Help with security check code

Hi, I have a site constructed by 3rd party software, which does allow me to change some of the code.
I have generated pages and my own pages; the generated pages are protected by user level authorisation, which I want to extend to the non protected pages in the same directory in order to stop clients having access to these pages without login or being already logged in.
If for example they go to ferry.php, through normal login they have no problem, but if they try to access it directly I have put code in which stops them, but doesn't have the desired effect of redirecting them to login, coming up with the error, headers already sent.
Here is the code taken from a generated page that works, sends them to login, and when successful, returns the page. I include the html below the php code. There is something glaringly obvious I am not doing correctly or not understanding… (should I strip the html head code out??)
#1 correct and working:
[php]<?php

@session_start();
$_SESSION["SkipConnectMySQL"] = "";
require('qs_connection.php');
require('qs_functions.php');
//Check security login
$pagesecure_level = 3;

if (strtoupper(qsrequest("logout")) == "Y") {
    $_SESSION["Mtas_UserLevel"] = 0;
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_UserLogon"] = "";
    $_SESSION["Mtas_RedirectURL"] = qssession("firstredirecturl");
    header("Location: ./mtas_login.php");
    exit();
}

if (qssession("Mtas_Logon") != "TRUE") {
    $_SESSION["Mtas_RedirectURL"] = "./" . rawurlencode("mtas") . ".php?" . qsservervars("QUERY_STRING");
    header("Location: ./mtas_login.php");
    exit();
}

if (qssession("Mtas_UserLevel") == "") {
    $_SESSION["Mtas_UserLevel"] = 0;
}
if (qssession("Mtas_UserLevel") < $pagesecure_level) {
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_RedirectURL"] = "./" . rawurlencode("mtas") . ".php?" . qsservervars("QUERY_STRING");
    include_once('mtas_login.php');
    exit();
}
[/php]

#2 Not working:
[php]<?php

@session_start();
// >> START OF "after session init" [SESS001] [POST] [START] [SRV] [74927473-E5E6-47E6-9F06-64B0176D9DCB] [Mtas Data]
// << END OF "after session init" [SESS001] [POST] [STOP] [SRV] [74927473-E5E6-47E6-9F06-64B0176D9DCB] [Mtas Data] END>>
$_SESSION["SkipConnectMySQL"] = "";
require('qs_connection.php');
require('qs_functions.php');
//Check security login
$pagesecure_level = 3;

if (strtoupper(qsrequest("logout")) == "Y") {
    $_SESSION["Mtas_UserLevel"] = 0;
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_UserLogon"] = "";
    $_SESSION["Mtas_RedirectURL"] = qssession("firstredirecturl");
    header("Location: ./mtas_login.php");
    exit();
}

if (qssession("Mtas_Logon") != "TRUE") {
    $_SESSION["Mtas_RedirectURL"] = "./" . rawurlencode("ferry") . ".php?" . qsservervars("QUERY_STRING");
    header("Location: ./mtas_login.php");
    exit();
}

if (qssession("Mtas_UserLevel") == "") {
    $_SESSION["Mtas_UserLevel"] = 0;
}
if (qssession("Mtas_UserLevel") < $pagesecure_level) {
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_RedirectURL"] = "./" . rawurlencode("ferry") . ".php?" . qsservervars("QUERY_STRING");
    include_once('mtas_login.php');
    exit();
}
?>
[HTML head of the page followed here: title "Ferry Tickets", style body{margin:0;padding:0;}]
[/php]

Well, not sure what this code is really doing for you, but, a quick look at it basically notes only a couple of differences in the code. You are using some odd code to change text characters into “encoded” versions.
Why? This is normally used to encode special characters. Therefore, something like this line:
“./” . rawurlencode(“ferry”).".php
just wastes server time. Here is a link to explain it inside the PHP manual. Hope that helps.
http://php.net/manual/en/function.rawurlencode.php

So, the word “ferry” becomes “ferry”… Why call a routine just to do nothing.

Next, we can not assist you in debugging your code if we don’t know your secrets you hide in includes.
So this code:
[php]
if (strtoupper(qsrequest("logout")) == "Y") {
    $_SESSION["Mtas_UserLevel"] = 0;
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_UserLogon"] = "";
    $_SESSION["Mtas_RedirectURL"] = qssession("firstredirecturl");
    header("Location: ./mtas_login.php");
    exit();
}
[/php]
shows us that you are doing a compare based on a class using a name of 'qsrequest("logout")'.
There is no way to know what that is by reading your code. My suggestion is to debug your code
the old faithful way. Alter it to display all of the variables first before the compare. As in the above code,
do something like this to help locate the error:
[php]
die(qsrequest("logout")); // <-- kills it here and shows you the value...
if (strtoupper(qsrequest("logout")) == "Y") {
    $_SESSION["Mtas_UserLevel"] = 0;
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_UserLogon"] = "";
    $_SESSION["Mtas_RedirectURL"] = qssession("firstredirecturl");
    header("Location: ./mtas_login.php");
    exit();
}
[/php]
What this will allow you to do is simply follow the flow of your code and show where it fails.
In the above case, you will find out if this routine ever even executes. You do that for each
part of your code and find out what each part is starting with. Just work down the code seeing
if the inputs to each part are what you are expecting. As you "run" the page and the code starts,
you can locate the error section. My guess is that your code is correct, but, not getting the correct
inputs to do what you want.

Sorry, there was no simple fix for this. Debug it further and let us know what you find… Good luck.

Thanks for your help. I made a bit of a mistake in showing code that works and doesn't, which might have been more helpful.
In the end I actually pasted this code to the html header of the page, and it does the job almost, which is that it stops access and redirects to logon from a direct link, although from a direct link the page after logon is not ferry.php, but index.php. I take your point, and will tidy up the rawurlencode.
[php]<?php

@session_start();
$_SESSION["SkipConnectMySQL"] = "";
require('qs_connection.php');
require('qs_functions.php');
//Check security login
$pagesecure_level = 3;

if (qssession("Mtas_UserLevel") < $pagesecure_level) {
    $_SESSION["Mtas_Logon"] = "FALSE";
    $_SESSION["Mtas_RedirectURL"] = "./" . rawurlencode("ferry") . ".php?" . qsservervars("QUERY_STRING");
    include_once('mtas_login.php');
    exit();
}
?>[/php]

Regards from ‘la Isla Bonita’ Canarias
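An added example, not code from this thread or from the generator that produced these pages: a reusable guard for hand-written pages such as ferry.php that refuses to run once output has started (the cause of "headers already sent"), records the requested page so the login page can return the user there instead of index.php, and only accepts a same-site .php name as that return target. The session keys and the mtas_login.php file name follow the thread; reading $_SESSION directly instead of qssession() is an assumption.

```php
<?php
// Added example: a login guard for hand-written pages such as ferry.php.
// Assumption: the same session keys the generated pages use (Mtas_Logon,
// Mtas_UserLevel, Mtas_RedirectURL) and the same login page (mtas_login.php).

function require_user_level(int $required_level): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // A redirect can only be issued before any output. If the HTML head (or
    // even a blank line before <?php) has already been sent, header() fails
    // with "headers already sent"; fail explicitly rather than serving the
    // protected page anyway.
    if (headers_sent($file, $line)) {
        error_log("Login guard called after output started at $file:$line");
        http_response_code(500);
        exit('Server configuration error.');
    }

    $loggedIn = (($_SESSION['Mtas_Logon'] ?? '') === 'TRUE');
    $level    = (int) ($_SESSION['Mtas_UserLevel'] ?? 0);

    if ($loggedIn && $level >= $required_level) {
        return; // authorised: the caller may now render the page
    }

    // Remember where the user was going, so the login page can send them back
    // to ferry.php rather than index.php. Only a plain same-site script name is
    // accepted, so the stored value can never point off-site.
    $target = basename($_SERVER['SCRIPT_NAME']);
    $query  = $_SERVER['QUERY_STRING'] ?? '';
    if (preg_match('/^[A-Za-z0-9_\-]+\.php$/', $target) === 1) {
        $_SESSION['Mtas_RedirectURL'] = './' . $target . ($query !== '' ? '?' . $query : '');
    } else {
        $_SESSION['Mtas_RedirectURL'] = './index.php';
    }

    $_SESSION['Mtas_Logon'] = 'FALSE';
    header('Location: ./mtas_login.php', true, 302);
    exit();
}

// Call this as the very first thing in ferry.php, before <!DOCTYPE html>
// and before any whitespace or byte-order mark:
// require_user_level(3);
```

The login page still has to read Mtas_RedirectURL after a successful login and redirect there; the guard only records the target. Any whitespace or a UTF-8 byte-order mark before the opening <?php counts as output and will trigger the headers_sent() branch.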
