Hello, everyone.
Still pretty new to PHP, and I’ve got an issue that I’m sure is simple, but I’m just not seeing it. I’ve set the session to start automatically on every page in the php.ini file.
I’m trying to use PHP and JavaScript to throw an alert dialog if someone tries to tamper with a URL parameter, namely “nav”. What I’m trying to do is, if the value of nav is not one of the predefined values, then the nav is changed to “home”, a message is set in a session variable, the page redirects to home, and then the message in the session becomes a JavaScript alert and is then cleared/unset.
Now, in order for this to work properly, I understand that header() cannot have anything before it. So, I’m using ob_start() at the beginning and ob_end_flush() at the end of my pages. I also have it set so that after the ob_end_flush() is where I’m using unset to clear the session variable.
I tested by changing the nav to “blah” (which is not one of the predefined values), and while the redirect is working flawlessly, the alert never happens.
Here is my index.php code:
[code]
<?php
ob_start();
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<?php include('pageload.php');?>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link href="images/root/favicon.ico" rel="icon" hreflang="en" charset="UTF-8" lang="en" />
<title>Reunions</title>
<script language="JavaScript" src="scr/jquery-1.7.1.js" type="text/javascript"></script>
<script language="JavaScript" src="scr/jquery.curvycorners.min.js" type="text/javascript"></script>
<script language="JavaScript" src="scr/onready.js" type="text/javascript"></script>
<link rel="stylesheet" href="cssfiles/allpages.css" type="text/css" hreflang="en" charset="UTF-8" dir="ltr" lang="en" />
</head>
<body leftmargin="0" topmargin="0" rightmargin="0" bottommargin="0" marginwidth="0" marginheight="0"
onResize="window.location.reload(false);">
<div id="footer_wrap">
<?php include("btmnav.php");?>
</div>
<div id="content_wrap">
<div id="header_wrap">
<?php include("topnav.php");?>
</div>
<?php include("$thisNav.php");?>
</div>
</body>
</html>
<?php
ob_end_flush();
if(isset($_SESSION['notNice'])) {
    unset($_SESSION['notNice']);
}
?>
[/code]
Here is my pageload.php file:
[code]
<?php
if(!isset($_GET["nav"])) { //If a nav is not chosen, HOME is default.
    $_GET["nav"] = "home";
}
if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {
    $uri = 'https://';
}
else {
    $uri = 'http://';
}
$thisProtocol = $uri;
$uri .= $_SERVER['HTTP_HOST'];
$uri .= $_SERVER['SCRIPT_NAME'];
if (!empty($_SERVER["QUERY_STRING"])) {
    $qString = $_SERVER['QUERY_STRING'];
    $uri .= "?".$qString;
}
switch(strtolower($_GET["nav"])) {
    case "home":
    case "events":
    case "news":
    case "forum":
    case "register":
    case "signin":
        $thisNav = strtolower($_GET["nav"]);
        break;
    default:
        $thisNav = "home";
        $_SESSION['notNice'] = "That isn’t nice, trying to hack my site.";
        header("Location: " . $thisProtocol . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . "?nav=$thisNav");
        break;
}
?>
<script language="JavaScript1.5" type="text/javascript">
<?php if(isset($_SESSION['notNice'])) { ?>
alert("<?php echo $_SESSION['notNice']; ?>");
<?php } ?>
</script>
[/code]
Is the flush clearing the session variable? Or is the session variable even being saved?
Thanks,
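
The flow described in the post (allowlist check on `nav`, one-shot session message, redirect, alert), as an added example that is not part of the original post: it calls `exit` right after the `Location` header so the request that sets the message does not run on to the code that unsets it, and it encodes the message with `json_encode` before placing it inside the script block. The names `ALLOWED_NAV`, `resolve_nav` and `take_flash` are hypothetical, and the sketch assumes the same session key and nav values as the post.

```php
<?php
// Added example, not the poster's code. Assumes session.auto_start = 1, as the post states.
const ALLOWED_NAV = ['home', 'events', 'news', 'forum', 'register', 'signin'];

// Hypothetical helper: return the allowlisted nav value, or null if it is not allowed.
function resolve_nav(array $query): ?string
{
    $nav = $query['nav'] ?? 'home';      // no nav chosen: home is the default
    if (!is_string($nav)) {              // ?nav[]=x arrives as an array
        return null;
    }
    $nav = strtolower($nav);
    return in_array($nav, ALLOWED_NAV, true) ? $nav : null;
}

// Hypothetical helper: read the one-shot message and clear it in the same step.
function take_flash(string $key): ?string
{
    $msg = $_SESSION[$key] ?? null;
    unset($_SESSION[$key]);
    return is_string($msg) ? $msg : null;
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();                     // fallback when auto_start is off
}

$thisNav = resolve_nav($_GET);
if ($thisNav === null) {
    $_SESSION['notNice'] = "That isn't nice, trying to hack my site.";
    // Relative redirect: the target does not depend on the client-supplied Host header.
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?nav=home');
    exit;                                // stop here so nothing below reads or unsets the message
}

// Only the redirected (valid) request reaches this point; the message is consumed once.
$flash = take_flash('notNice');
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
?>
<script type="text/javascript">
<?php if ($flash !== null) { ?>
alert(<?php echo json_encode($flash, $flags); ?>);
<?php } ?>
</script>
```

Because `$thisNav` can only hold one of the values in `ALLOWED_NAV`, building the include path from it, as index.php does, stays limited to those six files.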