detecting direct access to .php file

sh33p1985
Forum Commoner
Posts: 78
Joined: Thu Mar 11, 2004 9:22 am

Post by sh33p1985 »

basically, in an online shopping environment the user's path through the shopping process is shop->basket->checkout

i would like to somehow redirect someone who goes directly to checkout.php back to shop.php but how could you achieve this in php?

thanks
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Code:

header("Location: http://whatever.com/blah.php");
exit; // stop the script so nothing after the redirect runs
This must be called before anything is printed to the document. Preferably, at the very start.

To ensure that they've come from shop.php, use $_SERVER['HTTP_REFERER'].
sh33p1985
Forum Commoner
Posts: 78
Joined: Thu Mar 11, 2004 9:22 am

Post by sh33p1985 »

the $_SERVER['HTTP_REFERER'] global was what i was after, although after a bit of research it seems that not all user agents will set this so it could prove a bit unreliable. if it's the only option that is available for what i want to achieve tho i guess it will have to do.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

sh33p1985 wrote:although after a bit of research it seems that not all user agents will set this so it could prove a bit unreliable
Seriously? Well in that case, you could use a simple post or get (or session since you're likely already using them) variable that you send to checkout.php from send.php, and if it hasn't been sent, then you redirect.
louie35
Forum Contributor
Posts: 144
Joined: Fri Jan 26, 2007 8:40 am
Location: Dublin

Post by louie35 »

another way is to make sure your shopping cart has items in it, if not redirect to shop.php
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

louie35 wrote:another way is to make sure your shopping cart has items in it, if not redirect to shop.php
Very efficient. Listen to Louie :-p
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Anything from $_POST, $_GET, $_COOKIE and $_SERVER can be spoofed. OK not all of $_SERVER but it's difficult to know what can and what can't so it's best to treat it all as tainted.
louie35 wrote:another way is to make sure your shopping cart has items in it, if not redirect to shop.php
This is a good idea because this data comes from the server. Another alternative could be to use a session.
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

A session would definitely be the best bet. A $_GET variable would not as it can be reused if it's just a basic &my_param=1.

Anything else seems very bad and insecure. Not to say session is the best of the west, but as for what we are given and a lot less headache of coding it on our own, session is the top dog.

Also an added benefit would be to check the REFERER to make sure that where the request is coming in from is, in fact, the domain where your shopping cart lives.


Last but not least, you could of course track the user in a database ;) Of course, this is NOT recommended, but you could keep a relational map of a key representing the page the user is accessing. If it equals x where x = checkout.php but x-1 != whatever.php, redirect them.

Other than that, I dunno. Browser cookies have been effective up until people got smart enough to either block them or spoof them. So, it's up to you really..
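
The distinction drawn in the posts above (cart and session contents are stored by the server, while Referer and other request fields are supplied by the client) as an added PHP example, not code from any poster in this thread. The session keys `cart` and `step`, the helper names and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Decide whether a request may see checkout.php, using only state the server
// stored in the session. Returns the page to redirect to, or null to allow.
// The keys 'cart' and 'step' are assumed names, not from the thread.
function checkout_redirect(array $session): ?string
{
    $cart = $session['cart'] ?? [];
    if (!is_array($cart) || count($cart) === 0) {
        return 'shop.php';            // nothing to buy: back to the shop
    }
    if (($session['step'] ?? '') !== 'basket') {
        return 'basket.php';          // has items but skipped the basket page
    }
    return null;
}

// The Referer check suggested earlier in the thread, for comparison. The
// header is sent by the client, so it can be absent or set to any value.
function referer_allows(array $server): bool
{
    $path = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_PATH);
    return is_string($path) && basename($path) === 'shop.php';
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: [description, session contents, $_SERVER subset].
    $cases = [
        ['direct hit, forged Referer', [], ['HTTP_REFERER' => 'http://shop.example/shop.php']],
        ['real shopper, Referer stripped', ['cart' => ['sku-1' => 2], 'step' => 'basket'], []],
        ['items added, basket skipped', ['cart' => ['sku-1' => 1]], []],
    ];
    foreach ($cases as [$label, $session, $server]) {
        printf("%-32s referer=%-5s session=%s\n", $label,
            referer_allows($server) ? 'allow' : 'deny',
            checkout_redirect($session) ?? 'allow');
    }
} else {
    // Top of checkout.php, before any output.
    session_start();
    $target = checkout_redirect($_SESSION);
    if ($target !== null) {
        header('Location: ' . $target, true, 303);
        exit;                         // stop here or the page still renders
    }
}
```

Run from the command line it prints the two checks side by side for each constructed request; served by a web server, the `else` branch is the guard itself, with basket.php expected to set `$_SESSION['step'] = 'basket'`.
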
sh33p1985
Forum Commoner
Posts: 78
Joined: Thu Mar 11, 2004 9:22 am

Post by sh33p1985 »

initially i was using sessions to determine where in the shopping chain the user was. however as this is a small online shop, and was designed with simplicity in mind (no user accounts, temporary orders which are stored up to 24hrs and are only put into the database following successful payment) i was considering squishing the entire checkout process into one file (enter details, confirm details, payment, order confirmation) but the script called after payment destroys the session, and invariably led to difficulties in displaying the order confirmation without creating a new session (which i didn't want, this is up to the shop itself) so i was trying to devise a way in which to track where the user was coming from to ensure that any direct access to the checkout without going through the shop would punt them back to the shop! i think you have to look at what you actually require to assess whether possible flaws (like HTTP_REFERER not being set by some user agents) are acceptable or not. for the immediate future i don't think the shop will service a level of traffic that will warrant the extra effort in deploying that extra security.
bryansu
Forum Newbie
Posts: 9
Joined: Mon May 08, 2006 2:53 am

Post by bryansu »

I totally agree with "sh33p1985". I also got this problem where you need to monitor which session file to unregister and it is giving me a headache. I like to use http_referer. But this has one problem where if your previous page is using

header ("location: example.php");

to direct to next page, then the http_referer will not work. This is because header("location") is a 302 redirect.

I am still looking into how to make http_referer universal...