detecting direct access to .php file
Moderator: General Moderators
basically, in an online shopping environment the users path through the shopping process is shop->basket->checkout
i would like to somehow redirect someone who goes directly to checkout.php back to shop.php but how could you acheive this in php?
thanks
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
```php
header("Location: http://whatever.com/blah.php");
exit; // stop the script so nothing after the redirect is executed
```
To ensure that they've come from shop.php, use $_SERVER['HTTP_REFERER']
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Seriously? Well in that case, you could use a simple post or get (or session, since you're likely already using them) variable that you send to checkout.php from send.php, and if it hasn't been sent, then you redirect.

Although after a bit of research it seems that not all user agents will set this, so it could prove a bit unreliable.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Anything from $_POST, $_GET, $_COOKIE and $_SERVER can be spoofed. OK, not all of $_SERVER, but it's difficult to know what can and what can't, so it's best to treat it all as tainted.
This is a good idea because this data comes from the server. Another alternative could be to use a session.

Another way is to make sure your shopping cart has items in it; if not, redirect to shop.php.
A session would definitely be the best bet. A $_GET variable would not, as it can be reused if it's just a basic &my_param=1.
Anything else seems very bad and insecure. Not to say session is the best of the west, but as for what we are given, and a lot less headache than coding it on our own, session is the top dog.
Also, an added benefit would be to check the REFERER to make sure that the request is, in fact, coming in from the domain where your shopping cart lives.
Last but not least, you could of course track the user in a database
Of course, this is NOT recommended, but you could keep a relational map of a key representing the page the user is accessing. If it equals x where x = checkout.php but x-1 != whatever.php, redirect them.
Other than that, I dunno. Browser cookies have been effective up until people got smart enough to either block them or spoof them. So, it's up to you really..
initially i was using sessions to determine where in the shopping chain the user was. however, as this is a small online shop, and was designed with simplicity in mind (no user accounts, temporary orders which are stored up to 24hrs and are only put into the database following successful payment), i was considering squishing the entire checkout process into one file (enter details, confirm details, payment, order confirmation). but the script called after payment destroys the session, and this invariably led to difficulties in displaying the order confirmation without creating a new session (which i didn't want; this is up to the shop itself).

so i was trying to devise a way to track where the user is coming from, to ensure that any direct access to the checkout without going through the shop would punt them back to the shop! i think you have to look at what you actually require to assess whether possible flaws (like HTTP_REFERER not being set by some user agents) are acceptable or not. for the immediate future i don't think the shop will service a level of traffic that will warrant the extra effort in deploying that extra security.
I totally agree with "sh33p1985". I also got this problem where you need to monitor which session file to unregister, and it is giving me a headache. I like to use http_referer. But this got one problem where, if your previous page is using
```php
header ("location: example.php");
```
to direct to the next page, then the http_referer will not work. This is because header("location") is a 302 redirect.
I am still looking into how to make http_referer universal...
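Putting together the session-based gating and the cart-not-empty check recommended earlier in the thread, while leaving HTTP_REFERER out of the decision (it is spoofable, some user agents omit it, and, as the last post notes, a header("Location") redirect loses it). This is an added example written for this thread, not code from any of the posters; the step constants, the `cart_step` session key and the `cart` array are assumed names.

```php
<?php
// Added example: gate checkout.php on server-side session state, not on the referer.
// Assumed layout: shop.php and basket.php call mark_step(); checkout.php calls
// require_checkout_access() before any output.
session_start();

const STEP_SHOP     = 1;
const STEP_BASKET   = 2;
const STEP_CHECKOUT = 3;

// Called by shop.php / basket.php once the user has legitimately reached that page.
// Steps only advance by one, so a bookmark straight to basket.php cannot skip shop.php.
function mark_step(int $step): void
{
    $current = $_SESSION['cart_step'] ?? 0;
    if ($step === $current + 1) {
        $_SESSION['cart_step'] = $step;
    }
}

// True only when the session itself records shop -> basket AND the cart holds items.
// $_SERVER['HTTP_REFERER'] is deliberately ignored: the client controls it, and it is
// absent after a header("Location") redirect or with privacy-conscious user agents.
function may_enter_checkout(): bool
{
    $step  = $_SESSION['cart_step'] ?? 0;
    $items = $_SESSION['cart'] ?? [];
    return $step >= STEP_BASKET && count($items) > 0;
}

// Redirects anyone who arrived at checkout.php directly back to the shop.
function require_checkout_access(string $fallback = 'shop.php'): void
{
    if (!may_enter_checkout()) {
        // 303 makes the browser issue a GET for shop.php even if checkout was POSTed to.
        header('Location: ' . $fallback, true, 303);
        exit; // without exit the rest of checkout.php would still execute
    }
    $_SESSION['cart_step'] = STEP_CHECKOUT;
}

// --- first lines of checkout.php ---
require_checkout_access();
```

Because the decision rests entirely on data the server wrote into the session, a user typing the checkout URL into a fresh browser (empty session) is sent back to shop.php regardless of what referer their browser does or does not send.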