0

I have two PHP files:

1.php

<?php
// 1.php
...  header("Location: 2.php?id=1");
     exit; // stop running after sending the redirect
?>

2.php

<?php
// 2.php
... echo htmlspecialchars($_GET['id'] ?? '', ENT_QUOTES, 'UTF-8'); // escape user input before output
?>

URL from 1.php to 2.php is: http://localhost/2.php?id=1

My question: is it possible to validate where the GET request is coming from and accept it only if it comes from 1.php? But if someone changes the id value in the address bar, then ignore it? Something with $_SERVER['HTTP_REFERER'], but I'm not sure.

Klapsius
  • 3,273
  • 6
  • 33
  • 56
  • `HTTP_REFERER` is the right answer, but it is easily spoofed by the client, and can be altered or blanked out by firewalls and proxies, so it's totally unreliable. Also, what do you propose to do if the user is sitting on your `2.php` page and hits the refresh key? As a user, I'd expect that to work, but your idea would mean it wouldn't. Not great for the end user. – Simba Jun 13 '16 at 14:21
  • @Simba `HTTP_REFERER` shouldn't be relied upon and here's why http://stackoverflow.com/a/6023980/ – Funk Forty Niner Jun 13 '16 at 14:27
  • *"Is it possible ... and accept only if from coming 1.php"* - Yes, with `stripos()` http://php.net/manual/en/function.stripos.php and checking what method is used. – Funk Forty Niner Jun 13 '16 at 14:29
  • @Fred-ii- - yes, that's what I said. It's unreliable. – Simba Jun 13 '16 at 14:32
  • @Simba Ah yes, indeed ;-) – Funk Forty Niner Jun 13 '16 at 14:33
  • So you switched answers to accept. [Mine's better.](http://stackoverflow.com/questions/37792056/php-accept-get-method-only-from-specific-page#comment63050925_37792056) *lol* – Funk Forty Niner Jun 13 '16 at 14:37

2 Answers

4

Is it possible to validate where get method coming from and accept only if from coming 1.php.

Not reliably.

But if someone in address bar changing id values then ignore?

Find something else to test against. (e.g. is this a user who is logged in and authorised to view the page with that id?).

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • Lordie, what's up with that suggested edit? http://stackoverflow.com/review/suggested-edits/12672987 - Edit: I myself rejected it. – Funk Forty Niner Jun 13 '16 at 14:34
0

The simple answer is no. $_SERVER['HTTP_REFERER'] is often disabled by browsers and is easily spoofed.

You can do something close to your requirement:

<?php
 //1.php
 function generateKeyBasedOnId($id) {
     // the secret string is the only part an attacker must not know
     return md5('my very secret'.$id.' string');
 }
 $id = 1;
 $key = generateKeyBasedOnId($id);
 header("Location: 2.php?id=$id&key=$key");
 exit; // stop running after sending the redirect
?>

You can write the generateKeyBasedOnId() function however you want to, but you are the only one who should know the algorithm. (For example: return md5('my very secret'.$id.' string');)

<?php
//2.php
// generateKeyBasedOnId() must be the same function as in 1.php (e.g. from a shared include)
$id  = $_GET['id']  ?? '';
$key = $_GET['key'] ?? '';
// constant-time comparison of the expected key against the one supplied
if (!hash_equals(generateKeyBasedOnId($id), $key)) {
   //error
}
?>

Of course, if someone copies and pastes the URL 2.php?id=..&key=..., it will still work. You can hide the key in a cookie, but it is still easily spoofable.

You can also generate a random key, save it in the database, read it in 2.php and, if it exists, immediately delete it. So the key can be used only once. But if someone catches your header redirect, he could still (theoretically) take it and use it in a different browser in a different country ...

Petr
  • 1,159
  • 10
  • 20
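
As an added example (not code from the question or from either answer), here is Petr's "key derived from the id" idea carried through with the pieces a practitioner would want: an HMAC over the id, an expiry time and a random nonce instead of md5 of a static string, a constant-time comparison, and single-use enforcement by remembering consumed nonces in the session. It assumes a server-side secret in an `APP_LINK_SECRET` environment variable and a 5-minute lifetime (`TOKEN_TTL`); `currentUserMayView()` in the comments is a hypothetical application function standing in for the authorization check Quentin's answer recommends, which this scheme does not replace.

```php
<?php
// Added example: signed, expiring, single-use link parameters for 1.php -> 2.php.
// Not from the original post. Assumes APP_LINK_SECRET is set in the server environment.
declare(strict_types=1);

const TOKEN_TTL = 300; // seconds a link stays valid (assumed value)

function secret(): string {
    $s = getenv('APP_LINK_SECRET'); // assumption: configured outside the code
    if ($s === false || strlen($s) < 32) {
        throw new RuntimeException('APP_LINK_SECRET must be set (at least 32 bytes)');
    }
    return $s;
}

// 1.php side: build the redirect target for $id. The MAC covers id, expiry and nonce,
// so changing any of them in the address bar invalidates the key.
function buildSignedUrl(int $id): string {
    $exp   = time() + TOKEN_TTL;
    $nonce = bin2hex(random_bytes(16));
    $mac   = hash_hmac('sha256', "$id|$exp|$nonce", secret());
    return '2.php?' . http_build_query(['id' => $id, 'exp' => $exp, 'nonce' => $nonce, 'key' => $mac]);
}

// 2.php side: return the id only if the query string is authentic, unexpired and unused.
// $used is the per-user store of consumed nonces (e.g. $_SESSION['used_nonces']).
function verifySignedRequest(array $query, array &$used): ?int {
    foreach (['id', 'exp', 'nonce', 'key'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null; // missing or malformed parameter
        }
    }
    if (!ctype_digit($query['id']) || !ctype_digit($query['exp']) || !ctype_xdigit($query['nonce'])) {
        return null;
    }
    $expected = hash_hmac('sha256', "{$query['id']}|{$query['exp']}|{$query['nonce']}", secret());
    // Constant-time compare so the MAC cannot be recovered byte by byte from timing.
    if (!hash_equals($expected, $query['key'])) {
        return null;
    }
    if ((int)$query['exp'] < time()) {
        return null; // link expired
    }
    if (isset($used[$query['nonce']])) {
        return null; // replay: this nonce was already consumed
    }
    $used[$query['nonce']] = true; // consume it: the link works exactly once
    return (int)$query['id'];
}

// How the two pages would use it (session_start() on both sides):
//   1.php: header('Location: ' . buildSignedUrl(1)); exit;
//   2.php: $_SESSION['used_nonces'] ??= [];
//          $id = verifySignedRequest($_GET, $_SESSION['used_nonces']);
//          if ($id === null)                 { http_response_code(403); exit; }
//          if (!currentUserMayView($id))     { http_response_code(403); exit; } // hypothetical authz check
//          echo htmlspecialchars((string)$id, ENT_QUOTES, 'UTF-8');

// Command-line self-check with a constructed secret (demo only, never a real deployment value).
if (PHP_SAPI === 'cli') {
    putenv('APP_LINK_SECRET=' . str_repeat('x', 32));
    $used = [];
    parse_str(substr(buildSignedUrl(1), strlen('2.php?')), $q); // same shape as $_GET
    echo verifySignedRequest($q, $used) === 1 ? "first use: accepted\n"   : "first use: rejected\n";
    echo verifySignedRequest($q, $used) === null ? "replay: rejected\n"  : "replay: accepted\n";
    $q['id'] = '2'; // tamper with the id as the asker described
    echo verifySignedRequest($q, $used) === null ? "tampered id: rejected\n" : "tampered id: accepted\n";
}
```

The signed link stops casual tampering and one-shot replay, but anyone who obtains the full URL before it is used can still follow it, which is why the id must additionally be checked against the logged-in user's permissions in 2.php rather than trusted because the key verified.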