PHP "restrict access to page" behavior oddity - extra "/" in URL

Report · Jun 14, 2010

I have a page with the 'Restrict Access to Page' behavior applied.

The URL that is created is like: "http://domain.com/login.php?accesscheck=%2Fprojects.php"

The %2F in front of projects.php is somehow causing the URL that shows in the browser address area to be login.php instead of projects.php after I enter the correct username and password and the browser navigates to projects.php. So you end up on the correct page, projects.php, but in your browser's address area, it shows login.php.

If I manually remove the %2F, making the accesscheck URL: "http://domain.com/login.php?accesscheck=projects.php", refresh, and put in the correct username and password, it navigates to the correct destination, projects.php, and the correct URL displays in the browser address area.

The %2F slash seems to come out of this section of code:

$MM_restrictGoTo = "login.php";

if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {

$MM_qsChar = "?";

$MM_referrer = $_SERVER['PHP_SELF'];

if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";

if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)

$MM_referrer .= "?" . $QUERY_STRING;

$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);

header("Location: ". $MM_restrictGoTo);

exit;

}

...specifically, $QUERY_STRING. It seems to have an initial "/" character, even though nothing I've coded uses it. When the DW behavior code creates $MM_referrer, and then applies urlencode(), the / gets converted to %2F.

So I'm mystified as to where this extra / comes from in $QUERY_STRING, and why it keeps the URL in the browser from correctly showing the page it navigated to (projects.php).

Report · Jun 14, 2010

Don't know which version of Dreamweaver you're using, but $QUERY_STRING is deprecated code. Replace all instances with $_SERVER['QUERY_STRING'].

Report · Jun 15, 2010

Thanks, David.

I'm using CS4.

I saw a post on a related topic also say to use $_SERVER['QUERY_STRING'], and have replaced all instances, but unfortunately, the problem remains.

Considering that $_SERVER['QUERY_STRING'] gets its value from the server (yes?), there's probably not a lot that Dreamweaver can do to control it. I don't see anywhere in the chain of Dreamweaver code that would cause this, it is more likely to be a server issue.

That being said, and you being a seasoned professional, can you think of any reason or known setting a server would have to do this?

To me, the seemingly arbitrary prepending of a / character, even if technically correct from a path perspective, seems strange. I have not run into this behavior before. I'm also still bewildered as to why the browser doesn't show the correct URL for the page being displayed. You end up looking at the projects.php page, but have the login.php URL in the address area. This happens in all my test browsers... Safari, Opera, Firefox, Chrome, all on Mac OSX 10.6.

I think I'll have to write some custom code to detect and remove the /.

Report · Jun 15, 2010

The leading slash comes from this line:

$MM_referrer = $_SERVER['PHP_SELF'];

This correctly redirects the user to the referring page when used on a live server or in a virtual host. Presumably, you're testing in a subfolder of localhost, which is why it doesn't work.

$_SERVER['PHP_SELF'] produces a site-root-relative path, such as /products/widgets.php.

Report · Jun 15, 2010

Interesting.

Actually, no, I'm testing on a live server (from a hosting company I've never used before).

I made a page to view phpinfo(), and it reports

_SERVER["PHP_SELF"]

/phpinfo.php

... so that test page proves your point, the leading slash comes from PHP_SELF.

I'm still unclear as to why this leaves the browsers in the weird state of displaying the correct destination page, but having the URL for the login page in the address field. Shouldn't having the destination as "/projects.php" or "projects.php" be the same? All this is in the site root.

I'm thinking I should probably put this question to the hosting company. Sadly their responsiveness is not so good thus far.

In the meantime, I'll try writing some code to pull out that slash.

EDIT: This seems to work:

  if ((strpos($MM_referrer, "/")) == 0) $MM_referrer=ltrim($MM_referrer, "/");

I certainly appreciate your help!

Message was edited by: mmasquith

Report · Jun 16, 2010

If your browser's address bar is not updating it could be something to do with a rewrite rule in an .htaccess file. Your hosting company should be able to advise - if not you could always change to a more responsive one!

Ed

Report · Jun 16, 2010

Hi, Ed.

No .htaccess files on the server I can see. Checked all the folders, not just httpdocs.

Now that I have the code to remove that initial /, the URL in the browser address bar is correct.

I've used the stock, unmodified 'Restrict Access to Page' behavior on several other sites without this weirdness.

I may indeed have to recommend we change hosting, jury is still out on that.

Thanks.