redirection with $_GET vars

Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

I have the following (but with more cases and with actual client names):

Code:

if (isset($_POST['Company']))       // user has input a "password" for evaluation
{
     // Values are concatenated raw: a "%", "&" or "=" typed by the user lands
     // unencoded in the query string (this is what the 406 below is about)
     $Go = "User=" . $_POST['User'] . "&Pass=" . $_POST['Pass'];

     // company id selects the client subdirectory (case-insensitive)
     if (!strcasecmp($_POST['Company'], "client1"))
          $Go = "Location:clients/client1/index.php?" . $Go;
     else if (!strcasecmp($_POST['Company'], "client2"))
          $Go = "Location:clients/client2/index.php?" . $Go;
     else $Go = "Location:cportal.php";         // return to home page

     header($Go);                               // 302 to the client's login script
     exit;
}
It works perfectly. The index.php at the destination evaluates the $_GET['User'] and $_GET['Pass'] against a database and logs the user into the system. If either is not found it redirects back to cportal.php, and all of this happens fast enough that the URL with the username and password is never seen. Not that it would hurt if it were, since the user entered it.

The problem is that at one point it triggered the following server error:

Code:

/clients/client1/index.php?User=rancho%20san%20diego&Pass=100% HTTP/1.1
Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: not enough characters [severity "EMERGENCY"]
 
The user's password may well have been "100%".
Anyway, the error caused the firewall to block the IP address range of 255 numbers, which caused many headaches.

Clearly I need to do something with the user's input to prevent this sort of issue, but I'm a bit stumped.
I tried urlencode($Go); but when I do that the destination login fails.
Same with htmlentities(urlencode($Go));

So a two-part question. Why does the urlencode (with username and password which are pure alpha with no spaces) fail?
And what do I need to do to assure non-problematic url for redirection?
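Both halves of the question, as an added example in PHP that is not Bill H's code (the CLIENT_DIRS table and the file paths are placeholders standing in for the real client directories). urlencode() applied to the whole Location string fails because it also encodes the ":", "/", "?", "=" and "&" that give the header and the query string their structure, so the destination never receives a User or Pass parameter at all. The fix is to encode each value on its own with http_build_query(), which turns a password of 100% into 100%25 and a space into +, so the front-end URL normaliser that raised the 406 sees valid percent-encoding. The hasValidPercentEncoding() helper below reproduces that normaliser's complaint (a "%" must be followed by two hex digits) and is an assumption about what the rule checks, not the firewall's own code. Even a correctly encoded URL still carries the password into the web-server access log, the browser history and any Referer header, which is the point raised in the next reply.

```php
<?php
// Added example (not from the original post). Shows why urlencode() on the
// whole Location string breaks the redirect, and how to encode only the
// values. Company ids and paths are placeholders assumed for illustration.

// Allow-list of company ids -> destination script. Lookup is case-insensitive,
// like the strcasecmp() chain in the original post.
const CLIENT_DIRS = [
    'client1' => 'clients/client1/index.php',
    'client2' => 'clients/client2/index.php',
];

// Builds the relative URL to redirect to; credentials are encoded per value.
function buildRedirect(array $post): string
{
    $company = strtolower(trim($post['Company'] ?? ''));
    $target  = CLIENT_DIRS[$company] ?? null;
    if ($target === null) {
        return 'cportal.php';            // unknown company: back to the portal
    }
    // http_build_query() percent-encodes each value separately, so "100%"
    // becomes "100%25" and "rancho san diego" becomes "rancho+san+diego",
    // while the structural "=", "&" and "/" characters stay as they are.
    $query = http_build_query([
        'User' => $post['User'] ?? '',
        'Pass' => $post['Pass'] ?? '',
    ]);
    return $target . '?' . $query;
}

// What the original attempt did: urlencode() over the *entire* string.
// Every ":", "/", "?", "=" and "&" is encoded too, so the result is
// "Location%3Aclients%2Fclient1%2Findex.php%3FUser%3D...", which is not a
// Location header with a query string at all. That is why the login failed.
function brokenRedirect(array $post): string
{
    $go = 'User=' . ($post['User'] ?? '') . '&Pass=' . ($post['Pass'] ?? '');
    return urlencode('Location:clients/client1/index.php?' . $go);
}

// Assumed model of the normaliser's rule: every "%" must be followed by two
// hex digits. The raw URL from the error log ends in "100%" and fails this.
function hasValidPercentEncoding(string $url): bool
{
    return !preg_match('/%(?![0-9A-Fa-f]{2})/', $url);
}

// Constructed sample input resembling the request in the error log.
$sample = ['Company' => 'Client1', 'User' => 'rancho san diego', 'Pass' => '100%'];

$good = buildRedirect($sample);
echo $good, PHP_EOL;            // clients/client1/index.php?User=rancho+san+diego&Pass=100%25
echo brokenRedirect($sample), PHP_EOL;

// The logged request fails the encoding rule; the correctly built one passes.
assert(!hasValidPercentEncoding('clients/client1/index.php?User=rancho%20san%20diego&Pass=100%'));
assert(hasValidPercentEncoding($good));

// Confirm the receiving side decodes the values back unchanged, as
// index.php would see them in $_GET.
parse_str(parse_url($good, PHP_URL_QUERY), $decoded);
assert($decoded['User'] === 'rancho san diego' && $decoded['Pass'] === '100%');

// In the real handler (not executed here because it would send headers):
// header('Location: ' . $good); exit;
```

Run it with php on the command line (set zend.assertions=1 to have the assert() calls enforced). The allow-list lookup replaces the if/else chain: adding a client is one array entry, and an unknown company id can never select a path.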
Phoenixheart
Forum Contributor
Posts: 123
Joined: Tue Nov 16, 2004 7:46 am

Re: redirection with $_GET vars

Post by Phoenixheart »

Just curious... Why do you pass username and password via GET method? It's terribly insecure.
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Re: redirection with $_GET vars

Post by Bill H »

If you can suggest another way to pass them I'm open to doing so.

We have eight clients (and increasing), each of which has a process in a subdirectory with their own database of (among other things of course) usernames and passwords. As long as no competitors were involved the login was a two-step process: log in with company id, which takes you to the proper subdirectory, and then log in with username and password, which uses the database for comparison and logs you into the process as the specific user.

Now that competitors are involved that process makes it too easy to "browse" by logging company ids experimentally to see what other companies are using our process. By combining the logins, the company id alone is not enough to get you in.

One thought was to make each company id gibberish, but that was deemed to be unfeasible from a marketing standpoint.

I thought about making the username and password comparison at this point rather than passing the input data, but the login process is quite complex and differs substantially between clients, so it just isn't really feasible.
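One way to pass the credentials without putting them in the URL, as an added example that is not code from this thread (the CLIENT_DIRS table, the pending_login session key and the 60-second lifetime are assumptions): the portal keeps the combined company/username/password form and the company-id check, stages the POSTed username and password in the server-side session, and redirects with a bare URL. The client's index.php takes them out of the session exactly once and runs its own, unchanged database comparison on them. Nothing secret travels in the query string, so neither the front-end URL normaliser that produced the 406 nor the access log ever sees the password, which answers the concern in the previous reply. This assumes session_start() on both pages and that the client subdirectories share the portal's session cookie (same host, cookie path covering both).

```php
<?php
// Added example (not from the original thread): hand the credentials to the
// client's login script through the server-side session instead of the URL.
// Paths, the session key name and the lifetime are placeholders.

const CLIENT_DIRS = [
    'client1' => 'clients/client1/index.php',
    'client2' => 'clients/client2/index.php',
];

// cportal.php side. Validates the company id, stages the credentials in the
// session and returns the redirect target, or null to stay on the portal.
// $session stands in for $_SESSION so the example runs without a web server.
function stageLogin(array $post, array &$session): ?string
{
    $company = strtolower(trim($post['Company'] ?? ''));
    $target  = CLIENT_DIRS[$company] ?? null;
    if ($target === null || !isset($post['User'], $post['Pass'])) {
        return null;                               // back to cportal.php
    }
    $session['pending_login'] = [
        'company' => $company,                     // bound to one destination
        'user'    => $post['User'],
        'pass'    => $post['Pass'],
        'expires' => time() + 60,                  // short lifetime, assumed
    ];
    return $target;                                // no credentials in the URL
}

// clients/<company>/index.php side. Takes the staged credentials exactly
// once; a stale, missing or mis-routed entry yields null, and the entry is
// removed whatever the outcome so it cannot be replayed on a second request.
function takeStagedLogin(array &$session, string $company): ?array
{
    $staged = $session['pending_login'] ?? null;
    unset($session['pending_login']);              // one-shot, always removed
    if ($staged === null
        || $staged['company'] !== $company
        || $staged['expires'] < time()) {
        return null;
    }
    return ['user' => $staged['user'], 'pass' => $staged['pass']];
}

// Constructed walk-through using an array in place of $_SESSION.
$session = [];
$post = ['Company' => 'Client1', 'User' => 'rancho san diego', 'Pass' => '100%'];

$target = stageLogin($post, $session);
echo $target, PHP_EOL;                             // clients/client1/index.php
// Real portal handler after session_start():
//   header('Location: ' . $target); exit;

// Unknown company: nothing is staged and the user stays on the portal.
assert(stageLogin(['Company' => 'nobody', 'User' => 'x', 'Pass' => 'y'], $session) === null);

// The client's index.php gets the values untouched by any URL encoding rules
// and can run its existing database comparison on them.
$creds = takeStagedLogin($session, 'client1');
assert($creds === ['user' => 'rancho san diego', 'pass' => '100%']);

// A second read (a reload, or a link shared to another user) finds nothing.
assert(takeStagedLogin($session, 'client1') === null);
```

Because the password never leaves the server between the two pages, it also never appears in browser history or in a Referer header sent to a third party. Each client's index.php still decides on its own whether the user is valid, so the per-client login logic described above does not have to move into the portal.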