Home/ Questions/Q 8087611
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T18:50:00+00:00

Code: <?php //initializing script, do not modify session_start(); define(‘IN_SCRIPT’, true); //so that global.php cannot

  • 0

Code:

<?php
//initializing script, do not modify
session_start();
define('IN_SCRIPT', true); //so that global.php cannot be accessed directly
$_SCRIPTNAME = 'default.php';
include 'global.php';
$db = new MyDB(); //mysql class
if(isset($_GET['action'])) {
    $action = $_GET['action'];
} elseif(isset($_SESSION['user']) && $action == "login") {
    header("Location: {$_SCRIPTNAME}?action=overview");
    exit;
} elseif($action == 'logout') {
    session_unset();
    header("Location: {$_SCRIPTNAME}?action=login");
    exit;
} else {
    header("Location: {$_SCRIPTNAME}?action=login");
    exit;
}

//display proper template for the action defined (if none found, 404)
$template = $db->selectFrom("template", null, array("name" => mysql_real_escape_string($action)));
if(!empty($template['result']['0'])) {
    $template = $template['result']['0'];
    eval("echo \"".$template['html']."\";");
} else {
    $template = $db->selectFrom("template", null, array("name" => "404"));
    $template = $template['result']['0'];
    eval("echo \"".$template['html']."\";");
}
?>

In the database, I have a table templates with a couple rows in the format name/html where name is the name of the template and html is the template itself. Eval is required AFAIK and nothing is user inputted in the templates so it should be safe.

A sample URL would be: http://localhost/default.php?action=login

My question is: why would

if(isset($_GET['action'])) {
    $action = $_GET['action'];
} elseif(isset($_SESSION['user']) && $action == "login") {
    header("Location: {$_SCRIPTNAME}?action=overview");
    exit;
} elseif($action == 'logout') {
    session_unset();
    header("Location: {$_SCRIPTNAME}?action=login");
    exit;
} else {
    header("Location: {$_SCRIPTNAME}?action=login");
    exit;
}

not redirect to default.php?action=login if the ‘user’ session is not set and the action is not logout? I’m trying to make it so users not logged in cannot access the ‘overview’ page.

Thank you.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The problem is with your if/elseif block.

    You need to separate your $action definition from the block:

    if(isset($_GET['action'])) {
    $action = $_GET['action'];
}

if(isset($_SESSION['user']) && $action == "login") {
    header("Location: {$_SCRIPTNAME}?action=overview");
    exit;
} elseif($action == 'logout') {
    session_unset();
    header("Location: {$_SCRIPTNAME}?action=login");
    exit;
} else {
    header("Location: {$_SCRIPTNAME}?action=login");
    exit;
}

    The way your code is now, it will execute the if(isset($_GET['action'])) block and then ignore the rest of the block since those are all elseifs.

    • 0