
How would I do this in PHP?

  • 15-08-2006 11:11am
    #1
    Closed Accounts Posts: 279 ✭✭


    Hi,

    I hope someone can help me with this.

    1. User goes to index.php and types "hello" into a search field.
    2. search.php is called. Normally some search results would be displayed, but because the user typed "hello" I want to redirect him to secret.php.

    1 + 2 I have working fine. I am using an "if search word is hello, header redirect".

    What I want is -

    How do I stop the user from typing mydomain.com/secret.php to see the secret page? I want him to have to go to index.php and search for "hello". Because I am using a header redirect, I don't know how to pass the "he searched for hello" variable to secret.php.

    Do you know what I mean???

    Thanks!


Comments

  • Registered Users Posts: 1,023 ✭✭✭[CrimsonGhost]


    HTTP_REFERRER is your friend.
    Early on in your secret.php do
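    <?php
    // The key in $_SERVER is spelled HTTP_REFERER, and it holds a full URL,
    // so compare only the file name at the end of its path.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if(basename((string) parse_url($referer, PHP_URL_PATH)) != "search.php")
    {
    header("Location: yousuck.php");
    exit;
    }
    ?>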

    You might want to check the spelling of HTTP_REFERRER, there is something funny about how it is spelled.

    I think that should work.

    Caveat: HTTP_REFERRER is fakable. But that is probably more work than most are going to be bothered with.


  • Closed Accounts Posts: 22,479 ✭✭✭✭philologos


    yep I know what you mean..

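    $_SERVER['HTTP_REFERER'];
    shows the last page the user came from

    you could do this
    <?php
    // The header is optional, so fall back to an empty string when it is missing
    $lastpage = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $url = "http://blalalalalala.com/secret.php";
    if ($lastpage == $url) { // == compares; a single = would assign and always be true
        // redirect here
    }
    else {
        // no redirect here
    }
    ?>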

    hope that helps

    Edit: damn someone got it before me hah


  • Closed Accounts Posts: 279 ✭✭Aoife-FM104


    Hi,

    Thanks for your replies!

    Would this mean if the user went to www.mydomain.com/search.php and then typed www.mydomain.com/secret.php he could skip having to search for "hello" ?

    Is there a way to pass "secret" information in the headers???


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    You could do your redirect using something like

    www.mydomain.com/secret.php?secretmessage=usertypedinhello

    although this will show in the URL box in the user's browser so they will then be able to duplicate that themselves and skip search.php. A better option may be to use session variables. I don't know any PHP but in pseudo...
    in your search.php
    if Search_term = "hello"
       set sessionvariable_let_user_in = true
       redirect to secret.php
    else
       do normal search
    

    in your secret.php
    if sessionvariable_let_user_in = true
       set sessionvariable_let_user_in = false
       (so they only get back in through search.php)
    else
       redirect to search.php
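
A runnable PHP version of the session-variable idea in the post above, added here as an example and not written by anyone in the thread. The function names, the `let_user_in` key, the `search_term` field name and the single-file dispatch on the script name are assumptions for illustration; on a real site the two branches would sit in search.php and secret.php.

```php
<?php
// Added example: one-time session flag instead of a Referer check.
// Assumed names: handle_search(), may_view_secret(), 'let_user_in'.
session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);

const SECRET_TERM = 'hello'; // the search word from the original question

// search.php side: returns the redirect target, or '' for a normal search.
function handle_search(string $term): string
{
    if (strtolower(trim($term)) === SECRET_TERM) {
        session_regenerate_id(true);       // new session ID once state changes
        $_SESSION['let_user_in'] = true;   // kept server-side, never in the URL
        return 'secret.php';
    }
    unset($_SESSION['let_user_in']);
    return '';
}

// secret.php side: true only for the request that follows a matching search.
function may_view_secret(): bool
{
    $ok = isset($_SESSION['let_user_in']) && $_SESSION['let_user_in'] === true;
    unset($_SESSION['let_user_in']);       // single use: a reload is sent back
    return $ok;
}

// Dispatch on the script name so this one file can stand in for both pages.
$page = basename($_SERVER['SCRIPT_NAME'] ?? '');
if ($page === 'search.php') {
    $term = $_POST['search_term'] ?? '';
    $target = handle_search(is_string($term) ? $term : '');
    if ($target !== '') {
        header('Location: ' . $target);
        exit;                              // nothing after the redirect runs
    }
    echo 'normal search results';
} elseif ($page === 'secret.php') {
    if (!may_view_secret()) {
        header('Location: index.php');
        exit;                              // the secret content is never sent
    }
    echo 'secret page';
}
```

Anyone who knows the search word still gets in, so this controls the route to the page rather than who may see it.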
    


  • Closed Accounts Posts: 10 viccirc


    Hi,

    If it's of any use to you now:

    index.php file :
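    <?php
    	session_start(); // must run before $_SESSION is used
    	// Unpredictable per-form token, checked again in search.php
    	$token = bin2hex(random_bytes(16));
    	$_SESSION['token'] = $token;
    	$_SESSION['logged'] = "";
    ?>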
                <form name="form" method="post" action="search.php">
                <input type="hidden" name="token" value="<?php echo $token; ?>" ><br>
    			<input type="text" name="search_term" value="">
    			<input type="submit" name="submit" value="SUBMIT" class="ac">
                 </form>
    

    search.php file
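    <?php
    session_start(); // must come before any read of $_SESSION
    // The Referer header is optional, so default it to an empty string
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if (($referer == "http://".$_SERVER['HTTP_HOST']."/index.php") && isset($_SESSION['token'], $_POST['token'], $_POST['search_term']) && ($_POST['token'] === $_SESSION['token']) && ($_POST['search_term'] == "hello")) {
    	// Looks Okay
    	$_SESSION['logged'] = "true";
    	header ( 'Location: secret.php');
    	exit; // stop here so nothing else runs after the redirect
    }
    else {
     	//Display normal search results
    }
    ?>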
    

    secret.php file :
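    <?php
    session_start();
    // Default both values so a missing header or session key does not raise a notice
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $logged = isset($_SESSION['logged']) ? $_SESSION['logged'] : '';
    if (($referer != "http://".$_SERVER['HTTP_HOST']."/index.php") || ($logged != "true")) {
    	// Send them back to the first page
    	header ( 'Location: index.php');
    	exit; // without this the hidden page below is still sent to the browser
    }
    	// Hidden Page
    ?>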
    


    Strangely, the referer is index.php in the file secret.php

    Not all user agents will set the referer either so you could take those out if you wish...


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    That's easy.
    You have the search form you submit to search.php.

    On search.php you look to see what the query was:
    [PHP]
    // 'search_term' is a placeholder; use the name of your own search input
    $search_q = isset($_POST['search_term']) ? trim($_POST['search_term']) : '';
    if (($search_q == "") || ($search_q == NULL)){
    //we don't have a search so go back to home page
    header("Location: index.php");
    exit();
    }elseif (strtolower($search_q) == 'hello'){
    header("Location: secret_page.php");
    exit();
    //you can pass a string here as well if you want
    //header("Location: secret_page.php?ok=yes");
    }
    [/PHP]

    On the secret page use this:
    [PHP]
    // the header may be absent, so default to an empty string
    $refferer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if(!strstr($refferer, 'search.php')){
    //we look for search.php just in case the domain doesn't have the www.
    header("Location: index.php");
    exit();
    }
    [/PHP]


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    None of this is in any way secure, you realise?


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    rsynnott wrote:
    None of this is in any way secure, you realise?

    Don't you think we are only giving one of many solutions to his problem?

    Why don't you write a proper one, instead of criticising.


  • Registered Users Posts: 9,579 ✭✭✭Webmonkey


    What if you put secret.php in a non-public part of the site and do a PHP include then to that directory to load the page in. Just an idea but a secure one*

    *I think


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    louie wrote:
    Why don't you write a proper one, instead of criticising.
    Because it’s not actually his or anyone else’s job here to actually do other people’s (home)work, only to make suggestions that will help them not only get the work done but actually understand what is being done.

    TBH, using the referrer is a bad idea for a few reasons. Firstly, it doesn’t actually secure anything. Even if no one bothers to fake it (which is very easy to do) the most it does is stop people from going to secret.php from the search page. Additionally, if the referrer is all you’re using for user validation then you’ll get to secret.php, but essentially not be able to do anything else without returning to the search page first.

    What’s particularly insecure is the ‘password’ - it’s so wrong I’m not even going to explain that further. And stevenmu, you should be ashamed of suggesting passing validation as a GET param.

    Here's a tutorial on user logins in PHP. It includes database code that could be edited out if she chooses to hardcode her password. However, I would recommend the use of a separate login form - and not limit it to a password alone, but also include username validation.

    Anyhow, HTH.


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    If it's about security, a login page will be the best option, with username and password stored in the database (encrypted of course).
    What I think he's trying to do is let certain people access that page using a particular keyword in the search field, so the page is not really that important, he just doesn't want ordinary Joe viewing it.
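
The separate login form with username and password recommended in the two posts above, as an added example that is not from the thread or from the tutorial it mentions. The sample account, the `users()` stand-in for a database lookup, the form field names and the function names are assumptions; the password is kept as a one-way `password_hash()` value.

```php
<?php
// Added example: username + password login with a hashed password.
session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);

// Constructed sample account standing in for a database row. A real site
// stores the output of password_hash() once, at registration.
function users(): array
{
    static $rows = null;
    if ($rows === null) {
        $rows = ['demo' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
    }
    return $rows;
}

// True only when the username exists and the password matches its hash.
function check_login(string $user, string $pass): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('no-such-user', PASSWORD_DEFAULT);
    }
    $known = array_key_exists($user, users());
    // Unknown users are checked against a dummy hash so both paths cost the same.
    $hash = $known ? users()[$user] : $dummy;
    return password_verify($pass, $hash) && $known;
}

// Call at the top of secret.php: anyone without a login is sent away.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

// login.php side: handle the submitted form.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login($user, $pass)) {
        session_regenerate_id(true);   // fresh session ID at login
        $_SESSION['user'] = $user;
        header('Location: secret.php');
        exit;
    }
    echo 'Invalid username or password'; // same message for both failures
}
```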


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    louie wrote:
    What I think he's trying to do is let certain people access that page using a particular keyword in the search field, so the page is not really that important, he just doesn't want ordinary Joe viewing it.
    Maybe she is, but I've seen people try to write login scripts around existing search forms before.


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    That will be a bad idea alright.

