PHP - Using A .htaccess To Redirect To A Secure Site ??

This topic has been moved to Apache HTTP Server.

http://www.phpfreaks.com/forums/index.php?topic=358740.0

Hi,

Ive got a script to redirect some traffic from one site to another as follows:
Code: [Select]
$checker = $_SERVER['HTTP_REFERER'];

if($checker == "http://siteone.com) {
header("Location: http://www.sitetwo.com");
}

It works fine but when the URL is like site.com/anotherpage.php it dosen't redirect.

How can i redirect no matter what page siteone is on

I have an account on theirsite.com and I want to be able to submit my login credentials from mysite.com/page1.php and then redirect back to mysite.com/page2.php.

I've been Googling for hours now and nothing I can find works and I don't know a thing about cURL and would rather not get into it. Not to mention, I'm using free hosting for now and I don't believe I'm able to use cURL anyways.

I can get it to log in with the credentials just fine, that's no problem, but I just have no clue how to get it to redirect back to my page or just send the credentials and then staying on my page because I could work with that as well (send credentials to theirsite.com from mysite.com/page1.php and staying on mysite.com/page1.php).

Is there anyone that could give me a hand on how to do this without using cURL since my php.ini is not editable?

Thanks

This is probably some silly mistake but I can't figure out why this code isn't working. I put this at the top of my php page:

Code: [Select]
<?php
$https_url = 'https://somesite.com';
if ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] == 'off' )
{
header('location: ' . $https_url);
exit;
}
else if ( !isset( $_SERVER['HTTPS']) && $_SERVER['SERVER_PORT'] == 443 )
{
header('location: ' . $https_url);
exit;
}
?>
When I was just trying this code out it worked and redirected to https. No errors no infinite loops...it worked perfectly. However, once our server guy actually applied the SSL to the page, the code stopped working and I get the error "The page must be viewed over a secure location." It throws the error before it processes anything on that page. I found the code online on another help forum and it worked for everyone else, so what am I doing wrong? I also tried a different version of the code that also works for everyone else but got the same error. Thanks for your help!

How do I only redirect the page when index.php is present?

I'm trying to put together a script that redirects visitors based on their IP, user agent and/or referral url. Basically I want the script to scan these three factors from the visitor, if any of them turn out to match my redirect-requirement it redirects the user. I know the code is horribly coded, I'm incredibly new to the php-scene and consider myself a complete noob. As you can see I want redirected visitors to go to google.com and un-redirected to msn.com(examples). Really thankful for all the help I can get! Right now nothing works, any suggestions?

<?php
 
function redirect($page) {
        Header( "HTTP/1.1 301 Moved Permanently" );
        header('Location: ' . $page);
        exit;
}
 
$referrals=array('pitchingit.org','referral2');
$badAgents = array("useragent1", "useragent2");
$deny = array("78.105.191..*","100.101.103..*");
 
if (in_array($_SERVER['HTTP_REFERER'], $referrals, FALSE)) 
{
        header("Location: http://www.google.com");
} 
else 
{
        header("Location: http://www.msn.com");
}  
 
if(in_array($_SERVER['HTTP_USER_AGENT'],$badAgents)) 
{
        redirect("http://www.google.com/");
        exit();
} 
 
$add=$_SERVER['REMOTE_ADDR'];
foreach ($deny as $ip) {
        if (preg_match("^.$add.*^",$ip)) {
        redirect("http://www.google.com");
        }
}
 
redirect("http://www.msn.com");
 
?>

The code below allows me to insert articles into my website without having to hard-code them in the home page.

Is this code secure?  (Someone told me I should use a switch statement instead?!)

Code: [Select]
<?php
if (isset($_GET['article'])) {
$articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php';

if(file_exists($articleFile)) {
include($articleFile);
}else{
$title = 'Article Not Found';
$content = '';
}
}else{
include('default.php');
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Dynamic Content Example</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link type="text/css" rel="stylesheet" href="css/pagelayout.css">
<link type="text/css" rel="stylesheet" href="css/dropdown.css">
</head>

<body>
<div id="wrapper" class="clearfix">
<div id="inner">
<div id="header">
<!-- DROP-DOWN MENU -->
<ul id="topMenu">
<li class="current"><a href="?article=article1">Article 1</a></li>
<li><a href="?article=article2">Article 2</a></li>
<li><a href="?article=article3">Article 3</a></li>
<!-- and so on... -->
</ul><!-- End of TOPMENU -->

</div>
<div id="left">
<p>
Other content goes here : Other content goes here : Other content goes here :
</p>
</div>
<div id="middle">
<div id="content">
<h2>MAIN CONTENT</h2>
<p>
<!-- Dynamically insert Article here using PHP include!! -->
<?php echo $content; ?>
</p>
</div>
</div>
<div id="right">
<p>
Adverting goes here : Adverting goes here : Adverting goes here :
</p>
</div>
</div>
<div id="l"></div>
<div id="r"></div>
</div>
<div id="footer">
<p>footer</p>
</div>
</body>

</html>

If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it.   

