must be sent (using http headers) before any content on the page. Do you have any html output before that?

    Can you link us to the page?
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  5. #5
    Join Date
    Jul 2006
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts


    The code above is the only code in the document. I know that it works as far as outputting $url, since I tried echoing it before I put the redirect statement in.
    However, as soon as I try redirecting using header(), it doesn't work, as in doesn't redirect me: The browser gives me a blank page (which makes sense, since the php code doesn't echo anything). Safari gives me the following response:
    Safari can’t open the page “http://URL/_archive_php_rewrite”. The error was: “bad server response” (NSURLErrorDomain:-1011) Please choose Report Bugs to Apple from the Safari menu, note the error number, and describe what you did before you saw this message.
    Sorry, but I am a complete PHP noob, so please take it easy with me...

    Judging from the comment about register globals, I assume that this script is not that safe: Is there a better way of doing what I want to do? Thanks...

    Oh and about doing this in html, I am not aware of it, please help me out. I know that one can redirect users in javascript, but I would like to stay javascript independent.

    This code is being created for a weblog archive. Users can use two drop-down lists to browse it: Unfortunately, the /?etc=bla syntax that classical forms use doesn't work with my publishing platform, so I have to rewrite it.
    Last edited by dl33; 09-22-2007 at 09:32 PM. Reason: Forgot something

  6. #6
    Join Date
    Sep 2006
    Location
    St. George, UT
    Posts
    2,769
    Thanks
    3
    Thanked 157 Times in 155 Posts


    Your best bet would be to do the following:

    Code:
    <?php
    // Read the two expected form fields directly from $_POST
    $quickarchive_date = stripslashes($_POST['quickarchive_date']);
    $quickarchive_categories = stripslashes($_POST['quickarchive_categories']);
    // Build the archive URL from the unslashed values
    if ($quickarchive_categories == "C" && $quickarchive_date == "#") {
        $url = "http://www.squawkdesign.com/weblog/archive_2/";
    } elseif ($quickarchive_categories != "C" && $quickarchive_date == "#") {
        $url = "http://www.squawkdesign.com/weblog/archive_2/".$quickarchive_categories."/";
    } else {
        $url = "http://www.squawkdesign.com/weblog/archive_2/".$quickarchive_categories."/".$quickarchive_date;
    }
    header("Location: $url");
    ?>
    Not tested, but should work.
    Hope this helps
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  7. #7
    Join Date
    Jul 2006
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts


    Actually, I just found the answer myself: Since I am working with ExpressionEngine I HAVE to add exit; at the end of my code. Don't know why, but my code works now.

    However, I still have one more question regarding the safety of @extract($_POST);
    Anyone?
    Last edited by dl33; 09-22-2007 at 10:34 PM.

  8. #8
    Join Date
    Sep 2006
    Location
    St. George, UT
    Posts
    2,769
    Thanks
    3
    Thanked 157 Times in 155 Posts


    Quote: Originally posted by dl33
    I still have one more question regarding the safety of @extract($_POST);
    And your question is?
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  9. #9
    Join Date
    Jul 2006
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts


    How safe is it? And if it isn't safe, how can I make it safer?

  10. #10
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    register_globals is on for many servers.

    The issue is fairly simple. POST, GET and COOKIE variables will then be real variables. In this case, just POST.
    i.e., $_POST['whatever'] will set $whatever to the same value.

    The safety concern is that anyone could inject any variable they want with a custom form to the page.

    Using that means any variable can be set to something when the script starts. So if you check if a variable is set, and it is then through that, it will keep that value.

    For example, it could be a problem if you had:
    <?php
    if (isset($delete)) {
        unlink($delete);
    }
    ?>

    And they could delete any file on your server.

    But that is an extreme case. Only an issue if you have a vulnerability like that in the script.

    I'd recommend just using $_POST['name'], rather than $name.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
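
Added example, not part of any post in this thread: the redirect script from post #1 written once with extract() and once reading only the two expected $_POST keys, run on the same constructed submission. The function names, the extra `base` field, the `other.example` host and the slug and year/month formats are assumptions made for the illustration.

```php
<?php
// Constructed form submission. "base" is a field the real form never
// defines; it stands for any extra key a custom form can add.
$constructed_post = [
    'quickarchive_categories' => 'news',
    'quickarchive_date'       => '2007/09',
    'base'                    => 'http://other.example/',
];

// Before: extract() makes every submitted key a local variable. With the
// default EXTR_OVERWRITE flag, "base" replaces the script's own $base.
// EXTR_SKIP would protect $base, but any variable the script has not
// assigned yet could still be created by the request.
function url_with_extract(array $post): string
{
    $base = 'http://www.mysite.com/weblog/archive_2/';
    extract($post);
    return $base . $quickarchive_categories . '/' . $quickarchive_date;
}

// After: read only the two expected keys and validate each value.
// The slug and year/month formats are assumptions for this example.
function url_with_allowlist(array $post): string
{
    $base = 'http://www.mysite.com/weblog/archive_2/';
    $cat  = $post['quickarchive_categories'] ?? 'C';
    $date = $post['quickarchive_date'] ?? '#';
    if (!is_string($cat) || !is_string($date)) {
        return $base;                      // arrays from field[]=... inputs
    }
    if ($cat !== 'C' && !preg_match('/^[a-z0-9_-]{1,40}\z/i', $cat)) {
        return $base;
    }
    if ($date !== '#' && !preg_match('#^\d{4}/\d{2}\z#', $date)) {
        return $base;
    }
    if ($date === '#') {
        return $cat === 'C' ? $base : $base . $cat . '/';
    }
    return $base . $cat . '/' . $date;
}

echo url_with_extract($constructed_post), "\n";    // $base was replaced
echo url_with_allowlist($constructed_post), "\n";  // $base is untouched
```

In a real redirect script, follow the header("Location: ...") call with exit; so nothing else runs after the redirect is sent.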
