Javascript used for PHP page direction

Peter B

When calling new pages with PHP I tend to use Javascript.

Examples like

if ($secure_password==mysql_result($result,0,"password"))
{
		  ?>
			<script language="JavaScript">
			location.href = "index.php";
			</script>
		<?
}else{
	?>
		<script language="JavaScript">
		  alert("Wrong Password");
		  history.go(-1);
		</script>
	<?
}

That is fine if I am sure a user of my site has Javascript enabled. What happens if they don't? Is there any other way to get PHP files to proceed to other pages?

What other alternatives do I have?

Thanks in advance

Peter

aidan_walsh

Google "http redirects".

Peter B

Thanks for that aidan.

Have been trying to replace all my location.href = "whatever.php"; to redirect("whatever.php"); by including method below.

function redirect($url) {
	
	session_write_close();
   header('Location: '.$url);
   echo '<a href="'.$url.'">Click here to redirect to '.$url.'</a>';
   exit;
}

I can't find anything to replece the javascript history.go(-1); method.

Also I have a form I need to post my current location to the next page which will use the value as a redirect. However I don't know how to get php to enter my current location in the form.

In the past I was using
<form name="form1" onsubmit="return checks1(this)" action="../login.php">
which called the following javascript.

<script ="javascript">
function checks1()
{
	if (document.form1.id.value == "not")
	{
		alert("Nothing chosen");
		return false;
	}
	document.form1.url.value=location.href;
	return true;
}
</script>

I can see how I can verify document.form1.id.value on my next page but I cannot send the current location as a form value (document.form1.url.value=location.href;)

frost

Peter B wrote:

Have been trying to replace all my location.href = "whatever.php"; to redirect("whatever.php");

Peter, I'm writing a site at the moment and was using location.href reassignment myself. Any there problems with doing a redirect this way that made you decide to change?

Peter B wrote:

Also I have a form I need to post my current location to the next page which will use the value as a redirect. However I don't know how to get php to enter my current location in the form.

You could use the REFERER, or
this will work: <input type="hidden" name="previousPage" value="<?=$_SERVER?>" >

However, I wouldn't recommend it because it is an open invitation for the user to insert something much more interesting into that variable to get access to your server's password files or something.

How about storing a generated GUID in a PHP session; the GUID would be the key to a database table where the url (or whatever else you want to recall) is stored. The user could hack the GUID if he wanted to, but the chances that he could guess a valid one before the data was obsolete would be pretty slim.

Peter B

I've gone for the redirect() method because I have been searching on Google and realise a small proportion of people turn off javascript on their browsers due to security loop holes and just not liking popups.

Maybe it is not worth all the hastle and just sticking with javascript.

Have used
<input type="hidden" name="previousPage" value="<? echo $_SERVER?>" >

Even if someone changes the hidden redirect value their $_SESSION is checked at the start of each new page loading so if they redirect somewhere they shouldn't they will be kicked out!

frost

If you want to cover all bases, you could do something like this:

function redirectToPage( $url ) {
  if ( !headers_sent() ) {  
      header("Location: {$url}");
      exit();
  } else {  
    // Can't send headers any more, so try using HTML & Javascript redirects instead
    ?>
    <HEAD>
    <META HTTP-EQUIV="Refresh" CONTENT="0; URL="<?=$url?>">
    <script language="JavaScript"><!--
      setTimeout('Redirect()',0);
      function Redirect()
      {
       location.href = '<?=$url?>';
      }
    --></script>
    </HEAD>
<?php
  exit();     
  }  
}

rogue-entity

Let me get this straight. You want to do user authentication. A user enters a username/password and if it is correct they get redirected to a new page with javascript, if not, an alert tells them the password is wrong and directs them back.

First, I would say, avoid javascript. As you said, some users turn it off, but also history.go(-1) does not work in anything other then Internet Explorer (and browsers based on it) which is just bad form really. (I could be wrong though, but Javascript tends to be platform specific in some areas).

Try this:

<?php
if ($secure_password==mysql_result($result,0,"password"))
{
     session_start(); // Needed by all protected pages
     $authorised = 1;
     session_register('authorised'); // Now as long as this == 1. It is assumed that the password was correct.
     // Send user to new page.
     header('Location: Http://yourdomain/yourprotectedpage.php');
}
else // Session is not created, so protected pages will not be accessable.
{
?>
HTML "Wrong Password" page code goes here
<?php
}

Now you just need to add a simple SESSION check to all pages protected, and they just need to check if the SESSION variable "authorised" is == 1.

<?php
     session_start();
     if (!authorised) {
          // User did not authenticate, send back to login page.
         header('Location: Http://yourdomain/login.htm');
     else{
     ?>
HTML FOR PAGE GOES HERE
<?php } ?>

This just a simple example.