Redirect script.


DanUK
01-31-2005, 05:48 AM
Hi there.

I have a FAQ script which has many options with a value of say, /faq/foo.php?id=3, when the "go" button is clicked this goes to a file called redirect.php (the action of the form is redirect.php) which then loads that URL.

To do this in redirect.php I'm using:

if(isset($_POST["menu"])) { header("Location: " . $_POST["menu"]); }

This is working fine, however I don't know whether I've implemented enough security in this. Can you provide any feedback or improvements?

Many thanks!

scragar
01-31-2005, 06:19 AM
That appears to be quite useless unless you're counting the visits.

DanUK
01-31-2005, 06:31 AM
Huh?...

I'm using it this way, a form such as:


<form action="/redirect.php" method="post">
<p><select name="menu">
<option value="" selected="selected">Please select a question</option>
<option value="/faq/cservice.php?id=1">1. foo</option>
<option value="/faq/cservice.php?id=2">2. foo</option>
<option value="/faq/cservice.php?id=3">3. foo</option>
<option value="/faq/cservice.php?id=4">4. foo</option>
<option value="/faq/cservice.php?id=5">5. foo</option>
</select> <input type="submit" name="submit" value="Go" /></p>
</form>


which, when an option is selected and submitted to redirect.php, loads the URL of the value...?

Thanks.

BeachSide
01-31-2005, 06:39 AM
I don't understand the need for this either. Why don't you use links instead? Unless you're populating the drop-down menu dynamically, there is no need for PHP.

That said, I would probably validate that the form variable that is sent is the actual variable that you intend to be used, and if it isn't, give them an error. Because what you have now only checks to see that there is something being passed, not what is actually passed.

scragar
01-31-2005, 06:41 AM
OK. I don't think anyone could mess with your system like that anyway.

DanUK
01-31-2005, 06:49 AM
Thanks for your replies. :)

The reason we're using a select menu is because of the number of questions there actually are; in that paste I only showed 5, but there are many more, and it was the viable way to present the FAQs politely and tidily.

scragar
01-31-2005, 07:14 AM
With a FAQ, wouldn't it be easier to use anchors?
That way the user could read all the info on one page as opposed to several, having to click back time and time again.

BeachSide
01-31-2005, 07:14 AM
Originally posted by scragar
OK. I don't think anyone could mess with your system like that anyway.

Allow me to put too much in there and I can crash the entire script, maybe the site; depends though. This is why I say to validate the user input before executing the script.

NogDog
01-31-2005, 11:08 AM
You might want to put in a check that the referrer is your menu page. For further protection you could check that the value received is a valid option: you could simply have an array of valid links and use in_array() to validate, or keep them in a database and check it, etc. In fact, you could use the same include file to store these values and use it both to populate the select options and to validate them upon submission.

DanUK
02-01-2005, 06:05 PM
Hi there.
Thanks for your replies.

I've tried to look at some of the things mentioned, however I am no closer to securing this code.
Are there any examples you can give?

I have no issue with 'limits' - the FAQ's we have on that one is 31, so I guess we could use something like:

if ($id <= 31 && $id >= 1)

Any advice would be greatly appreciated. :)

RedAndy
02-01-2005, 07:08 PM
Hi,

I don't really understand the reason for the redirect page either, but if you really want to use it then you could do some basic validation of the input and allow yourself to add a few more pages without having to alter the redirect the whole time. Something like
if (eregi("^[0-9]{1,2}$",$id)) {
...
}

and then check if
file_exists()

Or is this actually a db driven site? It sounds like a fake dynamic site from here, I'm really intrigued as to the workings of your site now :)

I wouldn't bother checking the referring page as it can be unreliable, some people like to hide it and then they won't be able to use your site - even though they are within it you'll give them a message to go away or something. OTOH I really hate people hiding their referrers so maybe we should all stop them using our sites until they turn it back on :D

hth

Andy

edit: added an r to you and the referrer bit

DanUK
02-02-2005, 04:38 PM
Hey.
Thanks for your reply.

Okay to answer your qu and to put your mind at ease, here's what I'm using for my FAQ's. I don't use a proper DB for this, only .html files for the answers.


<?php
include('/home/me/header.php');
?>

<div>
<p>Please select your question:</p>

<form action="/redirect.php" method="post">
<p><select name="menu">
<option value="" selected="selected">Please select a question</option>
<option value="/faq/index.php?id=1">question</option>
<option value="/faq/index.php?id=2">question</option>
<option value="/faq/index.php?id=3">question</option>
<option value="/faq/index.php?id=4">question</option>
<option value="/faq/index.php?id=5">question</option>
</select> <input type="submit" name="submit" value="Go" /></p>
</form>
</div>

<?php

$id = (int)$_GET['id'];
if ($id <= 31 && $id >= 1) {

$info = "/home/me/faq/ans/$id.html";

if (file_exists($info)) {
readfile($info);
} else {
echo "<p class=\"error\">Sorry, that answer doesn't exist. Please try again.</p>\n";
}

}
?>

<?php
include('/home/me/footer.php');
?>


As there are a lot more questions than just 5, this is the reason for the select menu, as having them as text would make the whole thing look so messy. I know I could accomplish this with JavaScript as a simple redirect - but I wanted to use PHP as it's reliable.

Is this a bit clearer now? :)

RedAndy
02-02-2005, 10:54 PM
I'm not sure it's really any clearer to me, but you're obviously quite determined and I'm probably missing something so:

you're mixing your methods a bit there. You have a POST in the form and a GET in the 'receiver'. You could use this instead -
<option value="1">question</option>
<option value="2">question</option>
<option value="3">question</option>
<option value="4">question</option>
<option value="5">question</option>
this will then send on the value selected as 'menu'. Grab this on your redirect page with something like $wanted=(isset($_POST['menu']))?$_POST['menu']:"nada";

and then redirect based on the value of $wanted.

hth

Andy

- I agree on your decision to avoid JavaScript wherever possible :)
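
Putting NogDog's suggestion (one array that both populates the select and validates the submission) together with Andy's numeric option values, as an added example rather than anyone's code from the thread. The file name faq_links.php, the question labels and the 303 status are my assumptions, and the ?string return type needs PHP 7.1 or later:

```php
<?php
// Hypothetical faq_links.php: the single list of questions. redirect.php and the menu
// page both include it, so a value that cannot be found here is rejected, not redirected to.
function faq_links(): array
{
    return [
        1 => ['label' => 'How do I reset my password?', 'url' => '/faq/index.php?id=1'],
        2 => ['label' => 'Where is my order?',           'url' => '/faq/index.php?id=2'],
        3 => ['label' => 'How do I contact support?',   'url' => '/faq/index.php?id=3'],
    ];
}

// Menu page: the option value is the numeric key, never the URL, so the browser
// only ever sends an index into a list the server already controls.
function faq_select_html(array $links): string
{
    $html = '<select name="menu"><option value="" selected="selected">Please select a question</option>';
    foreach ($links as $id => $link) {
        $html .= sprintf('<option value="%d">%s</option>',
                         $id, htmlspecialchars($link['label'], ENT_QUOTES, 'UTF-8'));
    }
    return $html . '</select>';
}

// redirect.php: map the posted value back to a URL, or null if it is not on the list.
// Only a run of digits that is a key of $links gets through; "", "3abc", "99" and any
// absolute URL all return null, which is the check header("Location: ".$_POST["menu"]) lacked.
function faq_redirect_target(array $links, $posted): ?string
{
    if (!is_string($posted) || !ctype_digit($posted)) {
        return null;
    }
    $id = (int) $posted;
    return $links[$id]['url'] ?? null;
}

$links  = faq_links();
$target = faq_redirect_target($links, $_POST['menu'] ?? null);
if ($target === null) {
    http_response_code(400);
    echo '<p class="error">Sorry, that question is not on the list. Please try again.</p>';
    exit;
}
header('Location: ' . $target, true, 303); // 303 turns the POST into a GET of the FAQ page
exit;                                      // nothing after a redirect header should keep running
```

Because the select is rendered from the same array, adding a question means adding one entry; redirect.php never needs to change.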

BeachSide
02-03-2005, 01:33 AM
<form action="/redirect.php" method="post">
$id = (int)$_GET['id'];

That is probably a major source of your trouble there. You should have put that up there to begin with lol :D

DanUK
02-03-2005, 03:29 PM
BeachSide could you explain that a little please? I'm not quite sure how you mean / what it means.

Many thanks.

BeachSide
02-04-2005, 09:50 AM
No problem, when a user submits a form they usually either do it via the POST or GET method. The GET method adds to the end (appends) of the URL to pass the information from the form. I'm sure you have seen it before, it is the stuff after a ? like this http://somewhere.com?s=&action=newreply&threadid=55236 you have to use $_GET to parse that information. Or there is POST, which passes the information by magic :D j/k it passes the info with the request for the page and stores it in the $_POST array. You cannot mix and match the two... sort of... you could do something like

if (!empty($_POST)) {        // $_POST and $_GET always exist, so test for contents rather than isset()
    // Something happens
} elseif (!empty($_GET)) {
    // Do something as well
} else {
    // do something if the first two are false
}

Although I wouldn't recommend doing this.

Hope that helped!