
PHP newbie, I'm trying to make my site tamper proof. I want to reload the page url if somebody modifies the url in the browser address bar. One way I've thought of would be to store the page url in a session variable, to be reused in case of need.
The next page url comes from a SQL query based on user choices (and there could be dozens of them) so I don't know in advance what the url will be. What I'd like to do is recover the address which is transmitted to the server when the user clicks on a link (the address which Firefox shows in the bottom left hand corner when you hover over a link) and store it in a session variable. Is this possible and if so, how can I recover it with PHP?

Horbat
  • That sounds like horrible usability. – Matthew Apr 22 '13 at 20:48
  • If I understand your question correctly, that value is already stored in the $_SERVER array. – Jerry Apr 22 '13 at 20:48
  • Erm... isn't this a very convoluted way of saying: I want to redirect the user back to the previous page? (If not: see Matthew's answer...). – Wrikken Apr 22 '13 at 20:52
  • Thanks all. I didn't explain myself very well. What I want to do is, if I have ?a=b&b=c in the address bar and the user changes it to ?x=y&y=z and presses Enter, my code will restore the address ?a=b&b=c thus giving a seamless display of the same page - no branching to an error page like "Apologies, but the page you requested could not be found. Perhaps searching will help." @jerry :)
    It seems to me that the $_SERVER array contains the url of page after the last refresh and the last refresh is made by the naughty user after modifying the address bar...
    – Horbat Apr 23 '13 at 21:05

1 Answer


You really do not need more than one URL. You can use the same URL during the whole sequence of pages, because the server knows what to do next.

Inform yourself about "finite state machines" and how they can help you achieve creating a workflow that allows only a very limited set of actions based on the choices you give to the user. You'll most likely need a session for this.

When done correctly, the user cannot tamper with the URL because all other URLs will result in 404 or something, and trying to fiddle with the one URL that accepts the user's choice will only work if the step wanted is on the list of steps allowed - otherwise nothing changes.

To illustrate:

The first state is "start", and allowed transitions are "answer 1" and "answer 2". These are transitioning to two ending states with no further transitions. So whenever the user gets to the state "answered 1", there is no way he can get to the other state, apart from creating a new session, which also can be forbidden if the machine state is not tied to the session, but to the user's account.

Sven
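The workflow from the answer above, as an added example that is not part of the original post: a session-backed state machine on a single URL where a requested step is applied only if it is on the allow-list for the current state. The state names, the `step` query parameter, the `advance()` helper and the `quiz.php` path are assumptions made for illustration.

```php
<?php
// Added example: allow-list state machine for a single-URL workflow.
// State names and the "step" parameter are hypothetical.

const TRANSITIONS = [
    'start'      => ['answered_1', 'answered_2'],
    'answered_1' => [],   // end state, no way out
    'answered_2' => [],   // end state, no way out
];

/**
 * Apply the requested step if the current state allows it; otherwise keep
 * the current state unchanged. Returns the state the page should render.
 */
function advance(array &$session, $requested): string
{
    $current = $session['state'] ?? 'start';
    // A missing or corrupted stored state falls back to the beginning.
    if (!array_key_exists($current, TRANSITIONS)) {
        $current = 'start';
    }
    // Query parameters can arrive as arrays (?step[]=x), so require a string
    // and compare strictly against the allow-list for the current state.
    if (is_string($requested) && in_array($requested, TRANSITIONS[$current], true)) {
        $current = $requested;
    }
    $session['state'] = $current;
    return $current;
}

// Wiring in a web request (one URL, e.g. quiz.php?step=answered_1):
//   session_start();
//   $state = advance($_SESSION, $_GET['step'] ?? null);
//   ...render the page for $state; unknown query parameters are ignored.

// Constructed demonstration, runnable offline with `php example.php`.
// The inputs simulate a first visit, a tampered value, a valid choice,
// an attempt to switch answers afterwards, and an array-valued parameter.
$session = [];
foreach ([null, 'x=y', 'answered_2', 'answered_1', ['a' => 'b']] as $step) {
    $state = advance($session, $step);
    echo json_encode($step), ' => ', $state, PHP_EOL;
}
```

Because the server renders from the stored state rather than from the address bar, an edited query string redisplays the same page. Keying the stored state to the user's account instead of `$_SESSION` closes the new-session route the answer mentions.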