header question

Posted: Wed Aug 17, 2005 4:18 pm
by nincha
When PHP uses the header function to redirect a user, is it possible for the user to know the PHP page that holds the header function? For instance, Page A does some MySQL stuff then sends the user to another page using the header function; is it possible for the user to know the PHP file that does the MySQL stuff?

Posted: Wed Aug 17, 2005 4:35 pm
by Roja
Yes.

If they watch the HTTP requests, for example with a browser that lets them (Firefox has one, and there are proxies that do as well), then they can see each HTTP request, including the initial page, and the redirect to the second page.

Whether that is "hidden enough" is an entirely different question. Honestly, if you aren't watching for it, a header redirect on any broadband is pretty hard to detect. Dialup, possibly...

Posted: Wed Aug 17, 2005 4:35 pm
by nielsene
Yes. If the page takes a while to process, they'll see the original URL in the location bar; if they hit stop, similarly.

If they input "bad" data that causes an error that gets displayed (error_reporting on, on a production server...) then the redirect will fail, etc. Also, if they view source on the form, they'll see where you are submitting to.

(wow not fast enough :)

Posted: Wed Aug 17, 2005 5:51 pm
by timvw
As mentioned already, use something like HTTP Liveheaders and you'll see them ;)

(An exercise: Place your network card in promiscuous mode, run tcpdump (or libpcap + windump) and filter all traffic to the host you are monitoring on... Or filter on port 21/25/110/80 and grep for things like USER and PASS)

Posted: Wed Aug 17, 2005 6:01 pm
by nincha
Well, is there a tip/trick to have the same redirect function but hide the HTTP request?

Posted: Wed Aug 17, 2005 6:06 pm
by feyd
It wouldn't be a redirect anymore...

Why not call this script (rebuilt as a function or library of functions/classes, whatever) from the location it's redirecting to (assuming it's not off-site)?
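
Added example, not part of any post in this thread: a local Python stand-in for the two designs discussed above, showing what the client sees on the wire when page A redirects (as Roja describes) versus when the work is called from the destination page (as feyd suggests). The paths `/page_a.php`, `/page_b.php`, `/combined.php` and the function `do_work` are hypothetical names chosen for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def do_work():
    # Stand-in for the "mysql stuff" done by page A (hypothetical).
    return "saved"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/page_a.php":        # processes, then redirects
            do_work()
            self.send_response(302)
            self.send_header("Location", "/page_b.php")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # /page_b.php only displays; /combined.php calls do_work() itself
        body = (do_work() if self.path == "/combined.php" else "done").encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):             # keep the demo quiet
        pass

def client_view(start_path):
    """Return every (path, status) pair the client sees, following redirects by hand."""
    server = HTTPServer(("127.0.0.1", 0), Handler)   # constructed local server
    threading.Thread(target=server.serve_forever, daemon=True).start()
    seen, path = [], start_path
    try:
        while path:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            seen.append((path, resp.status))
            # The redirect target arrives as a response header the client must read.
            path = resp.getheader("Location") if resp.status in (301, 302, 303, 307) else None
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return seen

if __name__ == "__main__":
    print(client_view("/page_a.php"))    # two requests, both paths visible
    print(client_view("/combined.php"))  # one request, no redirect to observe
```

The redirect is an instruction the browser itself carries out, so the processing page's URL is always in the client's request history; in the combined design the processing code can live in a file that is never requested directly.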