CodingForums.com > Server side development > PHP
#1 | listerdl | 01-26-2013, 02:07 AM
How to sanitize submitted value before header function?

I am trying to follow this tutorial and yeah, I don't know too much about PHP.

I'm sort of hoping that it isn't too difficult to "sanitize the submitted value before passing it to the header function to prevent header injection attacks."

The tutorial is here

This is to have an unobtrusive dropdown list without using javascript (which I prefer):

Code:
<form id="page-changer" action="" method="post">
    <select name="nav">
        <option value="">Go to page...</option>
        <option value="http://css-tricks.com/">CSS-Tricks</option>
        <option value="http://digwp.com/">Digging Into WordPress</option>
        <option value="http://quotesondesign.com/">Quotes on Design</option>
    </select>
    <input type="submit" value="Go" id="submit" />
</form>
There is no JavaScript - the form is given an ID to be targeted later. The form now POSTs to itself, and we have added a submit button, so the form is functional. The select now has a name value, so when the submit button is pressed, it will POST a value.

At the very top of our page, we'll check for a POST value from that form. If it is there, we'll redirect the page to that value.

Code:
<?php
    if (isset($_POST['nav'])) {
        header("Location: $_POST[nav]");
    }
?>
Then - my question!

Chris Coyier goes on to say (the guy that wrote the post) -

NOTE: this is just the way-simplified PHP. You should probably sanitize that submitted value before passing it to the header function (esp. if running PHP prior to 4.4.2 or 5.1.2) to prevent "header injection" attacks.

So - how is that done? THANKS for reading this.
#2 | felgall | 01-26-2013, 02:44 AM
So the field is only allowed to have three specific values - to sanitize it you check that the value is one of those three -

Code:
<?php
    if (isset($_POST['nav'])) {
        if ($_POST['nav'] == "http://css-tricks.com/" ||
            $_POST['nav'] == "http://digwp.com/" ||
            $_POST['nav'] == "http://quotesondesign.com/") {
            header("Location: $_POST[nav]");
        }
    }
?>
Stephen
Learn Modern JavaScript - http://javascriptexample.net/
Helping others to solve their computer problem at http://www.felgall.com/
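The allow-list idea in the reply above, written out as an added example (this is not code from the thread or from the CSS-Tricks tutorial it quotes). It keeps the three option URLs in an array, compares the submitted value against them strictly, and stops the script once the redirect header is sent. The function name chooseRedirect and the variable $allowedTargets are my own; the URLs are the ones from the form in post #1.

```php
<?php
// Added example, not code from the thread or the tutorial it quotes.
// The only destinations the "nav" select may send the browser to. These are the
// three <option> values from the form; anything that is not exactly one of them
// is refused, so nothing the client typed ever reaches the Location header.
$allowedTargets = [
    'http://css-tricks.com/',
    'http://digwp.com/',
    'http://quotesondesign.com/',
];

/**
 * Return the submitted value if it is exactly one of $allowed, otherwise null.
 *
 * $submitted is whatever came in through $_POST (or null when the field is
 * absent). is_string() rejects the array PHP builds from a "nav[]=..." body,
 * and the third argument to in_array() makes the comparison strict, so PHP's
 * loose handling of numeric-looking strings ("1e3" == "1000") cannot apply.
 */
function chooseRedirect($submitted, array $allowed)
{
    if (!is_string($submitted) || $submitted === '') {
        return null;            // missing field, or the "Go to page..." placeholder
    }
    return in_array($submitted, $allowed, true) ? $submitted : null;
}

$target = chooseRedirect(isset($_POST['nav']) ? $_POST['nav'] : null, $allowedTargets);

if ($target !== null) {
    // $target is one of our own literal strings, so it cannot carry the CR/LF
    // that a header-injection attempt depends on. exit() stops the rest of the
    // page from being generated after the redirect header has been sent.
    header('Location: ' . $target);
    exit();
}
// Nothing valid was posted: fall through and render the page with the form.
```

Adding a fourth destination means adding one line to $allowedTargets; the comparison code does not change. The exit() is the point the later replies in this thread raise: header() only queues a response header, it does not stop the script.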
#3 | listerdl | 01-26-2013, 03:06 AM
Quote (Originally Posted by felgall):
So the field is only allowed to have three specific values - to sanitize it you check that the value is one of those three -
That's it?

Wow! If so I just want to say that you're the man. REALLY appreciate your help -

Thanks bro.
#4 | Fou-Lu | 01-26-2013, 05:26 AM
I'd suggest a switch though. PHP is a string-based language, so it is primitive, which means you can switch on the string. It simply allows for easier additions should you choose in the future:
PHP Code:
if (isset($_POST['nav']))
{
    switch ($_POST['nav'])
    {
        case "http://css-tricks.com/":
        case "http://digwp.com/":
        case "http://quotesondesign.com/":
            // the allowed values fall through to one redirect
            header('Location: ' . $_POST['nav']);
            break;
        default:
            // in case you want to do something for every other condition.
    }
}

exit() or die() should be called right after the header unless you want the remaining script to still continue processing. Issuing a header doesn't terminate the script run, it simply tells the browser to redirect to a new location.
__________________
As of PHP 5.5, the MySQL library has been officially deprecated. It is recommended to move to either MySQLi or PDO libraries for your mysql connectivity. See here for help choosing which interface you prefer: http://php.net/manual/en/mysqlinfo.api.choosing.php
#5 | listerdl | 01-27-2013, 04:56 PM
Quote (Originally Posted by Fou-Lu):
I'd suggest a switch though. PHP is a string-based language, so it is primitive, which means you can switch on the string. It simply allows for easier additions should you choose in the future:
PHP Code:
if (isset($_POST['nav']))
{
    switch ($_POST['nav'])
    {
        case "http://css-tricks.com/":
        case "http://digwp.com/":
        case "http://quotesondesign.com/":
            header('Location: ' . $_POST['nav']);
            break;
        default:
            // in case you want to do something for every other condition.
    }
}

exit() or die() should be called right after the header unless you want the remaining script to still continue processing. Issuing a header doesn't terminate the script run, it simply tells the browser to redirect to a new location.
Where would I put exit() or die() in this code?

Thanks VERY MUCH by the way - I really appreciate your help. This is the only little bit of PHP within the project and you are really helping. Thanks
#6 | listerdl | 01-27-2013, 05:30 PM
In fact - I just realized something, I don't think this is going to work....

The reason is because I have five dropdowns on the SAME page - so the sequence of this:

Code:
if (isset($_POST['nav']))
{
    switch ($_POST['nav'])
    {
        case "http://css-tricks.com/":
        case "http://digwp.com/":
        case "http://quotesondesign.com/":
            header('Location: ' . $_POST['nav']);
            break;
        default:
            // in case you want to do something for every other condition.
    }
}
This ONLY applies to the top three dropdown choices for the dropdown list, right? So if I have 5 dropdowns then I think I'm out of gas - because each of the dropdowns will have the same list as per the above PHP, right? Is there a workaround or should I just flip over to JavaScript?

In other words, each dropdown has a unique list - so five dropdowns (on the same page) = five unique lists...

Thanks
#7 | listerdl | 01-27-2013, 09:27 PM
OK - I think I solved it -

I just make different classes of this

Code:
<select name="nav">

so, the dropdowns are like this:

Code:
<select name="dropdown-1">
<select name="dropdown-2">
<select name="dropdown-3">

Seems simple enough. I tested it and it works ok -

Am I missing something?
#8 | Fou-Lu | 01-28-2013, 01:57 PM
I don't have a clue what it is you are talking about with multiple selects. So we cannot tell you if it's right or not.
exit would go where you want to halt processing. If you don't want to halt processing then you don't need to exit. If all selects need to be processed, then you would not want to issue a die, since you want to process all blocks before redirecting.
If you have more options to select from, then simply add cases for them to match in the switch. That is what makes it so flexible: it is an if/elseif/else logic as it applies to a single item for comparison. It cannot perform non-equal comparisons though (but you can use the result of comparator-type functions as a switch result).
As for JS, it is "fun" to use it, but is unreliable for any validation. Any client-controlled language should automatically deem input as dirty when provided to a server-side language. With something such as this issuing redirection to remote locations, I would not see a need to concern myself about client-added options, so JS is a potentially viable solution.
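For the multiple-dropdown question from posts #6 and #7, here is an added example (not code from the thread) that generalises the allow-list check to several selects, each with its own list keyed by the select's name attribute. It assumes each dropdown sits in its own form, so a request normally carries only one of the fields; the function findRedirect, the $menus array and the "dropdown-3" URLs are placeholders of my own, while the other URLs are the ones from the thread.

```php
<?php
// Added example, not code from the thread. One allow-list per <select>, keyed
// by the select's name attribute. The first two lists reuse the thread's URLs;
// the "dropdown-3" entries are placeholders for whatever that menu offers.
$menus = [
    'dropdown-1' => ['http://css-tricks.com/', 'http://digwp.com/'],
    'dropdown-2' => ['http://quotesondesign.com/'],
    'dropdown-3' => ['http://example.com/page-a/', 'http://example.com/page-b/'],
];

/**
 * Look through every configured select and return the first submitted value
 * that is exactly on that select's own allow-list, or null when nothing valid
 * was posted.
 *
 * Assuming each dropdown is in its own <form>, only one of these fields
 * arrives per request; the loop simply finds whichever one it was.
 */
function findRedirect(array $post, array $menus)
{
    foreach ($menus as $field => $allowed) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            continue;   // this select was not submitted (or was turned into an array)
        }
        if ($post[$field] === '') {
            continue;   // the "Go to page..." placeholder option
        }
        if (in_array($post[$field], $allowed, true)) {
            return $post[$field];
        }
        // Submitted but not on this menu's list: ignore it rather than redirect.
        // A URL from dropdown-2's list sent in the dropdown-1 field is refused
        // as well, because every field is checked against its own list only.
    }
    return null;
}

$target = findRedirect($_POST, $menus);

if ($target !== null) {
    header('Location: ' . $target);
    exit();     // stop here so the rest of the page is not generated
}
// No valid selection: render the page with its five forms as usual.
```

This keeps the behaviour Fou-Lu describes (the check is still an exact-match comparison per field) while answering the "five unique lists" concern: the form's name attribute selects the list, and a value is accepted only if it appears on that particular list. The exit() sits directly after header(), which is where the earlier reply says it belongs when the redirect should end the request.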