Most browsers work fine with relative URLs in the Location header. The spec says it has to be absolute, though, and a few browsers require it.
On Wed, 21 Jul 2004 15:11:37 -0400, Jonathan Haddad <[EMAIL PROTECTED]> wrote:
> I've seen it work with a relative URL, which surprised me, because until
> I had seen that I would have agreed with you.
>
> Jon
>
> Chris Shiflett wrote:
>
> >--- Arnout Boks <[EMAIL PROTECTED]> wrote:
> >
> >>header('Location: ' . urlencode('loginForm.php?error=Incorrect password'));
> >
> >The Location header requires an absolute URL. Also, this is the header you
> >are sending:
> >
> >Location: loginForm.php%3Ferror%3DIncorrect+password
> >
> >I doubt that's the URL you meant. URL encode the value of URL variables,
> >not the entire URL.
> >
> >Lastly, I hope you're not blindly displaying $_GET['error'] on your
> >loginForm.php page, otherwise you have a cross-site scripting
> >vulnerability.
> >
> >Hope that helps.
> >
> >Chris
> >
> >=====
> >Chris Shiflett - http://shiflett.org/
> >
> >PHP Security - O'Reilly
> >     Coming Fall 2004
> >HTTP Developer's Handbook - Sams
> >     http://httphandbook.org/
> >PHP Community Site
> >     http://phpcommunity.org/

--
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--
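
An added example, not code from anyone in this thread, of the two points raised above: put only the encoded query value inside an absolute Location URL, and escape $_GET['error'] before it is displayed. The base URL, the function names and the sample value are assumptions made for illustration.

```php
<?php
// Added example. APP_BASE_URL, redirect_url() and render_error() are
// hypothetical names; they are not part of the original poster's code.

// Fixed, configured origin (assumed value). Deriving it from
// $_SERVER['HTTP_HOST'] would let a client-supplied Host header decide
// where the redirect points.
const APP_BASE_URL = 'https://www.example.com/app/';

/** Build an absolute URL; only query keys and values are percent-encoded. */
function redirect_url(string $page, array $params = []): string
{
    // Accept a plain script name only, so a caller cannot pass "//host/..."
    // or CR/LF characters into the header value.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $page)) {
        throw new InvalidArgumentException('unexpected redirect target');
    }
    $url = APP_BASE_URL . $page;
    if ($params !== []) {
        // The "?" and "=" separators stay literal; the values are encoded.
        $url .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return $url;
}

/** Escape an untrusted request value for an HTML text context. */
function render_error(?string $raw): string
{
    if ($raw === null || $raw === '') {
        return '';
    }
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $safe . '</p>';
}

// Login handler side: this is the value to send as the Location header,
// e.g. header('Location: ' . $location); exit;
$location = redirect_url('loginForm.php', ['error' => 'Incorrect password']);
echo $location, "\n";

// loginForm.php side: constructed hostile value standing in for $_GET['error'].
$sample = '<script>alert(1)</script>';
echo render_error($sample), "\n";
```

Passing a short error code in the query string and mapping it to fixed message text on loginForm.php avoids echoing request data at all.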