header() not working in php when the url contains parameters?

Question

So I'm using $_GET to capture the URL to use it later but when I use $_GET it wont redirect!

So here's my sample code: URL : http://localhost/project/active.php/?s=ieugfshd&h=qwuyrbcq&i=1

php code:

<?php
include 'init.php';
$s = trim($_GET['s']);
$h = trim($_GET['h']);
$i = trim($_GET['i']);
$q = key_check($s,$h,$i);
if($q == 1)
{
header("location:password_active.php");
exit;
}
if($q == 0)
{
header("location:login_failed.php");
exit;
}
?>

EDIT:
key_check( ) function

function key_check($k1,$k2,$id)
{
$query = mysql_query("select key1 from users where user_id = '$id'");
$key1 =mysql_result($query,0);
$query = mysql_query("select key2 from users where user_id = '$id'");
$key2 =mysql_result($query,0);
$y=strcmp($k1,$key1);
$z=strcmp($k2,$key2);
if($y || $z == 0)
{
return 1;
}
else
{
return 0;
}
}

Now when I try this, I got "1" but I'm getting

This web page has a redirect loop

But my password_active.php doesn't have any redirects. It's just an html page.

i think the problem is $q is neither having 1 nor 0 can you print $q value and check actually what is comming? — Alive to die - Anant, May 13 '15 at 21:28
he included a file, maybe it's a function defined in that file? — Alive to die - Anant, May 13 '15 at 21:36
@anantkumarsingh: of course it may be defined in that file, the problem here is that the author can't expect us to guess the behavour of his/her functions. — Benoit Esnard, May 13 '15 at 21:45
@anantkumarsingh Yeah, I can print and it's showing the correct value according the logic but i can't understand why header( ) is not working! — SkrewEverything, May 13 '15 at 21:46
@AbraCadaver key_check( ) is just a function which checks with database. — SkrewEverything, May 13 '15 at 21:47
@harish can you post the source code of that function ? We need to check the return value. — Benoit Esnard, May 13 '15 at 21:48
Soo, sad nobody mentioned that `mysql_*` functions are deprecated. — VeeeneX, May 13 '15 at 22:13
@harish You are risking [mysql injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — VeeeneX, May 13 '15 at 22:16

Benoit Esnard · Accepted Answer · 2015-12-29T01:50:24.257

The URL you're using to access to your script is:

http://localhost/project/active.php/?s=ieugfshd&h=qwuyrbcq&i=1

This loads active.php, which does its role and then tries to send the following header :

header("location:password_active.php");

The browser recieves this header, and tries to resolve that relative URL by adding password_active.php after the last slash before the query string (that ?s=xxx string).

So your browser loads:

http://localhost/project/active.php/password_active.php?s=ieugfshd&h=qwuyrbcq&i=1

This loads active.php again, which does its role again and then send again the same header, and that loads this page:

http://localhost/project/active.php/password_active.php?s=ieugfshd&h=qwuyrbcq&i=1

Again. And again. And again. After several tries, your browser understands that something is going wrong and stops.

You should use an absolute URL in your HTTP header:

header("Location: /project/password_active.php");

Also, please note how HTTP headers should be written, according to the standard.

Random notes :

According to the file names, $s and $h are both passwords. You should hash them, and not passing them via the URL.
if($y || $z == 0) is unlikely to work as you think, since it will be evaluated as if y or not z in pseudo code, while you may have wanted if not y and not z for password checking.

Also, good point for calling exit() after a Location header. You should never forget that, as it is very important and may cause some trouble in your scripts if you forget them.

@harish added some tips to my answer. Not directly related to your problem, but still a good thing to read I think. — Benoit Esnard, May 13 '15 at 22:38

score 1 · Answer 2 · answered May 13 '15 at 21:27

1

Try removing / after file.php. Like index.php?i=sa

answered May 13 '15 at 21:27

hengecyche

299
1
2
16

header() not working in php when the url contains parameters?

2 Answers2