Re: Header - Redirect Command Not Working

On Wed, Mar 11, 2009 at 12:38, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
>
> One more thing to mention: The HTTP Protocol requires you to give a
> full URL on "Location" Headers. That means that this is wrong:
> "Location: file.txt"
> and this is correct
> "Location: http://www.x.x/file.txt"
>
> Not all clients behave like yours and accept the wrong header.

    The *protocol* does not, but the HTTP/1.1 specification does.
However, it should be noted that *all* modern browsers accept relative
URIs vs. the requirement of absolute URIs.  Thus, the header is
"non-standard," but is not "wrong."  Your point is accurate, though:
it should include the full resource.

> erm .... <META> should be in an HTML document inside the <HEAD>, not *anywhere*.

    That's the recommended order, but it's not required.  Not even in
1982 when the spec was written.  In fact, the placement in HEAD is so
that, with the original specifications, a server would be permitted
(though again, not required) to read the META tags within HEAD to form
and send its own headers via HTTP in conjunction with the plain-text
data from the document.

> Very, very, very bad idea. You just opened a cross site scripting bug.
>
> Imagine someone opens this URL
> host/yourfile?id="><script>alert(document.cookie)</script>
>
> You must always escape any input you take.
> see http://php.net/security

    This is always true of any user-side input being sent to a script
(though the example may seem a little humorous because, if a person is
that desperate to see their cookie data, their browser truly sucks).

    Once again, for anyone who hasn't been paying attention or who
doesn't yet have the acquired knowledge from their own painful
experiences, *never* copy and paste code from this list or any other
medium.  Always evaluate it yourself first.  This list is meant for
assistance and those on it provide "pseudocode," not production-worthy
code.  The rest is, as has always been, at your own risk.

-- 
</Daniel P. Brown>
daniel.brown@xxxxxxxxxxxx || danbrown@xxxxxxx
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW10000
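The two points argued in this message, an absolute URL in the Location header and escaping of the `id` parameter before it is echoed into the page, as one added PHP example. This is illustrative code written for this archive page, not code posted by either participant; `absoluteLocation` and `escapeHtml` are names chosen here, `www.example.com` is a constructed host, and the sample `id` value is the payload Jan quoted above. RFC 2616, the HTTP/1.1 text current when this thread was written, required an absolute URI in Location; the later RFC 7231 relaxed that to allow relative references, which matches the observation that browsers accepted them all along.

```php
<?php
// Added example for the thread above (not from the original posts).
declare(strict_types=1);

/**
 * Build an absolute URL for a Location header from a path on this host.
 * $server is the $_SERVER array (or a constructed stand-in for testing).
 * HTTP/1.1 as specified in RFC 2616 required an absolute URI here.
 */
function absoluteLocation(string $path, array $server): string
{
    // A CR or LF in the target would let a caller split the header block
    // (response splitting); refuse it outright. Current PHP versions'
    // header() also reject such values, but the check documents intent.
    if (preg_match('/[\r\n]/', $path)) {
        throw new InvalidArgumentException('CR/LF not allowed in redirect target');
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? 'localhost';
    return $scheme . '://' . $host . '/' . ltrim($path, '/');
}

/**
 * Escape a value for insertion into HTML text or a double-quoted
 * attribute. ENT_QUOTES also converts both quote characters so the value
 * cannot close the attribute it is placed in.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration input: the payload quoted in the thread.
$id = $_GET['id'] ?? '"><script>alert(document.cookie)</script>';

if (PHP_SAPI === 'cli') {
    // Run from the command line to see both results without sending headers.
    echo absoluteLocation('file.txt', ['HTTP_HOST' => 'www.example.com']), "\n";
    // http://www.example.com/file.txt
    echo '<input name="id" value="' . escapeHtml($id) . '">', "\n";
    // <input name="id" value="&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">
} else {
    // Web context: redirect with an absolute URL and stop producing output,
    // since anything echoed after header() would still be sent to the client.
    header('Location: ' . absoluteLocation('file.txt', $_SERVER), true, 302);
    exit;
}
```

The unescaped form `value="<?php echo $_GET['id']; ?>"` is what the quoted warning is about: the leading `">` closes the attribute and the tag, and the rest is rendered as markup. After `escapeHtml` the same string is inert text inside the attribute.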

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php