Re: [PHP] reloading a page..
On March 23, 1998 08:53 pm, Beauford.2002 wrote: > It's definitely going through the if statement as it does "reload" > the page - print($_SERVER['HTTP_REFERER']); shows > http://www.myserver.com/oldpage.html - which is correct. > print("{$userlevel} and {$neededlevel}"); also shows the correct > info. $no_permission does have a string, but even if I hard code > the message it still doesn't work. > > Note thoughif I take out include ($_SERVER['HTTP_REFERER']); > from the if statement and put in print($_SERVER['HTTP_REFERER']); > and print $message - they both display. > > So I am at a loss OH I think I've got it. the problem is that you're including the page before you set the message. So of course in the include the $message will still be an empty string and therefor not display it. so rearange the two lines like this: $message = $no_permission; include ($_SERVER['HTTP_REFERER']); and it should work. HTH, Leo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reloading a page..
It's definitely going through the if statement as it does "reload" the page - print($_SERVER['HTTP_REFERER']); shows http://www.myserver.com/oldpage.html - which is correct. print("{$userlevel} and {$neededlevel}"); also shows the correct info. $no_permission does have a string, but even if I hard code the message it still doesn't work. Note thoughif I take out include ($_SERVER['HTTP_REFERER']); from the if statement and put in print($_SERVER['HTTP_REFERER']); and print $message - they both display. So I am at a loss > No you shouldn't rely on it to do anything important but in your case > its just where the user will be redirected to. Even if someone fakes > the referrer to point to the restricted page it will just go into an > infinite loop. > > > if($userlevel != $neededlevel) { > > include ($_SERVER['HTTP_REFERER']); > > $message = $no_permission; > > $exit; > > } > > > > ...on referring page > > > > > > Code seems fine. You probably are never entering into that if > statement or the referrer is outputting something unexpected. > Use some print statements to debug this.. > > print("{$userlevel} and {$neededlevel}"); > print($_SERVER['HTTP_REFERER']); > > Of course make sure $no_permission actually contains a string... > > Leo > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reloading a page..
On March 23, 2003 02:34 pm, Beauford.2002 wrote: > The link in question is there by design and should be there, but > below is what I am talking about. > > > Even better, if a user cannot be validated then you can redirect > > them back > > to where they > > > came from (referrer). That would effectively achive your goal by > > refreshing the original page no matter where they;re coming from. > > This is what I have, but no matter what I do I can not get a > message to appear on the referring page saying you have no access > to the other page, and I have also read that 'HTTP_REFERER' is not > very reliable No you shouldn't rely on it to do anything important but in your case its just where the user will be redirected to. Even if someone fakes the referrer to point to the restricted page it will just go into an infinite loop. > if($userlevel != $neededlevel) { > include ($_SERVER['HTTP_REFERER']); > $message = $no_permission; > $exit; > } > > ...on referring page > > Code seems fine. You probably are never entering into that if statement or the referrer is outputting something unexpected. Use some print statements to debug this.. print("{$userlevel} and {$neededlevel}"); print($_SERVER['HTTP_REFERER']); Of course make sure $no_permission actually contains a string... Leo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reloading a page..
The link in question is there by design and should be there, but below is what I am talking about. > Even better, if a user cannot be validated then you can redirect them back to where they > came from (referrer). That would effectively achive your goal by > refreshing the original page no matter where they;re coming from. This is what I have, but no matter what I do I can not get a message to appear on the referring page saying you have no access to the other page, and I have also read that 'HTTP_REFERER' is not very reliable if($userlevel != $neededlevel) { include ($_SERVER['HTTP_REFERER']); $message = $no_permission; $exit; } ...on referring page - Original Message - From: "Leo Spalteholz" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, March 23, 2003 2:06 PM Subject: Re: [PHP] reloading a page.. > On March 23, 2003 10:22 am, Beauford.2002 wrote: > > One other problem is that I need to know the page the came from in > > order to reload it. i.e. if they try to access a restricted page > > from six.html I want to reload six.html - if they try from > > eight.html then eight.html needs to be reloaded. > > Firstly, as David mentioned, if the user is not allowed to access the > page then the link shouldn't be there in the first place. If there > is no link then there is no need to refresh the page or generate an > error or anything. If you really want to you can have the link but > instead of an href to the page you would replace it with a Javascript > alert saying "access denied". > But thats beside the point because if they enter the restricted page > into the address bar directly it also has to deny them access. You > should write a script that checks the users credentials and then > include it at the top of EVERY page. If the user can no be validated > then an access denied message is displayed. Even better, if a user > cannot be validated then you can redirect them back to where they > came from (referrer). That would effectively achive your goal by > refreshing the original page no matter where they;re coming from. > > Leo > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reloading a page..
