redirection with $_GET vars
Posted: Thu Apr 10, 2008 11:25 pm
I have the following (but with more cases and with actual client names):
Code:
    if (isset($_POST['Company'])) // user has input a "password" for evaluation
    {
        $Go = "User=" . $_POST['User'] . "&Pass=" . $_POST['Pass'];
        if (!strcasecmp($_POST['Company'], "client1"))
            $Go = "Location:clients/client1/index.php?" . $Go;
        else if (!strcasecmp($_POST['Company'], "client2"))
            $Go = "Location:clients/client2/index.php?" . $Go;
        else $Go = "Location:cportal.php"; // return to home page
        header($Go);
        exit;
    }
It works perfectly. The index.php at the destination evaluates the $_GET['User'] and $_GET['Pass'] against a database and logs the user into the system. If either is not found it redirects back to cportal.php, and all of this happens fast enough that the URL with the username and password is never seen. Not that it would hurt if it were, since the user entered it.
The problem is that at one point it triggered the following server error:
Code:
    /clients/client1/index.php?User=rancho%20san%20diego&Pass=100% HTTP/1.1
    Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: not enough characters [severity "EMERGENCY"]
The user's password may well have been "100%".
Anyway, the error caused the firewall to block the IP address range of 255 numbers, which caused many headaches.
Clearly I need to do something with the user's input to prevent this sort of issue, but I'm a bit stumped.
I tried urlencode($Go); but when I do that the destination login fails.
Same with htmlentities(urlencode($Go));
So a two-part question. Why does urlencode (with a username and password which are pure alpha with no spaces) fail?
And what do I need to do to assure a non-problematic URL for redirection?
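Added example (not the poster's code) that speaks to both questions: urlencode() over the whole assembled string also encodes the '=' and '&' separators, so the destination never receives a 'Pass' key at all, whereas encoding each value on its own keeps the separators and turns the stray '%' into a valid '%25'. The portalRedirect() function, the allow-list of client paths and the sample form input are assumptions constructed for the example.

```php
<?php
// Added example, not the poster's code. Builds the redirect from the form
// fields with per-value encoding and shows why urlencode() on the whole
// query string makes the destination login fail.

/** Return the Location target for the portal form, or null if the company
 *  is not one we know. Company names are looked up in a fixed allow-list
 *  (assumed paths) rather than concatenated into the path. */
function portalRedirect(array $post): ?string
{
    $targets = [
        'client1' => 'clients/client1/index.php',
        'client2' => 'clients/client2/index.php',
    ];
    $key = strtolower($post['Company'] ?? '');
    if (!isset($targets[$key])) {
        return null;                       // unknown company: caller sends the user home
    }
    // http_build_query() encodes each value on its own, so '&' and '=' stay
    // as separators while '%' becomes '%25' and spaces become '+'.
    $query = http_build_query(['User' => $post['User'], 'Pass' => $post['Pass']]);
    return $targets[$key] . '?' . $query;
}

if (PHP_SAPI === 'cli') {
    // Constructed input standing in for $_POST; the password is the one from
    // the log line, a trailing '%' with no hex digits after it.
    $post = ['Company' => 'Client1', 'User' => 'rancho san diego', 'Pass' => '100%'];

    // Wrong: urlencode() over the assembled string also encodes '=' and '&',
    // so parse_str() on the receiving side yields one oddly named key and no 'Pass'.
    $whole = urlencode("User=" . $post['User'] . "&Pass=" . $post['Pass']);
    parse_str($whole, $fromWhole);
    echo $whole, "\n";
    var_dump(isset($fromWhole['Pass']));   // false: 'Pass' never arrives as its own key

    // Right: the target built by portalRedirect() round-trips both fields intact.
    $location = portalRedirect($post);
    parse_str(parse_url($location, PHP_URL_QUERY), $fromQuery);
    echo $location, "\n";
    var_dump($fromQuery['Pass'] === '100%'); // true: the '%' survives as data
} elseif (isset($_POST['Company'])) {
    header('Location: ' . (portalRedirect($_POST) ?? 'cportal.php'));
    exit;
}
```

Run from the command line it prints the two encodings and the parse results; under a web server it performs the redirect. Credentials placed in a query string still end up in the web server's access log and the browser history, so handing them over in a POST body or a server-side session is the safer design.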