Need an extra set of eyes

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I usually wouldn't bother with something so trivial, but because it's kind of the first and best firewall against attacks/hacks I figured I'd ask the community, in case I missed something.

Code:

$path = dirname($_SERVER['PHP_SELF']); // Drop currently requested file name with any $_GET parameters
// When $path is '/' (document root) the concatenation yields '//', so collapse it
$redirect_url = str_replace('//', '/', $_SERVER['HTTP_HOST'].'/'.$path.'/login.php');
header("location: http://$redirect_url");
exit;

Basically I check if the user ID is zero (not authenticated) and redirect to a login script...

Safe?

This is called inside an index.php which is in the same directory as login.php, so my next question (equally important)

Does the above make sure, that regardless where in a directory structure, the login.php is actually invoked?

What I mean is, assume I had it installed like:

Code:

www.domain.com/test/apps/index.php

Would it redirect to:

Code:

www.domain.com/test/apps/login.php

Or would it redirect to another sub-directory and thus result in a 404 because login.php wasn't in that directory?

Thanks for any input :)
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

are you using a front controller? is this it?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Let's say emulating a front controller...

It's not Zend...and according to some it might be more analogous to a page controller...

Right now, it's simply a single switch inside an index.php

The reason I have the $file is because I may modularize the application into PHP scripts or may formalize the monolithic switch into a single front controller (in which case the above code isn't necessary - if implemented as a proper front controller).

For the time being though, it is what it is :P

Ignore those specifics though, please...

I just care to know if there are any exploits, etc. which could be capitalized on? See anything you'd change (considering the context)?

Cheers :)
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

Other than perhaps using $_SERVER['SCRIPT_FILENAME'] (or __FILE__) instead of php_self I can't see anything glaringly obvious.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

parse_url() may be of interest.
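Added example (not code from any of the posters) that puts the replies together: the script directory comes from SCRIPT_NAME rather than PHP_SELF, HTTP_HOST is treated as request input and compared against a configured host, and parse_url() is used as a final check on the result. The constant CANONICAL_HOST and the constructed $server arrays are assumptions.

```php
<?php
// Assumed configuration value: the hostname this install is served under.
const CANONICAL_HOST = 'www.domain.com';

/**
 * Build the absolute URL of login.php in the same directory as the running
 * script. $server is a parameter (rather than reading $_SERVER directly) so
 * the function can be exercised with constructed input.
 */
function login_redirect_target(array $server): string
{
    // SCRIPT_NAME is the script path as the web server resolved it. PHP_SELF
    // can additionally carry client-supplied path info (e.g. /index.php/x),
    // which would make dirname() return the script itself as the "directory".
    $script = $server['SCRIPT_NAME'] ?? '';
    $dir = rtrim(dirname($script === '' ? '/' : $script), '/'); // '' at document root

    // HTTP_HOST is copied from the request's Host header, so it is input, not
    // configuration. Accept it only when it matches the configured host.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if ($host !== CANONICAL_HOST) {
        $host = CANONICAL_HOST;
    }

    // Keep the scheme the request arrived on.
    $https = $server['HTTPS'] ?? '';
    $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';

    // No '//' cleanup is needed: $dir is either '' or starts with a single '/'.
    $url = $scheme . '://' . $host . $dir . '/login.php';

    // Final check with parse_url(): the URL must parse and point at our host,
    // with no query, fragment or user-info component.
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['host'] ?? '') !== CANONICAL_HOST
        || isset($parts['query']) || isset($parts['fragment']) || isset($parts['user'])) {
        throw new RuntimeException('Refusing to redirect to unexpected URL: ' . $url);
    }
    return $url;
}

// Constructed inputs mirroring the install path from the thread.
$sub  = ['SCRIPT_NAME' => '/test/apps/index.php', 'HTTP_HOST' => 'www.domain.com'];
$root = ['SCRIPT_NAME' => '/index.php',           'HTTP_HOST' => 'www.domain.com'];
$bad  = ['SCRIPT_NAME' => '/test/apps/index.php', 'HTTP_HOST' => 'other.example'];
foreach ([$sub, $root, $bad] as $server) {
    echo login_redirect_target($server), "\n"; // $bad falls back to CANONICAL_HOST
}
// In index.php: header('Location: ' . login_redirect_target($_SERVER), true, 302); exit;
```

The third input shows the fallback: a Host header that does not match the configured name never reaches the Location header.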