A problem... how to stop someone gaining access

AliasZero

Basically i have this setup:

index.php - this file uses include()'s for header and footer graphics, sets up css files etc. etc. it has code to include the config files(database connection, authorisation etc) and to include whatever part of the site is tagged onto the url(eg index.php?action=addnews) using $_GET[].

At the moment, in the files it requests, some require other queries to make sure the user has permissions to access that area of the script. If the user has no access then it sends a header(Location: blah) to redirect the user.

My problem is that when i have a graphical theme for the site etc, which is of course included before the redirect header() is, the redirect won't work because the http headers have already been sent.

Can anyone suggest other ways of redirecting users so that its not possible for them to disable javascript etc and still get through?

Anyone?

I'm thinking that maybe i could completely rewrite the code with security in mind and that could completely avoid the circumstances that are happening at the moment.

mcgruff

Rather than ending with a header call, you could perhaps echo out a "you do not have permission to view this page" message and then a "continue" link.

Another alternative is to use output buffering - ob_start() and ob_end_flush()

I'm kind of against javascript as a rule. Don't see the point of using a language that, as you say, might not even be switched on by the end user. Was browsing a site the other day which used js to set up styles and it was a dog's breakfast with js off.

AliasZero

thanks, i'll try your second suggestion.

I can't really do the first, as it forwards to a login.php?message=noaccess or whatever, and i have a seperate error handler script to display errors etc. etc.