
Topic: Using request_uri safely

Am I correct in assuming that using something along the lines of:

$redirect_url = $_SERVER['REQUEST_URI'];

for login redirection would be something akin to bending over and waiting patiently? big_smile Is there any way to parse/use that safely, so that if http_referer isn't set, there is some way to forward them to the page they actually requested, after login?


Cheers.

Re: Using request_uri safely

It actually isn't as bad as you think tongue
It's more of an issue for XSS/SQL injection, since I can put quotes, HTML, etc. into the request URI. However, I don't think you can redirect people to arbitrary sites that way.
But I don't think REQUEST_URI is what you're looking for. That's data on the current page, not on any referring page. If you want to see how 1.3 deals with the issue, check out the prev_url column in the online table.
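
An added example, not part of the thread and not PunBB code: one way to validate a REQUEST_URI value before using it as a post-login redirect target, with escaping at the point of output for the XSS concern raised in the reply above. The function name local_redirect_target, the redirect_url form field and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from PunBB.

/**
 * Return $uri if it is a same-site absolute path that is safe to use as a
 * post-login redirect target, otherwise return $default.
 */
function local_redirect_target($uri, $default = '/index.php')
{
    // Reject control characters (CR/LF would allow header splitting) and
    // backslashes, which some browsers treat like forward slashes.
    if (!is_string($uri) || $uri === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $uri)) {
        return $default;
    }

    // Must be a path on this host: exactly one leading slash. A value that
    // starts with "//" is a network-path reference naming another host.
    if ($uri[0] !== '/' || (isset($uri[1]) && $uri[1] === '/')) {
        return $default;
    }

    // Second check: the URL parser must not see a scheme or host either.
    // Anything it cannot parse falls back to the default (fail closed).
    $parts = parse_url($uri);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }

    return $uri;
}

// Constructed sample values standing in for $_SERVER['REQUEST_URI'].
$samples = array(
    '/viewtopic.php?id=5',
    '//example.org/',
    "/index.php\r\nX-Test: 1",
    '/\\example.org',
    '/search.php?q="><b>',
);

foreach ($samples as $sample) {
    $target = local_redirect_target($sample);
    // A validated path can still contain quotes or markup, so escape it
    // wherever it is written into HTML. If it is stored in the database,
    // pass it as a bound parameter or through the DB layer's escaping.
    echo '<input type="hidden" name="redirect_url" value="',
         htmlspecialchars($target, ENT_QUOTES, 'UTF-8'), "\" />\n";
}
```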


Re: Using request_uri safely

Smartys wrote:

But I don't think REQUEST_URI is what you're looking for. That's data on the current page, not on any referring page. If you want to see how 1.3 deals with the issue, check out the prev_url column in the online table.

Just had a quick peek at 1.3. smile Looks like it would be fairly painless to backport that? Am I correct in assuming, from my quick code browsing session, that it's placed into the pun_user array, so would also be of use elsewhere in place of that JavaScript back link used in 1.2? (That thing is my bane for true XML validity). big_smile

Re: Using request_uri safely

Exactly smile


Re: Using request_uri safely

Cheers. smile Guess what my task is for the next hour or two. big_smile


Re: Using request_uri safely

Cheers Smartys. That's sorted the job a treat. smile