It says it's not there.... 404 Error?!?! !@$#@%@$#

Posted: Mon Feb 10, 2003 5:45 pm
by Zoram
I have been working on my website and after updating the login I started to get some really maddening responses.

Now when I log in it logs in and sets the SESSION variables, but when it gets to the header("Location: " . $HTTP_REFERER); it brings up a 404 page not found ... here's the code... it seems to bring up the error on a couple of pages...

<?php session_start();

// ********************PAGE VARIABLES******************
	$waldo = "../";
// ****************************************************
if (isset($_POST['user']) && isset($_POST['pass'])){
	
	// Get Login Information
	$user_name = addslashes($_POST['user']);
	$password = addslashes($_POST['pass']);
	
	// **** QUERY ****
	$query = "SELECT * FROM users WHERE user_username = '$user_name' AND user_pass = SHA1('$password')";
	$result = @mysql_query($query, $connection) or die ( header ("Location: " . $waldo . "Error.php" ) );
	$affected_rows = @mysql_num_rows($result);
	if (@mysql_num_rows($result) > 0) {
		while ($row = @mysql_fetch_array($result)) {
			$_SESSION['VAL'] = $row['user_uniId'];
			$cartId = $row['user_cartId'];
			$_SESSION['USER'] = $user_name;
			
			if (!isset($_SESSION['CART'])) {
				$_SESSION['CART'] = $cartId;
			} else {
				// Change temp cart contents to new cart id.
				$query = "UPDATE cart SET cart_cartId = '$cartId' WHERE cart_cartId = '" . $_SESSION['CART'] . "'";
				$result = @mysql_query($query, $connection) or die ( header ("Location: " . $waldo . "Error.php" ) );
				
				// Set new cart id
				$_SESSION['CART'] = $cartId;
			} // if preset cart
			$date = date("Y-m-d");
			
			$ipAdd = $_SERVER['REMOTE_ADDR'];
			$browser = $_SERVER['HTTP_USER_AGENT'];
			
			$query = "INSERT INTO log (log_id, log_user, log_ip, log_date, log_browser) VALUES (NULL, '$user_name', '$ipAdd', NULL, '$browser')";
			$result = @mysql_query($query, $connection) or die ( header ("Location: " . $waldo . "Error.php" ) );
			
			$query = "UPDATE users SET user_lastlog = '$date' WHERE user_username = '" . $_SESSION['USER'] . "' AND user_uniId = '". $_SESSION['VAL'] ."'";
			$result = @mysql_query($query, $connection) or die ( header ("Location: " . $waldo . "Error.php" ) );
			
			header("Location: " . $HTTP_REFERER);
			exit;
		}
	} else {
		$loginPass = false;
	}
}
.... Any Suggestions?

Posted: Mon Feb 10, 2003 6:02 pm
by gyardleydn
$HTTP_REFERER
Weren't you the one who said they were concerned about stopping injection attacks? Did you decide to keep globals on?

I don't think ("Location: " . $waldo . "Error.php" ) will work when $waldo is "../" as you need to supply an absolute path.
See: header()

Posted: Mon Feb 10, 2003 6:05 pm
by Zoram
It's worked so far... and what globals? The session vars? I just save the username, cart and a validation number... is there something wrong with that?

Posted: Mon Feb 10, 2003 6:08 pm
by gyardleydn
Should $HTTP_REFERER be $_SERVER['HTTP_REFERER']?
Zoram wrote: It's worked so far... and what globals? The session vars? I just save the username, cart and a validation number... is there something wrong with that?

Posted: Mon Feb 10, 2003 6:13 pm
by Zoram
Actually, as I am testing it out more, if I log in from different pages half of the time it works and the other half when I try to redirect it gives me the 404 error.

Posted: Tue Feb 11, 2003 2:33 am
by twigletmac
From the manual (http://www.php.net/manual/en/reserved.variables.php):
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
And as gyardleydn pointed out, if register_globals is off it should be $_SERVER['HTTP_REFERER'] instead of $HTTP_REFERER.

Mac
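
The point quoted from the manual above, as an added example that is not part of the original thread: since the Referer header may be absent or altered by the user agent, a login script can accept it only when it names the site's own origin and otherwise redirect to a fixed page. The function name `safe_redirect_target`, the origin `http://example.test` and the fallback `/index.php` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+.
// Hypothetical names: safe_redirect_target(), example.test, /index.php.

/**
 * Return an absolute URL on our own origin to redirect to after login.
 * The Referer is used only if it parses cleanly and names our own origin;
 * otherwise the fixed fallback page is returned.
 */
function safe_redirect_target(?string $referer, string $ownOrigin, string $fallbackPath = '/index.php'): string
{
    $fallback = $ownOrigin . $fallbackPath;
    if ($referer === null || $referer === '') {
        return $fallback;   // header absent: nothing to redirect back to
    }
    if (preg_match('/[\x00-\x20\x7F]/', $referer)) {
        return $fallback;   // whitespace or control bytes have no place in a Location
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;   // relative or malformed value
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host'])
            . (isset($parts['port']) ? ':' . $parts['port'] : '');
    if ($origin !== strtolower($ownOrigin)) {
        return $fallback;   // referer names another site
    }
    // Rebuild from our origin plus the referer's path and query only.
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $ownOrigin . ($parts['path'] ?? '/') . $query;
}

// Constructed sample Referer values.
$samples = [
    null,
    'http://example.test/shop/cart.php?id=3',
    'http://other.test/login.php',
    'http://example.test@other.test/',
    "http://example.test/a\r\nX-Injected: 1",
];
foreach ($samples as $ref) {
    echo var_export($ref, true), ' => ',
         safe_redirect_target($ref, 'http://example.test'), "\n";
}
// In the login script (assumed usage):
// header('Location: ' . safe_redirect_target($_SERVER['HTTP_REFERER'] ?? null, 'http://example.test'));
// exit;
```

Only the second sample is passed through; the other four fall back to `http://example.test/index.php`.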

Posted: Tue Feb 11, 2003 6:54 pm
by Zoram
Hmmm... I need to learn more about PHP.... I didn't even realize they were on.