Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 8 of 8
  1. #1
    Regular Coder
    Join Date
    Mar 2011
    Posts
    164
    Thanks
    7
    Thanked 0 Times in 0 Posts

    How to sanitize submitted value before header function?

    I am trying to follow this tutorial and yeah, I dont know too much about PHP.

    I'm sort of hoping that it isn't too difficult to "sanitize the submitted value before passing it to the header function to prevent header injection attacks."

    The tutorial is here

    This is to have an unobtrusive dropdown list without using javascript (which I prefer):

    Code:
    <form id="page-changer" action="" method="post">
        <select name="nav">
            <option value="">Go to page...</option>
            <option value="http://css-tricks.com/">CSS-Tricks</option>
            <option value="http://digwp.com/">Digging Into WordPress</option>
            <option value="http://quotesondesign.com/">Quotes on Design</option>
        </select>
        <input type="submit" value="Go" id="submit" />
    </form>
    There is no JavaScript - the form is given an ID to be targeted later. The form now POSTs to itself, and we have added a submit button, so the form is functional. The select now has a name value, so when the submit button is pressed, it will POST a value.

    At the very top of our page, we'll check for a POST value from that form. If it is there, we'll redirect the page to that value.

    Code:
    <?php
    	if (isset($_POST['nav'])) {
    		 header("Location: $_POST[nav]");
    	}
    ?>
    Then - my question!

    Chris Coyier goes on to say (the guy that wrote the post) -

    NOTE: this is just the way-simplified PHP. You should probably sanitize that submitted value before passing it to the header function (esp. if running PHP prior to 4.4.2 or 5.1.2) to prevent "header injection" attacks.

    So - how is that done? THANKS for reading this.

  • #2
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,633
    Thanks
    0
    Thanked 649 Times in 639 Posts
    So the field is only allowed to have three specific values - to sanitize it you check that the value is one of those three -

    Code:
    <?php
    	if (isset($_POST['nav'])) {
                   if ($_POST['nav'] == "http://css-tricks.com/" ||
                       $_POST['nav'] == "http://digwp.com/" ||
                       $_POST['nav'] == "http://quotesondesign.com/")
    		 header("Location: $_POST[nav]");
    	}
    ?>
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • Users who have thanked felgall for this post:

    listerdl (01-26-2013)

  • #3
    Regular Coder
    Join Date
    Mar 2011
    Posts
    164
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by felgall View Post
    So the field is only allowed to have three specific values - to sanitize it you check that the value is one of those three -
    That's it?

    Wow! If so I just want to say that your the man. REALLY appreciate your help -

    Thanks bro.

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    I'd suggest a switch though. PHP is a string based language so it is primitive which means you can switch on the string. It simply allows for easier additions should you choose in the future:
    PHP Code:
    if (isset($_POST['nav']))
    {
        switch (
    $_POST['nav'])
        {
            case 
    "http://css-tricks.com/":
            case 
    "http://digwp.com/":
            case 
    "http://quotesondesign.com/":
                
    header('Location: ' $_POST['nav']);
                break;
            default:
                
    // in case you want to do something for every other condition.
        
    }

    exit() or die() should be called right after the header unless you want the remaining script to still continue processing. Issuing a header doesn't terminate the script run, it simply tells the browser to redirect to a new location.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #5
    Regular Coder
    Join Date
    Mar 2011
    Posts
    164
    Thanks
    7
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Fou-Lu View Post
    I'd suggest a switch though. PHP is a string based language so it is primitive which means you can switch on the string. It simply allows for easier additions should you choose in the future:
    PHP Code:
    if (isset($_POST['nav']))
    {
        switch (
    $_POST['nav'])
        {
            case 
    "http://css-tricks.com/":
            case 
    "http://digwp.com/":
            case 
    "http://quotesondesign.com/":
                
    header('Location: ' $_POST['nav']);
                break;
            default:
                
    // in case you want to do something for every other condition.
        
    }

    exit() or die() should be called right after the header unless you want the remaining script to still continue processing. Issuing a header doesn't terminate the script run, it simply tells the browser to redirect to a new location.
    Where would i put exit() or die() in this code?

    Thanks VERY MUCH by the way - I really appreciate your help. This is the only little bit of PHP within the project and you are really helping. Thanks

  • #6
    Regular Coder
    Join Date
    Mar 2011
    Posts
    164
    Thanks
    7
    Thanked 0 Times in 0 Posts
    in fact - i just realized something, i dont think this is going to work....

    the reason is b/c i have five dropdowns on the SAME page - so the sequence of this:

    Code:
    if (isset($_POST['nav']))
    {
        switch ($_POST['nav'])
        {
            case "http://css-tricks.com/":
            case "http://digwp.com/":
            case "http://quotesondesign.com/":
                header('Location: ' . $_POST['nav']);
                break;
            default:
                // in case you want to do something for every other condition.
        }
    }
    This ONLY applies to the top three dropdown choices for the dropdown list right? So if I have 5 dropdowns then I think Im out of gas - because each of the dropdows will have the same list as per the above PHP right? Is there a work around or should i just flip over to javascript?

    In other words, each dropdown has a unique list - so five dropdowns (on the same page) = five unique lists...

    Thanks

  • #7
    Regular Coder
    Join Date
    Mar 2011
    Posts
    164
    Thanks
    7
    Thanked 0 Times in 0 Posts
    OK - i think i solved it -

    I just make different classes of this

    Code:
    <select name="nav">

    so, the dropdowns are like this:


    Code:
    <select name="dropdown-1">
    Code:
    <select name="dropdown-2">
    Code:
    <select name="dropdown-3">
    Seems simple enough. I tested it and it works ok -

    Am i missing something?

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    I don't have a clue what it is you are talking about with multiple selects. So we cannot tell you if its right or not.
    exit would go where you want to halt processing. If you don't want to halt processing than you don't need to exit. If all select need to be processed, than you would not want to issue a die since you want to process all blocks before redirecting.
    If you have more options to select from, than simply add cases for them to match in the switch. That is what makes it so flexible, it is an if/elseif/else logic as it applies to a single item for comparison. It cannot perform non-equal comparisons though (but you can use the result of comparator type functions to use as a switch result).
    As for JS, it is "fun" to use it, but is unreliable for any validation. Any client controlled controlled language should automatically deem input as dirty when provided to a server side language. With something such as this issuing redirection to remote locations, I would not see a need to concern myself about client added in options, so JS is a potentially viable solution.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •