I'm having a problem with the website that I'm making. I'm making a website where users will be able to go and watch a short video, after that they can Sign Up and get a link to verify their emails. The email goes to their inputted email and they have a verification link which leads to another page. That page has a button which leads to a Full Video. Now I want to prevent users from viewing verify page and the page where users see full video before they verify their emails. I'm fairly new to PHP and I tried something, I think it's not that good but I'm still learning.
I wanted to redirect users when they go to localhost/verify.php and allow them to go on the page when the URL is localhost/verify.php?verified=1, that ?verified=1 URL is being sent to their emails.
But whatever I type it redirects index.php
verify.php
if (stripos($_SERVER['REQUEST_URI'], 'verify.php')){
header('Location: index.php');
}
else if (stripos($_SERVER['REQUEST_URI'], 'verify.php?verified=1')){
header('Location: verify.php');
}
Is there any way I can do this better since the users don't have register option and I'm not saving any sessions.
Even if you are not creating users, you can have a table that just represents these email addresses that contains a key, email, verified(bool), verification_token(unique string) then in the controller for the verified route you can check if that verification token exists, mark the user as verified and pass them along to the video. This also allows you to store a that token in a cookie that you could check for anytime they hit that normal endpoint without the query parameter you could still treat them as verified. It's not full on auth, but it sounds like you don't want a full blown authenticatable user for these emails
Related
I have a page/register. After the user fills in their username and password on the page, I want to redirect them to another page, /new-user, where they can fill the basic information about them. The submit button on the second page will call the API to create a new user.
In React, this is easy with react-dom-router. How do I do the same with Next.js? This Answer
provided a solution with URL queries, but I don't want the user to see ?password=NextJSisHard in the URL.
I did a simple login page using HTML, Javascript. I validate my username and password using 'CGI'. When I click login button, a script 'login.cgi' been called using 'AJAX'. It is a POST method. Once I logged into my website, I went to Inspect element in firefox and clicked Network tab. I selected my 'login.cgi' under the Network tab. When I select the login.cgi, I can see the information of Headers, Cookies, Params, Response and Timings. I clicked Params field and checked that I can view my username and password in a plain text as parameters of that cgi script. I wish to hide my password field from this Inspect element feature. How can I do this?
If the password on your storage are hashed, and you know what alghoritm is used, you can hash your password with the same hash before to send it with post.
Then you can compare this 2 hash.
But what you have seen, it's a classic network problem, you must use an ssl connection to avoid the other person in the network with some attack can read your credentials.
This is your real problem not that the user who have written his credential can see his credentials in the network debugger tab.
I am creating a user authentication system using PHP, JQuery, and AJAX. On submit, a request will be sent to 'authenticate.php' with data: username & password using AJAX. The PHP code checks a database for the record and returns 0 on success, 1 on failure. Then if the returned value is 0, the page will be redirected to the 'user private page' using 'window.location="user.php"'.
Now, the question is, is it safe and proper way to authenticate like this? Are there any security problems to use jQuery/JavaScript to redirect page?
Now, the question is, is it safe and proper way to authenticate like this?
Only if inside your user.php you check again if the user has successfully authenticated already. (This is usually where sessions come into play.)
Otherwise, of course everyone who knows the URL of user.php can access it directly.
Are there any security problems to use jquery/js to redirect page?
The only difference between window.location="user.php" (which is wrong, btw. – correct would be window.location.href="user.php") and, say, a normal link to that page, foo, is that the first one happens automatically, and the second one would require the user to click the link first.
So, it is as “secure” as if you had used a simple link. What that actually means here in this case, depends what I said above.
Depends on how secure and compliant you want you application to be. According to RFCs its not recommended to login like that, but keep the form on server side and integrate the login form on frontend (via iframe), then just redirect with redirect url and token, scopes etc to a local html which then eg. sends a window postmessage to your frontend application.
https://www.rfc-editor.org/rfc/rfc6749#page-19
If you just want to be quick and dirty you can go for window.location.href or document.location.href.
Or a bit more secure, send the user to the server and let this be redirected back, but can end up in redirection hell, as its not easy to get back to the state where the user was (including settings and stuff).
Anyways, you will always have to check for the current users's session state whatever you do afterwards with serverside (Sessions).
Since you are working with PHP already i don't recommend using JS to redirect the user. You can use PHP for that:
if($user == $db['user'] && $password == $db['password']){
$_SESSION['logged_in'] = true;
header('location:user.php');
}else{
echo 'username of password is wrong';
}
Then on your user.php file:
if(isset($_SESSION['logged_in'] && $_SESSION['logged_in'] == true){
echo 'welcome to the user page';
}else{
header('location:index.php');//Go back to login page
}
If people go directly to the user.php page, they will be redirected to the index.php page.
I run a link shortener, the users get paid for visitors which are using the short url. They see a landing page, and with a click at "skip" they are redirected. But some of my users try to cheat, instead of giving their visitors the short url like example.com/a/53425, they give them http://example.com/a/pugt.php?url=53425 with pugt.php are 2 sql queries performed:
the target url is retrieved from the database
the creator of the url gets +1 point per visitor.
That means that the visitors are redirected without seeing the ads at my landing page, and the user gets his points. Is there any way to hide this php file, or to perform this sql queries in a smarter way?
This is the source code of the "skip" button at my landing page:
$url is the id of the short url like 53425
<section class="example">
<br/>
<br/>
<center><script src="//go.padstm.com/?id=345791"></script></center>
</section>
The best way is to create a token for every url. Add a new database column named token or anything you like.
So your url should look like:
http://example.com/a/pugt.php?token=e49s73tr6198e76dg4&url=53425.
Your php script will update token every time a visitor views your ad and set the new token for next url. Without valid token no one will be able to bypass your add.
Yes Vaze the better way to deal with the hidden urls is to encrypt the url by using urlencode as it is right at your requirement. In this way the users can't understand the url and you will have what you need. And at the time of the backend php magic you need to urldecode your url in order to do the things same as you are currently doing.
I've read a several ways to redirect users to homepage, but, what if I need to redirect them just if they got to that page through a search engine like Google or Bing.
I need this because I'm building a cigar webpage and in some countries is demanded to be a certain age to view the content.
You could set a cookie or session through PHP/JavaScript on the first website visit, and check on all upcoming visits if the cookie already exists. If not, redirect them to the homepage.
In PHP you can use the function:
$_SERVER['HTTP_REFERER'];
I believe this will also retrieve the full URL you was referred from.
See: http://php.net/manual/en/reserved.variables.server.php
Ignore the above answer as I read the question wrong. Best thing to do would be store within a session. If a session key exists then do not redirect, if it doesn't then do a redirect.
<?php
session_start();
$_SESSION['existingUser'] = true;
print_r($_SESSION);
?>