
detecting direct access to .php file

Posted: Sun Jan 28, 2007 2:06 pm
by sh33p1985
basically, in an online shopping environment the user's path through the shopping process is shop->basket->checkout

i would like to somehow redirect someone who goes directly to checkout.php back to shop.php but how could you achieve this in php?

thanks

Posted: Sun Jan 28, 2007 2:29 pm
by superdezign

Code:

header("Location: http://whatever.com/blah.php");
This must be called before anything is printed to the document. Preferably, at the very start.

To ensure that they've come from shop.php, use $_SERVER['HTTP_REFERER']

Posted: Sun Jan 28, 2007 4:10 pm
by sh33p1985
the $_SERVER['HTTP_REFERER'] global was what i was after, although after a bit of research it seems that not all user agents will set this so it could prove a bit unreliable. if it's the only option that is available for what i want to achieve though, i guess it will have to do.

Posted: Sun Jan 28, 2007 4:36 pm
by superdezign
sh33p1985 wrote: although after a bit of research it seems that not all user agents will set this so it could prove a bit unreliable
Seriously? Well in that case, you could use a simple post or get (or session since you're likely already using them) variable that you send to checkout.php from send.php, and if it hasn't been sent, then you redirect

Posted: Sun Jan 28, 2007 5:33 pm
by louie35
another way is to make sure your shopping cart has items in it, if not redirect to shop.php

Posted: Sun Jan 28, 2007 5:41 pm
by superdezign
louie35 wrote: another way is to make sure your shopping cart has items in it, if not redirect to shop.php
Very efficient. Listen to Louie :-p

Posted: Sun Jan 28, 2007 8:27 pm
by Ollie Saunders
Anything from $_POST, $_GET, $_COOKIE and $_SERVER can be spoofed. OK, not all of $_SERVER, but it's difficult to know what can and what can't, so it's best to treat it all as tainted.
louie35 wrote: another way is to make sure your shopping cart has items in it, if not redirect to shop.php
This is a good idea because this data comes from the server. Another alternative could be to use a session.

Posted: Sun Jan 28, 2007 8:59 pm
by infolock
A session would definitely be the best bet. A $_GET variable would not, as it can be reused if it's just a basic &my_param=1.

Anything else seems very bad and insecure. Not to say session is the best of the west, but as for what we are given and a lot less headache of coding it on our own, session is the top dog.

Also an added benefit would be to check the REFERER to make sure that the request coming in is, in fact, from the domain where your shopping cart lives.


Last but not least, you could of course track the user in a database ;) Of course, this is NOT recommended, but you could keep a relational map of a key representing the page the user is accessing. If it equals x where x = checkout.php but x-1 != whatever.php, redirect them.

Other than that, I dunno. Browser cookies have been effective up until people got smart enough to either block them or spoof them. So, it's up to you really..
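Putting the server-side check that louie35, Ollie Saunders and infolock describe into code, as an added example that is not from any poster in this thread: a guard at the top of checkout.php that redirects to shop.php unless the session holds a non-empty cart. It assumes shop.php stores the cart in $_SESSION['cart'] as item id => quantity, and a constant SHOP_HOST for the optional referer comparison; both are assumptions, not something the thread specifies.

```php
<?php
// Added example, not code from the thread: guard for the top of checkout.php.
// Assumption: shop.php keeps the cart in $_SESSION['cart'] as item_id => quantity.
// Assumption: SHOP_HOST is the host name the shop is served from.
const SHOP_HOST = 'shop.example';

session_start();

/**
 * True when the session holds at least one cart line with a positive quantity.
 * The cart lives in the session on the server, so a visitor cannot fake it by
 * editing a query string, a cookie value or the Referer header.
 */
function cart_has_items(array $session): bool
{
    if (empty($session['cart']) || !is_array($session['cart'])) {
        return false;
    }
    foreach ($session['cart'] as $qty) {
        if (is_int($qty) && $qty > 0) {
            return true;
        }
    }
    return false;
}

/**
 * Send the visitor back to shop.php and stop the script.
 * header() must run before any output (no echo, no HTML, no stray whitespace
 * before "<?php"), and the exit matters: without it PHP would keep rendering
 * the rest of checkout.php and send that page body along with the redirect.
 */
function redirect_to_shop(): void
{
    header('Location: /shop.php');
    exit;
}

/**
 * Weaker, optional signal: does the Referer name our own host?
 * Browsers may omit the header and a client can set it to anything, so this
 * is only worth logging, never worth gating the checkout on by itself.
 */
function referer_is_local(string $referer, string $expectedHost): bool
{
    if ($referer === '') {
        return true; // absent header is normal for many user agents
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

if (!cart_has_items($_SESSION)) {
    redirect_to_shop();
}

$referer = $_SERVER['HTTP_REFERER'] ?? '';
if (!referer_is_local($referer, SHOP_HOST)) {
    error_log('checkout reached with foreign referer: ' . $referer);
}

// Past this point the visitor has a non-empty cart; render the checkout form.
?>
```

The order of the checks is the point: the session-backed cart decides whether checkout is shown, and the referer only feeds a log line, because the cart contents were written by shop.php on the server while the referer was written by whatever client sent the request.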

Posted: Mon Jan 29, 2007 10:06 am
by sh33p1985
initially i was using sessions to determine where in the shopping chain the user was. however as this is a small online shop, and was designed with simplicity in mind (no user accounts, temporary orders which are stored up to 24hrs and are only put into the database following successful payment) i was considering squishing the entire checkout process into one file (enter details, confirm details, payment, order confirmation). but the script called after payment destroys the session, and invariably led to difficulties in displaying the order confirmation without creating a new session (which i didn't want, this is up to the shop itself), so i was trying to devise a way in which to track where the user was coming from to ensure that any direct access to the checkout without going through the shop would punt them back to the shop!

i think you have to look at what you actually require to assess whether possible flaws (like HTTP_REFERER not being set by some user agents) are acceptable or not. for the immediate future i don't think the shop will service a level of traffic that will warrant the extra effort in deploying that extra security.

Posted: Sun Jul 15, 2007 11:59 am
by bryansu
I totally agree with "sh33p1985". I also got this problem where you need to monitor which session file to unregister and it is giving me a headache. I like to use http_referer. But this got one problem where if your previous page is using

header ("location: example.php");

to direct to the next page, then the http_referer will not work. This is because header("location") is a 302 redirect.

I am still looking into how to make http_referer universal...