<?php
// Posted code (unchanged behaviour): the Company field selects a client portal
// and the User/Pass fields are appended to the redirect URL as raw query values.
if (isset($_POST['Company'])) // user has input a "password" for evaluation
{
    $Go = "User=" . $_POST['User'] . "&Pass=" . $_POST['Pass'];
    if (!strcasecmp($_POST['Company'], "client1"))
        $Go = "Location:clients/client1/index.php?" . $Go;
    else if (!strcasecmp($_POST['Company'], "client2"))
        $Go = "Location:clients/client2/index.php?" . $Go;
    else $Go = "Location:cportal.php"; // return to home page
    header($Go);
    exit;
}

The problem is that at one point it triggered the following server error:
/clients/client1/index.php?User=rancho%20san%20diego&Pass=100% HTTP/1.1
Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: not enough characters [severity "EMERGENCY"]
Anyway, the error caused the firewall to block an IP address range of 255 addresses, which caused many headaches.
Clearly I need to do something with the user's input to prevent this sort of issue, but I'm a bit stumped.
I tried urlencode($Go); but when I do that the destination login fails.
Same with htmlentities(urlencode($Go));
So a two-part question. Why does the urlencode (with username and password which are pure alpha with no spaces) fail?
And what do I need to do to ensure a non-problematic URL for redirection?
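An added example, not the poster's code, showing the usual fix for both questions. urlencode($Go) fails because it encodes the entire header string, including the colon after "Location", the slashes in the path and the "?", "=" and "&" delimiters, so the browser never receives a usable Location header. Encoding each query value separately (http_build_query() does this) keeps the delimiters literal while turning a value such as "100%" into "100%25", which is what the firewall's URL normaliser was rejecting. The example assumes the same field names and the same clients/<name>/index.php layout as the posted code, and looks the company up in a whitelist instead of a chain of strcasecmp() calls:

```php
<?php
// Added example (not from the original post). Assumes the form fields
// Company, User and Pass and the clients/<name>/index.php layout used above.

// Whitelist of known client portals, keyed by the lower-cased Company value.
$clients = [
    'client1' => 'clients/client1/index.php',
    'client2' => 'clients/client2/index.php',
];

/**
 * Build the redirect target (path plus query string).
 * Unknown companies go back to the home page. User and Pass are passed
 * through http_build_query(), which urlencodes each value ("100%" becomes
 * "100%25", spaces become "+") while leaving "?", "=" and "&" intact, so
 * the receiving page still reads the original values from $_GET.
 */
function buildRedirect(array $clients, string $company, string $user, string $pass): string
{
    $key = strtolower($company);          // case-insensitive match, like strcasecmp()
    if (!isset($clients[$key])) {
        return 'cportal.php';             // unknown company: return to home page
    }
    $query = http_build_query(['User' => $user, 'Pass' => $pass]);
    return $clients[$key] . '?' . $query;
}

if (isset($_POST['Company'])) {
    $target = buildRedirect(
        $clients,
        (string) $_POST['Company'],
        (string) ($_POST['User'] ?? ''),
        (string) ($_POST['Pass'] ?? '')
    );
    header('Location: ' . $target);
    exit;
}
```

With this, a Pass of "100%" produces the request line /clients/client1/index.php?User=rancho+san+diego&Pass=100%25, which decodes cleanly on the destination page. One caveat a practitioner would want noted: a password carried in a redirect's query string ends up in the web server's access log and the browser history, so handing the credentials over in the session (or re-posting them) rather than in the URL avoids that exposure entirely.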