Header location - returning the URL in a POST - is it safe?

I have something like this (short version): index.php:

<?php
// The form posts to process_form.php; the current page's query string is
// carried along in a hidden field so the user can be sent back here.
echo "<form action='process_form.php?action=do_something' method='post'>";
echo "<input type='hidden' name='return_url' value='index.php?".$_SERVER['QUERY_STRING']."'>";
?>

and now in process_form.php I have processed that form and at the end of it I put this:

<?php
// Redirect back to whatever return_url the form submitted.
$return_url = $_POST['return_url'];
header("Location: $return_url");
die();
?>

My question is - am I doing it right? Is it the right way of processing POST form data and redirecting back? The thing is that my return URL can be anything, but I want users to be redirected exactly to where they submitted that form.

Is there some security concern I should pay special attention to? Thanks

Using $_POST anywhere in your code without filtering has a potential to cause unwanted behaviour; in your case, you should be aware of response splitting attacks.

The good news is that since PHP 5.1.2 it's no longer possible to unknowingly set multiple headers in a single header() call.

That said, you could still check out the various input filters that typically ship with PHP - e.g. FILTER_VALIDATE_URL.
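The filtering this answer recommends, written out as an added example (not code from the question or from any of the answers): the return_url is only accepted when it points back into the same site, which also rules out CR/LF in the header value and keeps the redirect from being pointed at another host. SITE_HOST, safeReturnUrl and the fallback path are assumptions made here, not values from the original post.

```php
<?php
// Added example: allow-list check for a user-supplied return URL before it
// is handed to header('Location: ...'). The trusted host is a fixed constant
// (hypothetical value) rather than anything read from the request.
const SITE_HOST = 'example.com';

/**
 * Return $candidate if it stays on this site, otherwise $fallback.
 * Accepted: a site-relative path such as /index.php?page=2, or an absolute
 * http(s) URL whose host is exactly SITE_HOST. Rejected: other hosts,
 * protocol-relative "//host" or "/\host" forms, non-http schemes, and any
 * embedded CR/LF.
 */
function safeReturnUrl(string $candidate, string $fallback = '/index.php'): string
{
    // Defence in depth against header injection; PHP itself refuses
    // header values containing newlines, but we never rely on that alone.
    if (preg_match('/[\r\n]/', $candidate)) {
        return $fallback;
    }

    // Site-relative path: exactly one leading "/" (browsers treat "//host"
    // and "/\host" as leaving the site).
    if (preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $candidate;
    }

    // Absolute URL: must validate as a URL and point at our own host.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if (!is_array($parts)) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;
    }
    if (strcasecmp($parts['host'] ?? '', SITE_HOST) !== 0) {
        return $fallback;
    }
    return $candidate;
}

// process_form.php would then redirect like this (303 = "see other",
// the usual status after a successful POST):
$target = safeReturnUrl($_POST['return_url'] ?? '', '/index.php');
header('Location: ' . $target, true, 303);
exit;
```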

I would use this:

index.php

<form action="process_form.php" method="post">
    <input type="hidden" name="action" value="do_something" />
    <input type="submit" value="Submit" />
</form>

process_form.php

<?php
// Send the user back to the page the form was submitted from.
header('Location: ' . $_SERVER['HTTP_REFERER']);
exit;
?>

I don't see any problem. A hacker would gain nothing by tinkering with the POST variable. He's just messing with the HTTP response he himself is going to get. Since the request is a POST, a caching server would not save the response. Response splitting is not a potential attack vector here.

What you're doing is correct. If instead of $_POST, you were to redirect off a $_SESSION variable, then there would be multiple vulnerabilities.