Home/ Questions/Q 3310932
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T21:49:02+00:00

This is a test engine application with 5 papers set by me..as 5 php

  • 0

This is a test engine application with 5 papers set by me..as 5 php pages

Flow of the application

Login.html

check.php // to check whether credentials r right

if correct then

main.php //user clicks on “take test” in this page which displays him 1 of the 5 papers…

but once i am logged in i can just change the url to the url of the test paper i want..the paper names r 1.php 2.php….

how do i stop this…??

if(!isset($_SESSION['page'])//Tp
        continue;           //Tp
else
 {
   header('Location:login.php');
   exit;
 }                               //Tp
$_SESSION['page']=$_SERVER['SCRIPT_NAME'];//tp

is this correct…as i said there are 5 pages….

in eac page i have this code….

i check whether the Session variable is set….if it is set…it means it already has visited the page…..but this code doesnt work…did i use the variable _SESSION[‘page’]
before declaring it???

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The problems you’re having could mostly be solved by arranging your code around a default handler script. (see my guidelines below.)

    There are two basic ways to pass information to such a script (as I said in a comment above). The basic way is via a GET variable, like http://www.example.com/main.php?p=1.

    If you want to have more visitor-friendly URLs, you can use a RewriteRule in an .htaccess file to convert the nice URLs into the URLs that your handler will understand. (You’ll need mod_rewrite enabled.)

    This may be overkill for this particular question, but here are a few guidelines for secure web apps. I think they’re all relevant:

    1. Put your sensitive information outside of the public web root.
    2. By default, don’t display any information. Only enable the displaying of information if the user is positively authorized.
    3. Ideally, this includes URLs (if they type in a valid URL but they’re not authorized, don’t let them know they’ve reached a valid URL). One way is to redirect (set the location header like you were doing) to the login page if they’re not authorized.
    4. Create a default handler script. This central script will include all needed files and call all the needed functions. Pass all request information to this handler, and have it output all the HTML.
    5. Requirement for #3: Encapsulate your code in functions and classes. That way, your default handler can call them when it’s ready, only if you need them, and not simply because they happened to be included. This allows you much more control over the flow of your app.
    6. Instead of echoing HTML in random places throughout your code, return all HTML output to your main handler, which will collect it and output it all in one place when it’s ready. Random echos scattered around make it easier for security holes to crop up.
    7. Don’t trust user input. If you’re going to use a value you get from $_GET or $_POST, make SURE it’s a valid value before you use it.

    Edit:

    (This is more specific and directed toward your code as it is right now)

    There are 3 reasons your code won’t run as you expect it to:

    1. You left out a closing parenthesis on the first line if(!isset($_SESSION['page']).

    2. The way your code is written, if $_SESSION['page'] is already set when the user visits the page, they will be redirected to the login page. You can fix this by putting the header('Location:login.php');
      exit;       in the if clause and removing the else clause completely:

      if(!isset($_SESSION['page'])) {
   header('Location:login.php');
   exit;
}
$_SESSION['page']=$_SERVER['SCRIPT_NAME'];

    3. You need to set $_SESSION['page'] when they first log in so they will be able to view the first page.

    I’d recommend using an integer for $_SESSION['page'] instead of the script name. That way, you can set $_SESSION['page'] to 1 when they log in, and each time they successfully view a page, increment $_SESSION['page'] by one. Consider $_SESSION['page'] to mean the next paper this user is allowed to view.

    You can set a $pageid on each paper. Each time they try to view a page, if $_SESSION['page'] is less than $pageid, don’t let them view the page.

    • 0