PHP - How To Enforce That Everything On A Page Has To Be From HTTPS?
I want to make sure that a specific page (login.php) only has stuff from my https and none from my (or other) http sites. How can I do this?
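One way to approach the question above, as an added example that is not part of the original thread: login.php sends a Content-Security-Policy header so the browser refuses any non-HTTPS subresource, and the generated markup is scanned for http:// references before deployment. The function names and the sample markup are made up for illustration.

```php
<?php
// Added example, not code from the thread. Function names are illustrative.

/** Policy that lets the browser load subresources over HTTPS only. */
function https_only_csp(): string
{
    // Note: default-src without 'unsafe-inline' also blocks inline
    // <script>/<style>, so the page must load those from files.
    return implode('; ', [
        "default-src https:",         // images, scripts, CSS, fonts, XHR, frames
        "form-action https:",         // not covered by default-src: the login POST target
        "upgrade-insecure-requests",  // rewrite leftover http:// subresource URLs to https://
    ]);
}

/** List http:// URLs in markup that the browser would fetch or post to. */
function find_insecure_references(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate real-world, sloppy HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();

    // tag => attribute that triggers a request. <a href> is navigation,
    // not page content, so it is left out on purpose.
    $watched = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src', 'audio' => 'src',
        'video' => 'src', 'source' => 'src', 'embed' => 'src', 'object' => 'data',
        'link' => 'href', 'form' => 'action',
    ];
    $hits = [];
    foreach ($watched as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') === 0) {
                $hits[] = sprintf('<%s %s="%s">', $tag, $attr, $url);
            }
        }
    }
    // url(...) references inside external stylesheets are not visible here;
    // the CSP header above is what stops those at load time.
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample markup for a login page.
    $sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://www.example.com/css/site.css">
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<img src="http://www.example.com/images/logo.png" alt="logo">
<form action="/login.php" method="post"><input name="user"></form>
</body></html>
HTML;
    print_r(find_insecure_references($sample));
} else {
    // In login.php, before any output is sent:
    header('Content-Security-Policy: ' . https_only_csp());
}
```

Run from the command line, the script lists the insecure references in the sample; included from a web request, it only sends the header.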
Similar Tutorials

Here's the scenario.... A customer clicks on a product on the product page, this will open up the page for the individual product. In this example, it's a shirt. The shirt is available in many sizes and colors. The Minimum QTY for this product is: 12. The customer can select as many sizes and colors as they want, as long as they select a total of 12 (all sizes + all colors = total). After making their selections for this shirt, there is an "Add to Cart" button. I would like to run a check to make sure that the total is equal to or greater than the minimum QTY. Here is the form:

Code:
<?php
session_start();
require("db.php");
require("functions.php");

$validid = pf_validate_number($_GET['id'], "redirect", $config_basedir);

$prodsql = "SELECT * FROM products WHERE id = " . $_GET['id'] . ";";
$prodres = mysql_query($prodsql);
$numrows = mysql_num_rows($prodres);
$prodrow = mysql_fetch_assoc($prodres);

$prodcatsql = "SELECT * FROM categories WHERE id = " . $_GET['id'] . ";";
$prodcatres = mysql_query($prodcatsql);
$bulkcat = mysql_num_rows($prodcatres);

if($numrows == 0) {
    header("Location: " . $config_basedir);
}
else {
    if($_POST['submit']) {
        if(!$_SESSION['SESS_ORDERNUM']) {
            if($_SESSION['SESS_LOGGEDIN']) {
                $sql = "INSERT INTO orders(customer_id, registered, date) VALUES(" . $_SESSION['SESS_USERID'] . ", 1, NOW())";
                mysql_query($sql);
                session_register("SESS_ORDERNUM");
                $_SESSION['SESS_ORDERNUM'] = mysql_insert_id();
            }
            else {
                $sql = "INSERT INTO orders(registered, date, session) VALUES(0, NOW(), '" . session_id() . "')";
                mysql_query($sql);
                session_register("SESS_ORDERNUM");
                $_SESSION['SESS_ORDERNUM'] = mysql_insert_id();
            }
        }

        foreach ($_POST as $name => $value) {
            if (substr($name, 0, 4) == 'qty_' && $value != '' && is_numeric($value)) {
                $arrOptions = explode('_', $name);
                // The ids come from client-supplied field names: cast them before they reach SQL.
                $sizeid = (int) $arrOptions[1];
                $colorid = (int) $arrOptions[2];
                $quantity = (int) $value;
                $itemsql = "INSERT INTO orderitems(order_id, product_id, size_id, color_id, quantity) VALUES (" . $_SESSION['SESS_ORDERNUM'] . ", " . $_GET['id'] . ", " . $sizeid . ", " . $colorid . ", " . $quantity . ")";
                mysql_query($itemsql);
            }
        }

        $totalprice = $prodrow['price'] * $_POST['amountBox'] ;
        $updsql = "UPDATE orders SET total = total + " . $totalprice . " WHERE id = " . $_SESSION['SESS_ORDERNUM'] . ";";
        mysql_query($updsql); // run the UPDATE built above
        header("Location: " . $config_basedir . "showcart.php");
    }
    else {
        require("header.php");
        echo "<div id='adminhome'>";
        echo "<form action='addtobasket.php?id=" . $_GET['id'] . "' method='POST'>";
        echo "<table cellpadding='10' border='0'>";
        echo "<tr>";
        if(empty($prodrow['image2'])) {
            echo "<td width='205'><img src='store-images/no-image-large.jpg' width='200' alt='" . $prodrow['name'] . "'>";
        }
        else {
            echo "<td width='205'> <img src='store-images/" . $prodrow['image2'] . "' width='200' alt='" . $prodrow['name'] . "'>";
        }
        echo "</td>";
        echo "<td>";
        echo "<h1>"; echo $prodrow['name']; echo "</h1>";
        echo "<h2>"; echo $prodrow['description']; echo "</h2>";
        //echo "<pre>" . wordwrap( $prodrow['description'] , 30 ) . "</pre>";
        echo "<p>"; echo $prodrow['details']; echo "</p>";
        echo "<br>";
        if($bulkcat==0) {
            echo "<div id='bulk1'>";
            echo "<table cellpadding='2' border='0'>";
            echo "<tr>";
            echo "<td>Quantity</td>";
            echo "<td>12</td>";
            echo "<td>24+</td>";
            echo "<td>48+</td>";
            echo "</tr>";
            echo "<tr>";
            echo "<td>Price</td>";
            echo "<td>$" . money_format('%i', $prodrow['price']) . "</td>";
            echo "<td>$" . money_format('%i', $prodrow['price2']) . "</td>";
            echo "<td>$" . money_format('%i', $prodrow['price3']) . "</td>";
            echo "</tr>";
            echo "</table>";
            echo "</div>";
            echo "<div id='bulk2'>";
            echo "<table cellpadding='2' border='0'>";
            echo "<tr>";
            echo "<br><div align='center'><strong>For Sizes 2XL - 5XL</strong></div>";
            echo "</tr>";
            echo "<tr>";
            echo "<td>Quantity</td>";
            echo "<td>12</td>";
            echo "<td>24+</td>";
            echo "<td>48+</td>";
            echo "</tr>";
            echo "<tr>";
            echo "<td>Price</td>";
            echo "<td>$" . money_format('%i', $prodrow['price4']) . "</td>";
            echo "<td>$" . money_format('%i', $prodrow['price5']) . "</td>";
            echo "<td>$" . money_format('%i', $prodrow['price6']) . "</td>";
            echo "</tr>";
            echo "</table>";
            echo "</div>";
        }
        else {
            echo "<div id='bulk1'>";
            echo "<table cellpadding='2' border='0'>";
            echo "<tr>";
            echo "<td>Quantity</td>";
            echo "<td>12</td>";
            echo "<td>24+</td>";
            echo "<td>48+</td>";
            echo "</tr>";
            echo "<tr>";
            echo "<td>Price</td>";
            echo "<td>$" . money_format('%i', $prodrow['price']) . "</td>";
            echo "<td>$" . money_format('%i', $prodrow['price2']) . "</td>";
            echo "<td>$" . money_format('%i', $prodrow['price3']) . "</td>";
            echo "</tr>";
            echo "</table>";
            echo "</div>";
        }
        echo "</td>";
        echo "</tr>";
        echo "</table>";
        echo '<div id="basketmatrix">';
        echo '<table cellpadding="1" border="1">';
        echo '<tr>';
        echo '<td></td>';
        $arrsizes = array();
        $i = 0;
        $result = mysql_query("SELECT DISTINCT s.id, s.size FROM sizes s INNER JOIN productoptions p ON s.id = p.sizeid WHERE p.productid = '" . $_GET['id'] . "' ORDER BY s.id");
        while ($row = mysql_fetch_assoc($result)) {
            echo '<td class="heading">' . $row['size'] . '</td>';
            $arrsizes[$i] = $row['id'];
            $i++;
        }
        echo '</tr>';
        $i = 0;
        $result = mysql_query("SELECT DISTINCT c.id, c.color FROM colors c INNER JOIN productoptions p ON c.id = p.colorid WHERE p.productid = '" . $_GET['id'] . "' ORDER BY c.id");
        while ($row = mysql_fetch_assoc($result)) {
            echo '<tr>';
            echo '<td class="heading">' . $row['color'] . '</td>';
            foreach ($arrsizes as $sizevalue) {
                echo '<td><input type="text" name="qty_' . $sizevalue . '_' . $row['id'] . '" size="5" /></td>';
            }
            echo '</tr>';
        }
        echo '</table>';
        echo '</div>';
        echo "<br>";
        echo "<br>";
        echo '<table>';
        echo '<tr>';
        echo '<td>';
        echo '<p>You MUST order a total of <font color="#ff0000"><strong>(' . $prodrow['minimum'] . ')</strong></font> or more to add this item to your cart.<br>';
        echo '(all colors + all sizes = total)</p>';
        echo '</td>';
        echo '<tr>';
        echo '<td>';
        echo "<input type='submit' name='submit' value='Add To Cart'>";
        echo '</td>';
        echo '</tr>';
        echo '</table>';
        echo "</form>";
        echo "</div>";
    }
}
require("footer.php");
?>

Hi friends. I have a problem with https about $_SESSION in PHP. Last time my website was working correctly with http, but after the change to https I can send value of session to another page
login.php:
session_start();
$_SESSION['user_ID'] = 8;

Action.php:
session_start();
echo "User ID = " . $_SESSION['user_ID']; // It does not show anything

Thank you very much for your help

Hey guys, I have a question here and I'm struggling with it. What I am trying to do is redirect the user, as soon as he opens the page, to an HTTPS page. For example, I have a really long URL for my email login page, so instead of giving the user a long link with port number and stuff I have this address "http://company.com/mail", and actually under this mail directory there is an index.php with this code

Code:
<?php
header('Location: https://ssl.company.com/crm/webmail/this/location');
exit;
?>

It works great but the problem is it sends the user to the NONE-Secure page (HTTP) instead of the secure... Does anyone know how I can get around this?! Thanks

This is probably some silly mistake but I can't figure out why this code isn't working. I put this at the top of my php page:

Code:
<?php
$https_url = 'https://somesite.com';
if ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'off' ) {
    header('location: ' . $https_url);
    exit;
} else if ( !isset( $_SERVER['HTTPS']) && $_SERVER['SERVER_PORT'] == 443 ) {
    header('location: ' . $https_url);
    exit;
}
?>

When I was just trying this code out it worked and redirected to https. No errors, no infinite loops... it worked perfectly. However, once our server guy actually applied the SSL to the page, the code stopped working and I get the error "The page must be viewed over a secure location." It throws the error before it processes anything on that page. I found the code online on another help forum and it worked for everyone else, so what am I doing wrong? I also tried a different version of the code that also works for everyone else but got the same error. Thanks for your help!

so i have a number of websites on a server all work fine but when i put https://
in front of the other sites on the website's it redirects to another site on the server without changing domain name.
example:
http://www.example.com
works fine
https://www.example.com
shows another site on the server
how can i stop this?
I tried mod rewrites in htaccess but somehow it isn't working?

Anyone know how to force URL with SSL with www.
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://www.site.com/{R:0}" redirectType="SeeOther" />
    </rule>
  </rules>
</rewrite>

Please check the sample.

Hello,
I cannot work out this one.
I am loading a css file on an https page as:
<link rel="stylesheet" type="text/css" href="/assets/fa687e60/jui/css/base/jquery-ui.css" />
But using the chrome element tool I see this error:
The page at 'https://mysite.com/deal/create' was loaded over HTTPS, but displayed insecure content from 'http://mysite.com/cs...bf9ee_1x400.png': this content should also be loaded over HTTPS.
Now I went in the css file and the code is like that:
.ui-state-highlight, .ui-widget-content .ui-state-highlight,

I'm trying to determine the best way to provide HTTPS access to a web application that I'm building. I know that you can use the following code to redirect anyone manually accessing the http version of an https page:

Code:
// Redirect unless the request already arrived over HTTPS.
if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
    exit();
}

I have also heard that you could use mod_rewrite in Apache to achieve similar results. The entire web application should use https so I just want to make sure that I'm setting this up correctly. Feedback on the best approach or other suggestions would be very helpful. Thanks in advance.

It seems to me that this should be easy, but I can't find it in the manual or on the web, and the values in $_SERVER don't suggest anything. Context: script A loads script B using HTTPS. Now script B has to load resources (images, style sheets, etc). Browsers often object to HTTP references from a script run by an HTTPS request, so script B should generate URLs that use HTTPS. Thus it has to know that it was loaded with HTTPS. I can do this by brute force if I have to (defining a "protocol" constant in the script itself), but I'd rather make the test automatic.

Apache https setup!
Okay so i made my own SSL certificate for my localhost using these commands
OpenSSL: ( CMD > c:\xampp\apache\bin\openssl )
req -config c:\xampp\php\extras\ssl\openssl.cnf -new -out jobnow.csr -keyout jobnow.pem
rsa -in jobnow.pem -out c:\jobnow.key
x509 -in jobnow.csr -out jobnow.crt -req -signkey c:\jobnow.key -days 369

When asked for common name type your ip address.
Then I import the certificate into certmgr.msc
Restart Apache
https://192.168.0.14 - Doesn't work
192.168.0.14 - Works fine

Apache error log:
[Wed Sep 10 12:05:41.299000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:41.301000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:41.301000 2014] [ssl:warn] [pid 7840:tid 260] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
[Wed Sep 10 12:05:41.373000 2014] [core:warn] [pid 7840:tid 260] AH00098: pid file C:/xampp/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Wed Sep 10 12:05:41.616000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:41.617000 2014] [ssl:warn] [pid 7840:tid 260] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:41.617000 2014] [ssl:warn] [pid 7840:tid 260] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
[Wed Sep 10 12:05:41.659000 2014] [mpm_winnt:notice] [pid 7840:tid 260] AH00455: Apache/2.4.7 (Win32) OpenSSL/1.0.1e PHP/5.5.9 configured -- resuming normal operations
[Wed Sep 10 12:05:41.659000 2014] [mpm_winnt:notice] [pid 7840:tid 260] AH00456: Apache Lounge VC11 Server built: Nov 21 2013 20:13:01
[Wed Sep 10 12:05:41.659000 2014] [core:notice] [pid 7840:tid 260] AH00094: Command line: 'c:\\xampp\\apache\\bin\\httpd.exe -d C:/xampp/apache'
[Wed Sep 10 12:05:41.661000 2014] [mpm_winnt:notice] [pid 7840:tid 260] AH00418: Parent: Created child process 7032
[Wed Sep 10 12:05:42.319000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:42.321000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:42.321000 2014] [ssl:warn] [pid 7032:tid 272] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
[Wed Sep 10 12:05:42.645000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for localhost:80 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:42.646000 2014] [ssl:warn] [pid 7032:tid 272] AH01909: RSA certificate configured for 192.168.0.14:443 does NOT include an ID which matches the server name
[Wed Sep 10 12:05:42.646000 2014] [ssl:warn] [pid 7032:tid 272] AH01915: Init: (localhost:80) You configured HTTPS(443) on the standard HTTP(80) port!
[Wed Sep 10 12:05:42.688000 2014] [mpm_winnt:notice] [pid 7032:tid 272] AH00354: Child: Starting 150 worker threads.
[Wed Sep 10 12:05:54.589000 2014] [authz_core:error] [pid 7032:tid 1652] [client 192.168.0.14:3112] AH01630: client denied by server configuration: C:/xampp/htdocs/
[Wed Sep 10 12:05:54.682000 2014] [authz_core:error] [pid 7032:tid 1652] [client 192.168.0.14:3112] AH01630: client denied by server configuration: C:/xampp/htdocs/favicon.ico

It says my server name does not match, so I changed the server name to:
( httpd-ssl.conf ) around line 80
ServerName 192.168.0.14:443
DocumentRoot to my httpd.conf document root
My .key is in apache/conf/ssl.key
My crt is in apache/conf/ssl.crt

I hope this helps someone else! I had to post this after how much trouble it was causing me!

(Trying to get my brain back into this old problem which I fixed but want to re-code a better way...) So I was having problems with getting some browser error when people would go to checkout because the page logo was coming from an HTTP source and the page was an HTTPS page. I created a "config" file and had this code...

Code:
<?php
define('ENVIRONMENT', 'development');
//define('ENVIRONMENT', 'production');

// Secure Web Server Root
define('SECURE_WEB_ROOT', ENVIRONMENT === 'development' ? 'http://local.dev3/' : 'https://www.mysite.com/');
?>

Then in my page I had...

Code:
<div id="header">
  <a href="<?php echo WEB_ROOT ?>index.php">
    <img id="logo" src="<?php echo SECURE_WEB_ROOT ?>images/mylogo_200x50.png" width="200" alt="My Logo" />
  </a>
</div>

Is there a better way to do this and eliminate my Config file which is no longer needed since I learned how to create a "Virtual Server"? Debbie

I am using file_get_contents with a url (http) to screen scrape certain web pages that are publicly accessible. However there are certain web pages (https) that require me to use an x509 certificate stored in my browser to make them visible. I would like to scrape them too. How would I scrape them using a php script? Thanks in Advance.

This is a two part question...
my previous post was surrounding an issue with Sessions, now I was told that it may be a server side issue so I contacted my host provider who said to me that sessions cookies REQUIRE https?? now this can't be valid because I've had no issues with sessions prior to this week - second part of this is, is there something I'm missing with maybe an updated versions?
PS: yes, I'm new and simply trying to learn...

Should I always use HTTPS when users are inputting credit card numbers & billing info? Do you know any sites that don't use HTTPS? I just want to know if it's a total no-no for web applications. Discuss.

Not sure if my title line was worded correctly, but here is what I am trying to understand... I need to hook my website up to a payment gateway to accept credit cards. After I package up the customer's payment details and send the payment gateway an XML string, their server supposedly sends back a request for more information OR it indicates a Pass/Fail message. This is where I am getting lost. If I send data over HTTPS using POST, then how am I supposed to receive a message back from them? It's not like we are on the telephone and there is a "live" link between my web server and theirs?! Can someone please explain how this works? Thanks, Debbie

Hi Everyone,
I am really struggling with this.....Cannot find a solution anywhere.
I have a website with SSL installed.
I would like to force SSL on the whole website but not on 2 urls.
If my whole site is https://mysite.com
and the 2 urls to disable from the SSL a
http://mysite.com/hotels
http://mysite.com/weather
How can I do it via htaccess please?
Thank you so much,
Ben
Hello I have problem on redirecting the site to https when it comes to "www.site.com".
I made this
<rules>
  <rule name="Redirect site.com to www" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{HTTP_HOST}" pattern="site.co" />
    </conditions>
    <action type="Redirect" url="https://www.site.co/{R:0}" />
  </rule>
</rules>

In this sample when I try to access the site through "site.com" it redirects to "https://www.site.com" but when I access the site through www.site.com the https doesn't appear.

Hi all "I'm new here"

Hoping someone can help me with this peculiar problem. I have a VPS running Plesk (9.5.4) + PHP 5.3. For the domain I am working on, I have specified additional directories to the PHP include_path via vhost conf file. One of those directories is outside of webroot, so is same level as httpdocs.

eg: :/var/www/vhosts/example.com/outer_includes

My scripts are able to include PHP files, using require, include etc from the directory added to PHP's include, so I know that it's working perfectly. Problem I have is that if I call a script with HTTPS, I get require_once fatals, as for some reason the includes no longer work.

---------------------------------------------------
eg: include_me.php lives in a directory on same level as httpdocs, which has been added to PHP include directories.
/var/www/vhosts/example.com/outer_includes/include_me.php

script.php contains:
<?php require_once('include_me.php'); ?>

Calling: http://www.example.com/script.php
This works as expected.

Calling: https://www.example.com/script.php
This fails with fatal on the require_once()
---------------------------------------------------

I am self taught and fully expect this to be another hole in my knowledge but I can't seem to fill this one by asking Google. Can anyone advise? Would be very grateful

Boreas

Edited by Boreas, 02 September 2014 - 04:20 PM.

I am relatively new to php and am working on a small project for myself where I need to make a secure https connection to my supplier's web server and have to pass a data string to the server using the POST method. I've googled 'using php to make https connections', but am having difficulty getting started in learning about this process. The PHP manual is somewhat too 'techie' for my level. Does anyone have a suggestion where I can get started? Thanks.

Hi guys.. I am not very sure where to post about this issue but I'm giving it a try and hope to get some ideas where this might come from, maybe. So I have a small website with a members database.. the website itself has SSL and works properly on an https connection. The problem comes when a member tries to access via http. Unfortunately on a page I have to keep it http due to some ads that I display there and that don't work on https. If a member logs in and surfs the website via https everything is working perfectly.. but when he changes and tries to access via http he automatically gets logged out.. if he tries to log in via http he also can't and gets an error with an invalid token. So basically I think my database can't connect when accessed by http.. Any of you ever encountered this issue? Or maybe have some ideas where this issue is coming from?
Thanks and any idea or help very appreciated