1

Is it possible to detect a redirect in PHP, if the redirect was to itself?

In brief: can I add a line or two of code to the top of my page to first check if the page is a redirect? If it is, act on it?

PHP Final line executed on submit

header("Location: " . $_SERVER['REQUEST_URI']);

HTML Form

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>?submit=true" method="POST">

Still green with PHP, so learning little by little. Basically I need to control some variables if the page was redirected but only if.

Martin
Lewis
  • 2
    Don't use `PHP_SELF` it's easily compromised. – Martin Apr 20 '16 at 10:57
  • 2
    and add an `exit` after your Location header. – Martin Apr 20 '16 at 10:58
  • @Martin: It is only a simple email form. No database and no variables are being passed through the URL. – Lewis Apr 20 '16 at 10:58
  • even so, PHP_SELF can still be compromised as it simply takes the URL as presented to the user, it can have all sorts of GET statements added to it – Martin Apr 20 '16 at 10:59
  • What are you trying to achieve? Whatever you're doing, this probably isn't the proper way to do it. – Rai Apr 20 '16 at 10:59
  • If you want a form to execute on the same page you can just leave the `action` out, there is no use for it. – Tom Apr 20 '16 at 10:59
  • 2
    You can try to sniff through headers with `headers_list()` function to detect if there was a `'Location: ...'` header there on current script. – BlitZ Apr 20 '16 at 10:59
  • The goal is simply to stop resubmission of the form on page refresh. If possible I don't want to redirect at all. But I can't figure out a simple solution. I've read it's better to either use ajax or redirect. – Lewis Apr 20 '16 at 11:01
  • 3
    @Beaniie http://stackoverflow.com/a/2134003/2883346 – Rai Apr 20 '16 at 11:03
  • @Rai: Aren't sessions a little overkill for a simple form? – Lewis Apr 20 '16 at 11:05
  • 1
    I think your comment re: sessions being overkill imparts a great amount that you don't really seem to understand programming with PHP, as in, you are not understanding the *potentials* that exist, you perhaps are only seeing what you would do rather than seeing what anyone and everyone else *might* do with your form? Sessions are very easy, fairly straightforward and relatively secure. Use them. – Martin Apr 20 '16 at 11:16
  • @Beaniie Token/session system would be the best approach to this. Someone could easily abuse your refresh prevention system by not passing the referer header. – Rai Apr 20 '16 at 11:19
  • Leave `action` out of your form and add `name="submit"` to your submit button... that way you will have your `?submit=sendOrSomething` at your url to GET later. – SparK Apr 20 '16 at 12:56

2 Answers

2

If you want to prevent form resubmission on page refresh, then your solution really, really should be to POST the form data to another page that saves the data and then uses a `header("Location:...)` back to the form. The user will be none the wiser and the refreshing of the form page will never cause a resubmission.

As a bonus this would also mean you would no longer need to use `PHP_SELF`. As a piece of bonus advice, it's usually far better to use `"http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']` as `PHP_SELF` can have extra data added by the browser / user which can cause you issues.

It is also worth reading up on how to defend yourself against CSRF attacks.

Martin
  • I don't understand your comment? If you have an issue with using another file, that's your prerogative rather than the industry standard or the allowances of the code. – Martin Apr 20 '16 at 11:13
  • There is so much information on the subject an industry standard simply isn't apparent to a greenhorn. I did originally build the PHP script in a separate document, however many separate sources mention referencing `($_SERVER["PHP_SELF"]);`. – Lewis Apr 20 '16 at 11:20
  • 1
    They are poor sources. The more popular a language (or anything) becomes, the more people who *think* they know, will use things they heard from someone else who *thinks* they know. I would very politely underline that PHP_SELF should not be used, and the same data can be used *more securely* from the code I have written in my answer. Also, please take a good read of the CSRF link, that stuff is an extremely potent (and relatively easy to fix) issue many good programmers fail to comprehend. Even YouTube suffered from it. @Beaniie – Martin Apr 20 '16 at 11:23
  • Understood and acknowledged, I'll read up and revise my solution testing an implementation with your answer. – Lewis Apr 20 '16 at 11:26
  • If you must, must (really must), use the same page, use `isset($_POST["something_from_the_form"])` to know it was submitted. – SparK Apr 20 '16 at 12:58
  • @SparK `isset` is simply not-null so `!empty` is probably more useful in checking that it's been submitted and that it actually contains data. Typically it's best to run this on the submit button as that has a fairly static content – Martin Apr 20 '16 at 13:23
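
The Post/Redirect/Get flow with a one-time session token that the answer and comments above recommend, as an added example that is not code from any poster in this thread. The file name `contact.php`, the constant `FORM_URL` and the session keys `form_token` and `flash` are assumptions; for brevity one script serves both the form and the handler, and the POST branch can equally live in the separate file the answer suggests.

```php
<?php
// Added example (not from the thread). Assumed file name: contact.php.
declare(strict_types=1);
session_start();

// Assumption: a fixed path, never built from PHP_SELF or REQUEST_URI.
const FORM_URL = '/contact.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent   = $_POST['token'] ?? '';
    $stored = $_SESSION['form_token'] ?? '';
    // One-time token: consume it first so a refresh or replayed POST fails.
    unset($_SESSION['form_token']);

    if (is_string($sent) && $stored !== '' && hash_equals($stored, $sent)) {
        $message = is_string($_POST['message'] ?? null) ? trim($_POST['message']) : '';
        // ... validate $message and send the e-mail here ...
        $_SESSION['flash'] = 'Message sent.';
    } else {
        $_SESSION['flash'] = 'Form expired or already submitted.';
    }

    // Post/Redirect/Get: a 303 makes the browser follow up with a GET.
    header('Location: ' . FORM_URL, true, 303);
    exit; // nothing after the redirect header may run
}

// GET: "did I arrive here after a submit?" is answered from server-side
// state, not from the Referer header, which the client controls or omits.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);

// Fresh token per rendered form; it doubles as the CSRF token.
$_SESSION['form_token'] = bin2hex(random_bytes(32));
?>
<!doctype html>
<title>Contact</title>
<?php if ($flash !== null): ?>
<p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form action="<?= htmlspecialchars(FORM_URL, ENT_QUOTES, 'UTF-8') ?>" method="POST">
    <input type="hidden" name="token"
           value="<?= htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') ?>">
    <textarea name="message"></textarea>
    <button type="submit" name="submit" value="send">Send</button>
</form>
```

Because the token is regenerated on every GET, a form left open in a second tab will be rejected as expired once another copy has been rendered.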
2

Put this in your script and have a look at its content:

<pre>
<?php print_r($_SERVER); ?>
</pre>

This way you can find out which keys contain what, see which index has the referer (or not), and write your if condition.

You can use `$_SERVER['HTTP_REFERER']` to get the referer, like:

if (isset($_SERVER['HTTP_REFERER'])) {
    // Rebuild the URL of the current request to compare against the referer
    $cur_p = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    if ($_SERVER['HTTP_REFERER'] == $cur_p) {
        // add the code to run when the current URL equals the referer
    }
}

But the HTTP_REFERER index is not always set, so you can also use JavaScript, like:

if(document.referrer == location.href){
    //add your code
}

Let me know if this was helpful.

  • Sorry, but this is not an answer. This should be a comment (although I realise you don't have the rep to comment, yet) – Martin Apr 20 '16 at 11:33
  • This is the same as I told you: print the server array variable to see all the indexes and find which index has the referer URL. You can get the value from that index; if no index is found or it is empty, it means there is no referer. – Vishal Garg Apr 20 '16 at 11:52
  • This is not the same, as the link references what the values are and what they mean. Also please add this further information in your comment to the answer, to make it more like an answer! – Martin Apr 20 '16 at 11:53
  • 1
    You can use `$_SERVER['HTTP_REFERER']` to get the referer, like `if(isset($_SERVER['HTTP_REFERER'])){ $cur_p="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; if($_SERVER['HTTP_REFERER']==$cur_p){ add your code here } }` but the HTTP_REFERER index is not always set, so you can also use JavaScript: `if (document.referrer == location.href) { add your code }`. Let me know if this was helpful. – Vishal Garg Apr 20 '16 at 12:14
  • Edit your answer and put these comment details into your answer. Makes them easier to read. – Martin Apr 20 '16 at 12:21