PHP - passing a variable through a redirect

[Cataclysmic]

I am able to send traffic from my ad, to a page on my own website, which then automatically redirects to an offer.

I did that by setting the destination URL of the ad to

http:// mywebsite.com/testpage.php​

which contains the following code:

<?php
header( 'Location: http:// ww w.finalwebsite. com/testpage.php' ) ;
?>
​

That worked fine.
Now I want to be able to pass a variable through that redirect but I can't figure out how. Here's what I've tried....
I set the destination URL of my ad to

http:// mywebsite.com/testpage.php?variable=cataclysmic​

And that page contains the following code:

<?php
$variable = $_GET['variable'];
header( 'Location: http:// ww w.finalwebsite. com/testpage.php?variable= echo $variable; ' ) ;
?>​

I've tried a few variations on that and nothing is working. "cataclysmic" never gets through to the final page, or I get various error messages. Can anyone tell me how to do what I'm trying to do?

Thanks.

 

[Rage9]

Wrong section but...

<?php
header( 'Location: http:// ww w.finalwebsite. com/testpage.php?variable=' . $_GET['variable'] ) ;
?>

 

[indianman]

echo? No. Get the variable, then:


<?php header("Location:http://ww w.blahblah.com/pagename?variablename=$variable"); ?>

 

[Cataclysmic]

@ Rage - Perfect thanks a lot that solved the problem.

 

[ikonic]

i would also suggest parsing the get variable to stop http response splitting attacks

 

[Cataclysmic]

i would also suggest parsing the get variable to stop http response splitting attacks

Eh? I'm sure what you said is valuable information, but I have no idea what it means. If you could explain in English and/or give an example of what you mean that would be fantastic. Thanks.

 

[Rage9]

i would also suggest parsing the get variable to stop http response splitting attacks

So glad you posted an example....

I want to think he's talking about SQL injections. Someone could compromise you server with an attack by using statement you wouldn't think. You should always clean any sql statement you make just in case. Luckily there is a simple way to deal with this:

$variable = mysql_real_escape_string($_GET('variable'));
header('location:http// somewebsie .tld / phpscript.php?variable=' . $variable);

You can also clean the variable on the final page.

I'm drunk as fuck writing this but you should get the point.

 

[indianman]

^^ That's SQL injection.

HTTP Response Splitting:

PHP itself was vulnerable, it was patched.
For your code above, use htmlentities(). That should do.
Of course, you can do preg_match if you want to overkill.

 

[Aequitas]

^^ That's SQL injection.

HTTP Response Splitting:

PHP itself was vulnerable, it was patched.
For your code above, use htmlentities(). That should do.
Of course, you can do preg_match if you want to overkill.

You only need to worry about SQL injection if your running database queries in the script, if your not then no need to worry.

 

[indianman]

^^ That's correct. And the funny thing is, mysql_real_escape_string itself was vulnerable to SQL injection, for a while

I avoided mentioning it, or any other facts, because it won't have helped OP in anyway. He was just looking for a "plain English" solution.

Now, strictly speaking, response splitting attack is done by manipulating the headers. And what is the relevancy here? I leave it to you to decide.

The other closely related vulnerability, which is caused by the manipulation of form variables, can be avoided by using htmlentities(). So, I posted just that, instead of passing comment on the "SQL injection post" or the "HTTP Response splitting post". Reason: OP won't have benefitted from that in any way.

 

[ikonic]

By changing the value of the $_GET request I can split the outputted header redirect by inserting carriage returns or line breaks into the redirect

CR = %0d = \r
LF = %0a = \n

hxxp://somesite.com/redirect.php?url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22xss%27d%22)%3C/script%3E

or you can simple pass javascript into the variable (don't think mysql_real_escape_string or htmlentities will help here)

hxxp://somesite.com/redirect.php?url=javascript:alert(document.cookie);

 

[BlackMelvyn]

ikonic has put the finger on a major weakness
XSS attacks can be terrible so you must always test variables you get from GET and POST values

 

[Cataclysmic]

The last few posts in this thread are way over my head, but I have a question about the original solution posted by Rage:

<?php
header( 'Location: http:// ww w.finalwebsite. com/testpage.php?variable=' . $_GET['variable'] ) ;
?>

This has been working well for me - the variables are getting through smoothly to the destination so all is well.

I'm sending traffic like this:
Google ---> My Page With The Redirect Code ---> Affiliate Offer Page

I thought that by doing this, the advertiser (of the affiliate offer) would only see the traffic coming from my page with the redirect code, and would not be able to see the original source of my traffic (Google).

However, I've just learned that the advertiser DOES know the original source of my traffic.

• How do they know?
• And if hypothetically I wanted to prevent them from seeing the original source how would I do that?

NOTE: I'm sending legitimate traffic - this is all whitehat - I just would like to understand how it works.

Thanks.