pass value from url to url
Topic: pass value from url to url (Read 814 times)
tableman (Posts: 26)
pass value from url to url
« on: April 05, 2007, 01:03:49 PM »
I want to pass the varying value of "subid" in this url:
http://abcwebsite.php?subid=xxxxxx
into "source" in this url:
http://xyzwebsite.htm?source=xxxxxx
The latter page opens using:
Code:
<?php
header ("location:http://xyzwebsite.htm?login=apin&source=xxxxxx");
?>
However, the value of xxxxxx is not fixed (not generated by me) so I need to specify it in general terms, but hunting for clues has not turned up how to do it.

VGR (Mentor, Posts: 684)
Re: pass value from url to url
« Reply #1 on: April 05, 2007, 03:24:16 PM »
I thought I was clear enough ?!?
Code:
<?php
$zob=$_GET['subid']; // you should urlencode if it can contain spaces etc
header ("location:http://xyzwebsite.htm?login=apin&source=$zob");
exit;
?>
techie overlord, answers all kind of questions on http://www.europeanexperts.org

CrYpTiC_MauleR (Site Builder, Posts: 489)
Re: pass value from url to url
« Reply #2 on: April 05, 2007, 10:56:35 PM »
If the value of $zob is going to be an integer then it's best you typecast it by doing
$zob = (int)$_GET['subid'];
otherwise it opens your site to XSS and other types of attacks by creating an HTTP Response Splitting vulnerability. If $zob will not be an integer then use a strict regular expression to allow certain characters, using ^ and $ along with the 'D' modifier to ensure attacks are not possible.
[ x ] Fight | www.crypticmauler.com "You must be

tableman (Posts: 26)
Re: pass value from url to url
« Reply #3 on: April 06, 2007, 12:40:53 AM »
Thank you for that suggestion, CrYpTiC_MauleR. I will use that.
I do not control what the value is, but it is always an integer and never includes spaces.
The problem remains that I can't get source= to take on the subid value.
Including (int)$_GET['subid'] results in source=0. Without (int), source= has no value.
Yes, VGR, you were "clear enough ?!?", but I can't get your suggestion to work for the url.
That's why I started a new thread for the url issue once the email issue was resolved?!?
The following does not work for me either:
Code:
<?php header ("location:http://xyzwebsite.htm?login=apin&source=".$_GET['subid']); ?>
However, the following works to send the value of subid in an email when I include this code in the form:
Code:
<input type="hidden" name="subid" value="<?php echo htmlentities($_GET['subid']); ?>" />
So $_GET['subid'] is working to include the value in an email, but I can't get it to work for the url.
I tried a different destination url with the same non-working result.

CrYpTiC_MauleR (Site Builder, Posts: 489)
Re: pass value from url to url
« Reply #4 on: April 06, 2007, 12:58:59 AM »
Could you edit the above post and include the URLs which each piece of code is running under?

tableman (Posts: 26)
Re: pass value from url to url
« Reply #5 on: April 06, 2007, 01:36:19 AM »
The process goes like this:
A link on a site not mine is clicked opening my page whose url looks like this:
http://abcwebsite.php?subid=xxxxxx
where xxxxxx represents 6 varying digits over which I have no control.
Then a link on my page is clicked and another website page not mine opens looking like this:
http://xyzwebsite.htm?source=
Source= needs to take on the value of subid.
I have a php file which exists only for the purpose of enabling the transfer of the value of subid= to source= and does nothing else.
The only code currently in the file looks like this:
Code:
<?php header ("location:http://xyzwebsite.htm?login=apin&source=".(int)$_GET['subid']); ?>
The form on my page has nothing to do with this transfer from url to url but the email from it successfully carries the value of subid using the code mentioned in my previous post.

CrYpTiC_MauleR (Site Builder, Posts: 489)
Re: pass value from url to url
« Reply #6 on: April 06, 2007, 05:23:38 AM »
I don't see why that would not work. What version of PHP are you using btw?

VGR (Mentor, Posts: 684)
Re: pass value from url to url
« Reply #7 on: April 06, 2007, 06:23:41 AM »
idem, but seeing that htmlentities() is able to get you the "correct" value, I:
- assume the $_GET['subid'] contains non-printable characters that mangle the basic typecasting or basic retrieval
- suggest that you use the redirection with htmlentities() called instead of (int)
regards

CrYpTiC_MauleR (Site Builder, Posts: 489)
Re: pass value from url to url
« Reply #8 on: April 06, 2007, 12:10:08 PM »
Quote from: VGR on April 06, 2007, 06:23:41 AM
idem, but seeing that htmlentities() is able to get you the "correct" value, I:
- assume the $_GET['subid'] contains non-printable characters that mangle the basic typecasting or basic retrieval
- suggest that you use the redirection with htmlentities() called instead of (int)
regards

htmlentities will not protect against HTTP Response Splitting but (int) will, because it will make the value an integer (not a string with a numeric character but an integer), so no other character is allowed. That's the safest way to protect yourself if you know the value will be an integer. htmlentities will allow non-printable characters like null bytes, newlines, carriage returns etc., which will cause a security hole.

VGR (Mentor, Posts: 684)
Re: pass value from url to url
« Reply #9 on: April 06, 2007, 12:20:16 PM »
the problem is not protecting against security holes (there are too many of them, anyway) but to make something work, given it seems to me he has all the bits to do so.

CrYpTiC_MauleR (Site Builder, Posts: 489)
Re: pass value from url to url
« Reply #10 on: April 06, 2007, 12:25:43 PM »
I'm sorry but I don't encourage insecure coding practices. Putting security aside to get something to work is not the way to go about coding. Getting it to work in a secure manner is though. The reason there are so many security holes in web applications is because people take the easy approach and skip security, which in turn causes headaches for everyone, the site owners, the visitors to the sites etc. All I'm trying to assure is tableman does it the correct way so it benefits him and his visitors and he knows good coding practices for future secure coding.
Example: http://www.securiteam.com/unixfocus/5ZP022A8AW.html
Depending on your PHP version you may be protected from this, but it's best to force the value to be the type you want so you know nothing bad will happen. Making it an integer since you know it will be one is the best way. Your decision not mine, just please make the right one and don't get into the habit of overlooking security.
« Last Edit: April 06, 2007, 12:33:17 PM by CrYpTiC_MauleR »

tableman (Posts: 26)
Re: pass value from url to url
« Reply #11 on: April 06, 2007, 12:38:32 PM »
My site is hosted by Yahoo, so whatever PHP version they use is what it is. I think it's 4.3.11.
The value of subid consists of digits from 0 to 9 only and nothing else whatever, no spaces, no unusual characters, nothing.
When I try this anyhow:
Code:
<?php header ("location:http://xyzwebsite.htm?login=apin&source=".(htmlentities)$_GET['subid']); ?>
or
Code:
<?php
$zob=(htmlentities)$_GET['subid'];
header ("location:http://xyzwebsite.htm?login=apin&source=$zob");
?>
the page will not open.
However, this will at least open (showing source=0)
Code:
<?php header ("location:http://xyzwebsite.htm?login=apin&source=".(int)$_GET['subid']); ?>
It is not necessary for htmlentities to be included in the hidden field of the form for the subid value to be in the email. I included it because I thought it might add security (maybe not), but it makes no difference to the performance.
Using int() may be the best for security and I appreciate the suggestion and can use that, but I still get source=0 in the url.

CrYpTiC_MauleR (Site Builder, Posts: 489)
Re: pass value from url to url
« Reply #12 on: April 06, 2007, 12:46:54 PM »
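Echo out rawurlencode($_GET['subid']) before you do the redirect and before you do (int) to see what the value is; it should not have anything but numbers. Btw does the subid start with a 0? If so, 012345 will not be a valid integer; 12345 will be the value. To take care of something like that use a regex
Code:
<?php
// Redirect only when subid is present and consists of digits and nothing else.
// The D modifier keeps $ from matching before a trailing newline.
if (isset($_GET['subid']) && preg_match('/^\d+$/D', $_GET['subid']))
{
    header("location:http://xyzwebsite.htm?login=apin&source=".$_GET['subid']);
    exit;
}
else
{
    echo 'invalid characters';
}
?>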

VGR (Mentor, Posts: 684)
Re: pass value from url to url
« Reply #13 on: April 06, 2007, 01:09:03 PM »
I was thinking more something like this ;-)
Code:
<?php
$zob=htmlentities($_GET['subid']);
header ("location:http://xyzwebsite.htm?login=apin&source=$zob");
?>
as far as typecasting to (int), it's not very clever, as your series of digits may very well begin with a zero... which will be stripped once converted to integer.
ex. 01234 to int = 1234 and then you're stuck
as your problem seems very "special", I don't have a lot more clues than trying to make it work for you. As far as security goes, I think we warned you many times ; this said, your script basically redirects clicks (for counting & tracking purposes, I guess) so it shouldn't be that much trouble. In theory ;-)
as for regexps, if you're not a "kleenex" programmer or masochistic, stay away from them. Use code that you will be able to read and understand in some months ;-)

tableman (Posts: 26)
Re: pass value from url to url
« Reply #14 on: April 06, 2007, 02:42:44 PM »
As stated in an earlier post, when I include htmlentities:
Code:
<?php
$zob=htmlentities($_GET['subid']);
header ("location:http://xyzwebsite.htm?login=apin&source=$zob");
?>
the page will not open at all.
If I remove htmlentities and make no other change, the page opens, but there is no value for source=.
Logged
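
Added example (not part of the thread and not any poster's code): the three treatments debated in Replies #8, #12 and #13, namely (int), htmlentities() and the anchored regex with the D modifier, applied side by side to constructed subid values. The helper name redirect_target() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. All inputs below are constructed.

// Hypothetical helper: returns the redirect target, or null when subid is rejected.
function redirect_target($subid)
{
    // Anchored digits-only match. The D modifier stops "$" from matching
    // before a trailing newline, so a value ending in "\n" is rejected too.
    if (!is_string($subid) || !preg_match('/^\d+$/D', $subid)) {
        return null;
    }
    // Validated as digits only: leading zeros are kept and no CR/LF can get through.
    return 'http://xyzwebsite.htm?login=apin&source=' . $subid;
}

$samples = array(
    'plain digits'     => '123456',
    'leading zero'     => '012345',
    'trailing newline' => "123456\n",
    'embedded CRLF'    => "123456\r\nX-Test: 1",
    'empty / missing'  => '',
);

foreach ($samples as $label => $raw) {
    $target = redirect_target($raw);
    printf(
        "%-17s int=%-7d entities=%-24s no-D=%d with-D=%d target=%s\n",
        $label,
        (int) $raw,                       // keeps only the leading digits, drops leading zeros
        json_encode(htmlentities($raw)),  // json_encode makes CR/LF visible; htmlentities leaves them in
        preg_match('/^\d+$/', $raw),      // same pattern without the D modifier
        preg_match('/^\d+$/D', $raw),     // pattern as suggested in Reply #12
        $target === null ? '(rejected)' : $target
    );
}

// In the redirect script itself (commented out so the example runs from the CLI):
// $target = redirect_target(isset($_GET['subid']) ? $_GET['subid'] : null);
// if ($target === null) { header('HTTP/1.1 400 Bad Request'); exit('invalid subid'); }
// header('Location: ' . $target);
// exit;
```

Each output row shows what would end up after source= under each treatment, so the leading-zero loss with (int) and the control characters that htmlentities() leaves in place can be compared directly with the values the regex accepts.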