Thanks,



Debbie

OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this?

I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?

<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data"> 
Upload:<br><br> 
<input type="file" name="image"><br><br>
Image Title:<br><br> 
<input type="text" name="image_title"><br><br> 
<input type="submit" name="submit" value="Upload"> 
</form>
	
	
<?php
include("upload_file.php");

function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
		 
			 
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}

$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}

if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
			 
			 
			 			 
if (!empty($_FILES["image"]["name"])) {

$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];

		
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES 
('".$target_path."','".date("Y-m-d")."','".$title."')";

mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error()); 
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
} 
}
?>

I wrote an update script, how secure do you think it is?
By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in.

function update_file($url, $file)
{
        //Get URL content
$ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
            $data = curl_exec($ch);
            curl_close($ch);
            $new_content = $data;

//Replace with content from URL
file_put_contents($file, $new_content);
echo $new_content;
}

function get_url($file)
{

$domain = 'http://www.mysite.com/';
$folder = 'update/'; 
$ver = '2.0.1';
$full_url = ''.$domain.''.$folder.'/'.$ver.'/';
$fileu = array
(
"functions/update.php" => "".$full_url."functions/update.txt"
);

return $fileu[$file];
}

$files = array
(
'functions/update.php'
);

foreach($files as $file)
{
update_file(get_url($file),$file);
}

Hello, I want to know if my login php is secure or if it's easily hacked by anyone.


mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$gmtUnixTime = time();
$tUnixTime = $gmtUnixTime + 3600;
$sGMTMySqlString = gmdate("Y-m-d H:i:s", $tUnixTime);

// Parse the String into a new UNIX Timestamp
$tParsedTime = strtotime($sGMTMySqlString . " GMT");



$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");




$sql = "UPDATE $tbl_name SET senast = '$sGMTMySqlString' WHERE username = '$myusername'";
mysql_query($sql) or die(mysql_error());


$_SESSION['user']="$myusername";
$_SESSION['senastlog']="$sGMTMySqlString";
header("location:index.php");

}
else {
header("location:failed.php");
}

ob_end_flush();
?>

What kinds of things can I do to make Logging-In and being Logged-In *secure*??

I get the whole form validation thingy, but what about from the standpoint of how/where I store data in my database and how I keep track of who is logged in and where they can go, and so on?

Thanks,


Debbie

Hey, Some of you may have noticed me posting this morning about needing help creating a comment system and securing down my PHP,

I have been hard at work and have nearly finished my comment system all I need to do now is the post form and insert script, and I have been looking into the various suggestions for securing my PHP from Injection attacks and the likes.

However I am really really not getting it, How these attacks work, what they do or how to prevent them,

I could really use some advice, and not just a link to a article on the matter I have read about 15 of them and it still doesn't make sense to me. 

Can anyone give me some advice or an explanation.

If someone could secure this page here for me the I should be able to work out the rest. If you need my config.php file just shout.

Code: [Select]
<?php include("config/config.php");
 $data = mysql_query("SELECT * FROM blog WHERE articleid = {$_GET['articleid']} ORDER by date ASC")
 or die(mysql_error()); 
while($row = mysql_fetch_array($data))
  {
echo "<table class='main'> <tr> <td> <a href='/news.php?articleid=" . $row['articleid'] . "' class='article_title'>" . $row['title'] . "</a>
<p>" . $row['introduction'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] .  ",</td></tr></table>";
  }
?>

COMMENTS:

<?
 $data = mysql_query("SELECT * FROM comments WHERE articleid = {$_GET['articleid']} ORDER by date ASC")
 or die(mysql_error());
while($row = mysql_fetch_array($data))
  {
echo "<table class='main'><tr><td> <p>"
 . $row['comment'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] .  ",</td></tr></table>";
  }

?>


Thanks
Blaze

Are there any PHP hashes that are extremely secure and that CANNOT be reverse-engineered?

 

 

I was looking at this snake like game for jquery

http://jquery-snakey.googlecode.com/svn/trunk/index.html

Works here and I want to integrate it on my forums which is easy, but I want users who win a "highscore" be submitted into a highscores table/etc, which is very easy to do.

Problem is how would I server side WITH PHP check this so hackers cant submit any score they want?   +they can view source code of the js game.. are games like this just not possible to 100% secure them over? hackers will always beable to hack em huh?