
I am new to PHP and hope someone can help me with this.

I am trying to cover the following scenarios in a header file that is included on all my pages:

  1. IF session variable "status" is not set AND page name is not "login" or "user" THEN redirect to login page.
  2. IF session variable "status" is not set AND page name is "user" AND variable "resetToken" is not set THEN redirect to login page.

So far I have the below which works for all pages when accessing them from the browser but when I use a link from an email like the following I still get redirected even if the link contains the variable "resetToken":

Example link: https://www.myurl.com/user.php?resetToken=abcde

My PHP (in header include):

```php
$baseURL = "https://www.myurl.com";
$pageURL = basename($_SERVER["REQUEST_URI"]);
$pageName = pathinfo(parse_url($pageURL, PHP_URL_PATH), PATHINFO_FILENAME);

if( (!isset($_SESSION["status"])) && ($pageName != "login") && ($pageName != "user") ){
    header("Location: " . $baseURL . "/login.php");
    exit;
}
if( (!isset($_SESSION["status"])) && ($pageName == "user") && (!isset($_GET["resetToken"])) ){
    header("Location: " . $baseURL . "/login.php");
    exit;
}
```

I have two questions regarding this:

  1. Does $_GET not work when accessing a page through an email link or do I have to change something else here ?
  2. Is there a way to combine these checks in one IF statement instead of having two in a row ?

Many thanks for any help, Mike

keewee279
    Of course you can combine the `if`s. You should consider the readability disadvantage when doing so. URL parameters in emails are sometimes hampered by implicit linebreaks (auto-breaking at 72 characters or less in some clients for plain text mails). – mario Jul 11 '15 at 12:57

2 Answers

```php
$baseURL = "https://www.myurl.com";
$pageURL = basename($_SERVER["REQUEST_URI"]);
$pageName = pathinfo(parse_url($pageURL, PHP_URL_PATH), PATHINFO_FILENAME);

if( (!isset($_SESSION["status"])) &&
    ($pageName != "login") &&
    ($pageName != "user")
     ||
    (!isset($_SESSION["status"])) &&
    ($pageName == "user") &&
    (!isset($_GET["resetToken"]))
    )
    {
       header("Location: " . $baseURL . "/login.php");
       exit;
    }
```

You have 2 if conditions and you are redirecting to same page... You can combine them into 1 if condition.

Umair Ayub
  1. $_GET does work no matter where the URL was clicked.
  2. Combining the two statements is easy, just wrap them with () and combine them with ||.

```php
if(
    (
        (!isset($_SESSION["status"])) && ($pageName != "login") &&
        ($pageName != "user")
    ) || (
        (!isset($_SESSION["status"])) && ($pageName == "user") &&
        (!isset($_GET["resetToken"]))
    )
){
    header("Location: " . $baseURL . "/login.php");
    exit;
}
```

When it is redirecting even though you have set the token, you should dump the variable before. The code as it is should not redirect when the token is set.

oshell
  • Thanks a lot for this! I tried this but I am still getting redirected to the login page when the URL contains /user.php?resetToken=xyz. When dumping the variable I get NULL. Any thoughts on this? - This even happens if I paste the URL manually in the browser so for some reason it seems it doesn't recognize the variable here. – keewee279 Jul 11 '15 at 13:04
  • Update: I think I know what's causing this (not sure how to fix it though): When I just use letters and numbers for the variable then it works but in my case the variable contains some hashed and encrypted information in order to reset a password and it looks like this way it doesn't recognize the variable. - The only special signs this contains are $ signs and forward slashes which are created by PHP. – keewee279 Jul 11 '15 at 13:10
  • that's unrelated to your question. I do not know how this variable looks. – oshell Jul 11 '15 at 13:11
  • I figured this out. I had to use urlencode when creating the variable for the link (in my case the variable contained hashed and encrypted information that includes some symbols) - then it is recognized properly. I am accepting this answer since it resolved to combine the 2 statements. – keewee279 Jul 11 '15 at 13:28
  • yeah, would you have mentioned the problem with symbols I could have told you that too :). anyway, glad it works now. – oshell Jul 11 '15 at 14:51
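
An added example, not part of the thread: it runs the question's page-name derivation against a reset link whose token contains `$` and `/`, once raw and once passed through `urlencode`, and prints whether the combined rule would redirect. The token value, `pageNameFromPath` and `mustRedirect` are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. The token below is constructed.

// Page name exactly as the question's header derives it.
function pageNameFromBasename(string $requestUri): string
{
    $pageURL = basename($requestUri);
    return pathinfo((string) parse_url($pageURL, PHP_URL_PATH), PATHINFO_FILENAME);
}

// Alternative (assumption): drop the query string before taking the file name.
function pageNameFromPath(string $requestUri): string
{
    return pathinfo((string) parse_url($requestUri, PHP_URL_PATH), PATHINFO_FILENAME);
}

// The two redirect rules from the question as one predicate.
function mustRedirect(array $session, string $pageName, array $get): bool
{
    if (isset($session["status"]) || $pageName === "login") {
        return false;
    }
    return !($pageName === "user" && isset($get["resetToken"]));
}

$token = '$2y$10$Qx/9aB.cD';   // constructed; single quotes keep the $ literal
$links = [
    "raw"       => "/user.php?resetToken=" . $token,
    "urlencode" => "/user.php?resetToken=" . urlencode($token),
];

foreach ($links as $label => $uri) {
    // Rebuild what PHP would place in $_GET for this request.
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $get);
    foreach (["pageNameFromBasename", "pageNameFromPath"] as $fn) {
        $page = $fn($uri);
        printf("%-9s %-20s page=%-6s redirect=%s\n",
            $label, $fn, $page, mustRedirect([], $page, $get) ? "yes" : "no");
    }
}
```

With the raw link, `basename()` treats the `/` inside the token as a path separator, so the derived page name is no longer `user` and the first rule redirects even though `resetToken` is present.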