Passing variables in redirect

9 replies
Howdy folks!

I won't bore you here with the details of why I want to do this, but can anyone please tell me how?

MyClickTracker-AffLink ----to----> clicktracker (which appends a location-based tracking ID, e.g. ?tid=sidebar) ----to----> php-redirect, which picks up the TID in the link before finally redirecting to the vendor page.

*phew!*

An example might be:

satellitesite01.com/linktracker/juicyapples

----to---->

[link-tracking program, which is set to the following link with variable]

mainsite.com/growingapplesebook.php?tid=sidebar

----to---->

[growingapplesebook.php is, itself, a standard php header redirect which contains myAffID and picks up the tid]

vendorpage.com&hop=myaffID&tid=sidebar

--------------------------------

I've tried using [GET] and [REQUEST] functions like this in the "growingapplesebook.php" file:

[[php
header( 'Location: hxxp://mylinkhere.com/?[[php echo $_REQUEST["tid"]; ]]' ) ;
]]

...and...

[[php
header( 'Location: hxxp://mylinkhere.com/?[[php echo $_GET["tid"]; ]]' ) ;
]]

But neither are picking up the "tid" variable, i.e. "sidebar" in this example.

If anyone can help me out with this, I'd be GREATLY appreciative!

Thanks very much,
TheNightOwl

=============================


P.S. And in the event that you are interested as to why...

I want to be able to track which locations/links/banners/etc are leading to conversions by placing a tid linked to each location (e.g. sidebar, banner01, textlink, etc.)

But... I don't want to create fifty thousand links in my link-tracker (with location tids on every link) and then have to go back in and change them all if I want to change the CB affiliate nick.

Instead, I want to be able to point ALL links for Product-A to product-A.php (redirect) and get that redirect to "grab" whichever location TID I append to it in the link-tracker (e.g. product-A.php?tid=sidebar, product-A.php?tid=banner01, etc.).

Does that make sense at all? (I have a feeling I'm overcomplicating it! LOL! )
  • KirkMcD
    mylinkhere.com/?[[php echo $_GET["tid"]; ]]' )
    You're not setting the variable, just passing it.

    Do this:
    header( 'Location: hxxp://mylinkhere.com/?tid='. echo $_GET["tid"] ) ;
  • TheNightOwl
    Heya, Kirk

    Thanks very much for taking a punt. (Thanks, also, to Jeff, who PMed me).

    No joy, though, I'm afraid. This is what I get...

    Parse error: syntax error, unexpected T_ECHO in /home/filepathhere/growingbigjuicyapplesebook.php on line 2



    P.S.
    Thanks for highlighting the missing tid= by the way. In my head I realised I would only be pulling the value of tid, but I missed a step in the execution. I may have gotten it to work and then not got any actual reporting from the affiliate network anyway. Doh!
  • SteveJohnson
    What's with all the "echo"s?

    The simplest is to do this:

    header( 'Location: hxxp://mylinkhere.com/?tid=' . $_GET["tid"] );

    However...raw user input should never be used. If you know exactly what form the tid should be, you can sanitize the input. At the bare minimum, use stripslashes:


    $tid = stripslashes( $_GET['tid'] );
    header( 'Location: hxxp://mylinkhere.com?tid=' . $tid );
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

  • TheNightOwl
    Thank you very much, Steve!

    Jeff sent me the very same code via PM so thanks again to him, too. Being a dumb-arse, I didn't think it worked because the tid didn't show up on the vendor page along with the hop (I'm testing this with some CB products). Of course, it does get passed ("invisibly") and a look in my reports today shows that to be true.

    So thanks again.

    Jeff also mentioned sanitizing further. I'm a total novice re: php so I didn't really know what that meant.

    I've done a little research and I understand a bit better now. I also went over to w3schools and found the various filtering functions.

    My variables are just letter/number combinations such as "sidebar," "banner01," "404page." etc.

    I couldn't see any of the sanitizing functions that would remove everything except letters and numbers. (And I wouldn't have the faintest idea how to actually use that code anyway! I read this tutorial, but don't really understand it, to be honest.)

    I understand the basic idea that if I don't sanitize it, then someone could come along, append some nasty string to the end of the URL and do bad stuff (the likes of which I have no idea; "bad stuff" is enough for me to understand that I'd want to avoid it, if possible! )...

    My situation is that I'm going from [link on my affiliate page] to [link-tracker/redirect] to [redirect that picks up the tid].

    Someone would have to know the URL of that redirect picking up the tid to do any damage, wouldn't they?

    And that's not publicly available because it's inside my link-tracking software. If they appended something nasty to the affiliate link, wouldn't it just get stripped out when it hit the link-tracker? I don't see any way for the link-tracker to "pass on" anything added to the URL that's "visible" on the affiliate page.

    This may all be becoming a little convoluted. I don't know. :confused:



    At any rate, I'm really, really appreciative of the help I've received.

    Merci bien!
    TheNightOwl
  • TheNightOwl
    P.S.

    I just doublechecked and the code Jeff suggested was:

    $tid = strip_tags($_GET['tid']);
    // you probably should further sanitize this input
    header( 'Location: hxxp://mylinkhere.com/?tid=' . $tid );


    - Does this do something different to stripslashes?
    - Which one is better?
    - Can they be used together?

    I found some interesting things HERE. (Most of which I don't understand!)

    Thanks!
  • SteveJohnson
    The thing you're trying to guard against mainly is MySQL injection tactics. Hackers know that any URL with a query string is probably going to be processed by accessing a database at some point. Google "MySQL injection attack" for more information.

    The short course is that the bad person will add a MySQL query to the URL in hopes of compromising the database. In order to do that, any quote marks in the URL need to be "escaped", in other words, prepended by a backslash. The stripslashes function strips out those backslashes, resulting in an invalid, hence harmless, URL.

    Someone would have to know the URL of that redirect picking up the tid to do any damage, wouldn't they?
    No, they wouldn't, and therein lies the danger. People with too much time on their hands will run injection attempts on any url that they suspect is harboring a database.

    Since you know the form your tid is ( alpha-numeric only ) you can use a regular expression to filter out bad requests. If the request contains illegal characters, you don't process it. So:

    PHP Code:
    $ tid = stripslashes( $ _GET['tid'] );
    if ( ! preg_match( '/[^a-zA-Z0-9-_]/', $ tid )
       ## if $ tid contains only letters, numbers, hyphen, or underscore,
       ## go ahead and redirect
       header( "Location: hxxp://mynewurl.com?tid=$ tid" );
    ( strip out the spaces after the dollar signs in the variables, this editor is choking on those )

    Here's what the above does:
    1. get rid of any backslashes in input
    2. match against a regular expression allowing only alpha-numeric, hyphens, and underscores
    3. if there is no match ( ! or NOT ), go ahead and redirect. if there is a match, do nothing

    Might be kind of hard to understand. What we're looking for is a false return from preg_match. We want to match any character EXCEPT ( the ^ sign in the reg expression) a-z, A-Z, 0-9, - or _. If there IS a match, this means it's an unwanted character, so the function returns true. If there is no match, it means the string has only acceptable characters so shouldn't be a danger.

    Clear as mud?

    BTW, strip_tags does nothing but remove HTML tags from the string, useless for our purposes.
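As an added example (not code from any poster in this thread), here is one way to write the redirect so that only a tid made of letters, digits, hyphens or underscores is forwarded, and anything else is dropped. The destination URL, the `hop` value, the 32-character limit and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. VENDOR_URL and AFFILIATE_ID are placeholders.
const VENDOR_URL   = 'https://vendor.example/'; // fixed destination, never taken from the request
const AFFILIATE_ID = 'myaffID';                 // placeholder affiliate nick

/**
 * Return the tid if it is 1-32 letters, digits, hyphens or underscores; otherwise null.
 * The 32-character limit is an assumption, not something stated in the thread.
 */
function clean_tid($raw): ?string
{
    // ?tid[]=x arrives as an array and a missing tid as null: reject both.
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor the whole string; a plain $ would also accept "sidebar\n".
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1 ? $raw : null;
}

/** Build the redirect target; an invalid tid is dropped rather than forwarded. */
function redirect_target($raw): string
{
    $params = ['hop' => AFFILIATE_ID];
    $tid = clean_tid($raw);
    if ($tid !== null) {
        $params['tid'] = $tid;
    }
    // http_build_query percent-encodes each value as a second layer of protection.
    return VENDOR_URL . '?' . http_build_query($params);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; run from the command line to see how each is handled.
    $samples = ['sidebar', 'banner01', '404page', "sidebar\n", 'side bar', 'a&hop=other', ['x'], null];
    foreach ($samples as $s) {
        echo str_pad(json_encode($s), 16), ' => ', redirect_target($s), PHP_EOL;
    }
} else {
    header('Location: ' . redirect_target($_GET['tid'] ?? null), true, 302);
    exit;
}
```

Neither `stripslashes` nor `strip_tags` removes characters such as `&`, spaces or line breaks, which is why the example relies on the allow-list match instead of either function.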
  • TheNightOwl
    Heya, Steve

    Really appreciate your help.

    Clear as mud?
    Not at all. I read about MySQL injection attacks just the other day over here. I'd heard the phrase before, but didn't really know what it meant.

    I don't really understand all the syntax of your code there, but from your gloss I do understand what it's supposed to achieve. (Its logic seems a little counter-intuitive at first, but I get the intended functionality.)


    I tried that code. This is what I get, unfortunately...

    Parse error: syntax error, unexpected T_STRING in /home/filepath/bigoldjuicyapples.php on line 6

    Booooo~~~~~!

    I double-checked that I'd removed the spaces. I double-checked the final semi-colon. I changed double-quotes to singles. All no go.

    Not sure why.

    Any ideas?



    P.S. On a sidenote, when I slapped "unexpected T-STRING" into the almighty G-oracle, it returned this neat little two-page affiliate site: http://www.parse-error-unexpected-t-string.com Great, innit?
  • SteveJohnson
    Ay yi yi. Need an extra closing parenthesis on the preg_match line, sorry about that.
  • TheNightOwl
    Dude, did I mention you rock!

    Thank you very, very much. I'm super appreciative of the tech help I get from folks on this forum. Just little things here and there, but they sure do make a big difference for people like me who know enough to be dangerous and no real need or inclination (or the time!) to become an expert.

    Where's that "Buy Steve a Beer" button gone?

    Thanks again,
    TheNightOwl