
Visitors of form.php submit a form with a foo value that should be a or b.

The form is processed on redirect.php, which should send them right away (PHP header refresh) to a destination according to their foo value, while displaying a "redirecting you, please wait" message.

I've had a visitor complaining that he was seeing the message but the redirection never occurred, so I've patched up the following JavaScript in order to handle such an event, giving the user an option to manually get to the destination if he wasn't redirected for over 3 seconds.

Are there any vulnerabilities in the method that I'm planning to use? Is it a good way to handle this? (Also, do you see anything wrong in general with the whole code?)

I would rather use something server-side to display such a message (as I don't want a user who is not being delayed to be able to view the source and see the destination, which is otherwise only sent in the header), but as far as I understand it is impossible.

<?php
// Default destination when no foo parameter was posted at all.
$url = "could-not-get-a-foo-parameter-at-all-error-monitoring-page.html";

if(isset($_POST['foo'])){

    // Only the two allow-listed values map to an external destination.
    switch ($_POST['foo']) {

    case "a":
        $url = "http://www.aaa.com/";
        break;

    case "b":
        $url = "http://www.bbb.com/";
        break;

    default:
        $url = "foo-parameter-exists-but-is-wrong-error-monitoring-page.html";
        break;
    }
}

// Sent before any output, so PHP can still add the header to the response.
header( "refresh:0;url=$url" );

?>
<!doctype html>
<html>
<head>

<style>
.message {
   color:blue;
}
.red {
   color:red;
}
</style>
</head>
<body>
<div class="message">Redirecting, Please hold on...</div>
<div id="targetElement" class="red"></div>

<!-- A non-JavaScript type keeps the browser from executing this block; it is only read as a template. -->
<script id="blockOfStuff" type="text/template">
<a href="<?php echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); ?>">Click here to be manually redirected</a>
</script>

<script>
// If we are still on this page after 3 seconds, show the manual link.
var myVar=setTimeout(function(){myTimer()},3000);

function myTimer() {
var div = document.createElement('div');
div.setAttribute('class', 'someClass');
div.innerHTML = document.getElementById('blockOfStuff').innerHTML;
document.getElementById('targetElement').appendChild(div);
}
</script>
</body>
</html>
Braiam
rockyraw

2 Answers


There shouldn't be any need for the Javascript in the first place. Instead of making a JS patch, you should try to find the problem with the PHP logic. Also, on this page, you shouldn't need any HTML / CSS either, the redirect should happen right away, before anything on the page loads. For PHP redirects like this, I usually use

header("Location: $url");

You should also check the scope of your variables. If there's more code going on that you didn't post, it's possible that the $url variable has a scope which isn't accessible in the redirect.

Bradley4
  • 1. If I had been aware of a problem with the current PHP, I would have tried to change the code of course, so I'm not sure what you mean by "you should try" to find a problem. 2. What makes you rule out with confidence that I shouldn't use any HTML/CSS? A redirect can sometimes take several long seconds before the client sees new content from the redirected URL. If the client would see just a blank screen as you suggest during that time period, he could think there's something wrong and exit the website. I see this as a major concern, so this is how I address it. – rockyraw Sep 24 '14 at 00:16

while displaying a "redirecting you, please wait" message.

Do they really need this? Header 'refresh' can be (for example) unsupported by the browser or other software. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html - not listed here + 'Refresh' HTTP header

Add a meta tag (but, for example, http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/meta-refresh-causes-additional-http-requests.aspx) if you want to do so (JavaScript could also be disabled) or use a regular redirect, without an HTML page:

header('Location: ' . $url);
exit;

ps: if you have working javascript then why do you ask user to click on the link if you can redirect him by yourself?

setTimeout(function(){myTimer()},3000);

can be replaced with

setTimeout(myTimer, 3000);
Cheery
  • 1. By "do they really need it" do you mean to ask why I'm not using a direct link instead of a redirect? I need to have this redirection for several "tactical" reasons, so a regular link is out of the question. 2. As long as the refresh I'm using is supported by the browsers who dominate over 99% of the market (isn't it?), it's enough for me. 3. People with disabled JavaScript are not a concern for me, as they won't be able to see the pages they are being redirected to anyway. 4. I am trying to redirect them myself with this PHP code, do you mean I should use a java redirect as a fallback? – rockyraw Sep 24 '14 at 00:10
  • "do you mean I should use a java redirect as a fallback" instead of creating the link to click you can just set location to a new url. – Cheery Sep 24 '14 at 00:12
  • If you mean a PHP location, as far as I can remember, it would be impossible to draw HTML/CSS during the redirect if using this method. see my considerations regarding this on my comment to Bradley4. – rockyraw Sep 24 '14 at 00:18
  • @rockyraw I meant setTimeout(function(){window.location.href=''}, 3000); – Cheery Sep 24 '14 at 00:19
  • I would have to think about that. the first thing that comes to mind is that with a manual link, the user feels he has some control over what's going on in case something is wrong. and maybe the PHP refresh is already at work but it takes some time, so the user himself can decide whether he wants to initiate that fallback link or not. or maybe two simultaneous refreshes can even cause some other type of problem? – rockyraw Sep 24 '14 at 00:25
  • @rockyraw But you are already trying to redirect user without js anyway )) – Cheery Sep 24 '14 at 00:26
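Putting the thread's points together, as an added example that is none of the participants' code: the foo value is still matched against an allow-list, the Refresh header from the question stays the primary mechanism, the URL is escaped once per output context, and after 3 seconds the JavaScript fallback from Cheery's last comments both shows the link and navigates itself. It assumes PHP 7 or later; the destination hostnames are constructed placeholders.

```php
<?php
// Added example (not the asker's or answerers' code). Assumes PHP 7+.
// Destinations are constructed placeholders; only allow-listed keys
// ever reach a remote URL, so posted input never becomes a redirect target.
$destinations = [
    'a' => 'http://www.aaa.com/',
    'b' => 'http://www.bbb.com/',
];

$foo = $_POST['foo'] ?? null;
if ($foo === null) {
    $url = 'could-not-get-a-foo-parameter-at-all-error-monitoring-page.html';
} elseif (is_string($foo) && isset($destinations[$foo])) {   // foo[]=x posts an array
    $url = $destinations[$foo];
} else {
    $url = 'foo-parameter-exists-but-is-wrong-error-monitoring-page.html';
}

// Primary mechanism from the question: redirect via the Refresh header,
// sent before any output so PHP can still add it to the response.
header('Refresh: 0; url=' . $url);

// Escape once per output context: HTML attribute and JavaScript string literal.
$urlHtml = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
$urlJs   = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>
<!doctype html>
<html>
<head><meta charset="utf-8"></head>
<body>
<div class="message">Redirecting, please hold on...</div>
<div id="fallback"></div>
<script>
var url = <?= $urlJs ?>;
setTimeout(function () {
    // Still on this page after 3 s: the Refresh header was ignored or is slow.
    // Offer a manual link, then navigate ourselves, as suggested in the comments.
    var a = document.createElement('a');
    a.href = url;
    a.textContent = 'Click here if you are not redirected';
    document.getElementById('fallback').appendChild(a);
    window.location.href = url;
}, 3000);
</script>
<noscript><a href="<?= $urlHtml ?>">Click here to continue</a></noscript>
</body>
</html>
```

The destination is visible in the page source here, exactly as it is in the question's own script template, so this fallback gives up nothing the original did not already expose.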