Hi all.
I have a site where I include pages within pages. Well, for some of
the pages I want the user to be logged in, while others I don't care.
I'm doing something that I thought was not allowed by the header()
function.
<!-- index.php -->
<html>
<head>...</head>
<body>
<?
if ($subPage =
2006/5/30, Philip Thompson [EMAIL PROTECTED]:
<?
if ($subPage = $_GET['page'])
include ($subPage);
?>
Are you checking what the user is sending inside $_GET['page']? If not, your
system is vulnerable to a remote file injection.
Yes, I do tests to make sure that the file actually exists and what
not. I have just simplified my code for this example
~PT
On May 30, 2006, at 11:27 AM, Martin Alterisio wrote:
2006/5/30, Philip Thompson [EMAIL PROTECTED]:
<?
if ($subPage = $_GET['page'])
include ($subPage);
?>
Are
Philip Thompson wrote:
As you can see, by the time that index.php includes the subpage, it
has already outputted HTML. According to using the header() function,
you are not allowed to output any HTML *before* using header().
However, I am doing this and it is redirecting fine.
I have
Ok, I have modified my code a little bit. Stut, yes, output buffering
was on by default (4096). I *think* this will work. It appears to be
the same as before - still redirecting appropriately:
<!-- index.php -->
<? ob_start(); ?>
<html>
<head>...</head>
<body>
<?
include ($subPage);
ob_end_flush();
?>
As you can see, by the time that index.php includes the subpage, it
has already outputted HTML. According to using the header() function,
you are not allowed to output any HTML *before* using header().
However, I am doing this and it is redirecting fine.
You can also always use the old
Philip Thompson wrote:
Ok, I have modified my code a little bit. Stut, yes, output buffering
was on by default (4096). I *think* this will work. It appears to be
the same as before - still redirecting appropriately:
<!-- index.php -->
<? ob_start(); ?>
<html>
<head>...</head>
<body>
<?
include ($subPage);
On May 30, 2006, at 12:52 PM, Stut wrote:
Philip Thompson wrote:
Ok, I have modified my code a little bit. Stut, yes, output
buffering was on by default (4096). I *think* this will work. It
appears to be the same as before - still redirecting appropriately:
<!-- index.php -->
<? ob_start();
Philip Thompson wrote:
On May 30, 2006, at 12:52 PM, Stut wrote:
Philip Thompson wrote:
Ok, I have modified my code a little bit. Stut, yes, output buffering
was on by default (4096). I *think* this will work. It appears to be
the same as before - still redirecting appropriately:
<!--
Philip Thompson wrote:
I was under the impression that if ob_end_flush() was not called, then
there would be a memory leak. Is this not the case?
No, it's not. All output buffers are flushed in the reverse order of
opening when the script ends.
From http://us3.php.net/ob_start :
Output
Your theory is wrong.
The correct answer is that somebody turned output_buffering ON in
php.ini (or .htaccess) so the output is not really sent until the
script finishes (up to 4096 chars).
On Tue, May 30, 2006 11:08 am, Philip Thompson wrote:
Hi all.
I have a site where I include pages
On Tue, May 30, 2006 1:21 pm, Philip Thompson wrote:
On May 30, 2006, at 12:52 PM, Stut wrote:
Philip Thompson wrote:
Ok, I have modified my code a little bit. Stut, yes, output
buffering was on by default (4096). I *think* this will work. It
appears to be the same as before - still
Hi,
I have a PHP script that uses the following code to redirect to a page of the user's
choice:
header("Location: http://www.mypage.net/");
In examples of this type of coding in various scripts, the above line is always
followed by the statement:
exit;
I am wondering why. When executing
More than likely not. Putting an exit statement after a header redirect
is just good practice and ensures that nothing gets executed after
redirecting.
Mike
Don wrote:
Hi,
I have a PHP script that uses the following code to redirect to a page of the user's
choice:
header(Location:
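
Added example (not code from any poster in this thread): one way to combine the points raised above, resolving the `page` parameter against a fixed allowlist instead of passing it to `include`, making the login decision before any HTML is sent, and calling `exit` after the `Location` header. The page names, the `pages/` directory, `/login.php` and the `user_id` session key are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Page names, file paths and the
// session key 'user_id' are assumptions for illustration.

// Allowlist: request value => [file under pages/, login required?]
const PAGES = [
    'home'    => ['home.php', false],
    'about'   => ['about.php', false],
    'account' => ['account.php', true],
];

// Decide what to do before any output is sent.
// Returns ['include', path], ['redirect', url] or ['notfound', null].
function resolvePage(?string $requested, bool $loggedIn, string $baseDir): array
{
    $key = $requested ?? 'home';
    // Only exact allowlist keys are accepted; the request value is never
    // used as a path, so URLs and "../" sequences cannot reach include.
    if (!array_key_exists($key, PAGES)) {
        return ['notfound', null];
    }
    [$file, $needsLogin] = PAGES[$key];
    if ($needsLogin && !$loggedIn) {
        return ['redirect', '/login.php'];
    }
    return ['include', $baseDir . '/' . $file];
}

session_start();
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
[$action, $target] = resolvePage($page, !empty($_SESSION['user_id']), __DIR__ . '/pages');

if ($action === 'redirect') {
    header('Location: ' . $target);
    exit; // nothing after the redirect may run or be sent
}
if ($action === 'notfound') {
    http_response_code(404);
    exit('Page not found');
}
?>
<html>
<head>...</head>
<body>
<?php include $target; ?>
</body>
</html>
```

Because the redirect decision is made before the first byte of HTML, this layout does not depend on `output_buffering` being enabled in php.ini.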