On March 23, 2003 10:22 am, Beauford.2002 wrote: > One other problem is that I need to know the page the came from in > order to reload it. i.e. if they try to access a restricted page > from six.html I want to reload six.html - if they try from > eight.html then eight.html needs to be reloaded. Firstly, as David mentioned, if the user is not allowed to access the page then the link shouldn't be there in the first place. If there is no link then there is no need to refresh the page or generate an error or anything. If you really want to you can have the link but instead of an href to the page you would replace it with a Javascript alert saying "access denied". But thats beside the point because if they enter the restricted page into the address bar directly it also has to deny them access. You should write a script that checks the users credentials and then include it at the top of EVERY page. If the user can no be validated then an access denied message is displayed. Even better, if a user cannot be validated then you can redirect them back to where they came from (referrer). That would effectively achive your goal by refreshing the original page no matter where they;re coming from. Leo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reloading a page..
One other problem is that I need to know the page the came from in order to reload it. i.e. if they try to access a restricted page from six.html I want to reload six.html - if they try from eight.html then eight.html needs to be reloaded. - Original Message - From: "David Otton" <[EMAIL PROTECTED]> To: "Beauford.2002" <[EMAIL PROTECTED]> Cc: "PHP General" <[EMAIL PROTECTED]> Sent: Sunday, March 23, 2003 12:37 PM Subject: Re: [PHP] reloading a page.. > On Sun, 23 Mar 2003 12:15:25 -0500, you wrote: > > >Not sure why things like this are so difficult. I have an authentication > >script which allows users access to certain pages based on their user level. > >If they click on a link to go to a page their not allowed to, I want to be > > First, why are the pages they can't access displayed as active links? > > >able to just reload the page their on and display a message saying they are > >not authorized to view that page - do you think I can get the page to > > You don't need to reload the page. At the top of each page, put your > check routine. > > if (access_granted == FALSE) { > show_access_denied_message; > exit; > } > > show_regular_page; > > >reload.I've tried the header thing (but can't because headers are > >already sent), > > Either rewrite your page so the security check comes before any output > is sent, or use the output buffering functions (ob_start(), etc) > > >I've tried playing around with $PHP_SELF with no luck, I've > > That's passed to the script from its environment... changing it will > have no effect on the script's environment. > > >looked for javascripts with no luck. Anyone have any ideas? > > You can't rely on Javascript for security. > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] reloading a page..
On Sun, 23 Mar 2003 12:15:25 -0500, you wrote: >Not sure why things like this are so difficult. I have an authentication >script which allows users access to certain pages based on their user level. >If they click on a link to go to a page their not allowed to, I want to be First, why are the pages they can't access displayed as active links? >able to just reload the page their on and display a message saying they are >not authorized to view that page - do you think I can get the page to You don't need to reload the page. At the top of each page, put your check routine. if (access_granted == FALSE) { show_access_denied_message; exit; } show_regular_page; >reload.I've tried the header thing (but can't because headers are >already sent), Either rewrite your page so the security check comes before any output is sent, or use the output buffering functions (ob_start(), etc) >I've tried playing around with $PHP_SELF with no luck, I've That's passed to the script from its environment... changing it will have no effect on the script's environment. >looked for javascripts with no luck. Anyone have any ideas? You can't rely on Javascript for security. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] reloading a page..
Not sure why things like this are so difficult. I have an authentication script which allows users access to certain pages based on their user level. If they click on a link to go to a page their not allowed to, I want to be able to just reload the page their on and display a message saying they are not authorized to view that page - do you think I can get the page to reload.I've tried the header thing (but can't because headers are already sent), I've tried playing around with $PHP_SELF with no luck, I've looked for javascripts with no luck. Anyone have any ideas? TIA -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php