I am writing an inventory Management system. I am mostly complete with it. It is pretty basic, but does the job.
So now I am working on the look of it. I placed a Searchbox/Query inside a div at the top of the page. The Search works. But it only displays the result on the page that is listed.
What I want to do is have the Search redirect to this page when the button is Submitted, but It is not working. So I am wondering where to put the header("Location: loggedin.php");
I have gotten this to work in different parts of the Site, but for some reason it is not working here.
<?php
session_start();
if( isset( $_POST['Search'] ) ) {
// build a function to validate data
function validateFormData( $formData ) {
$formData = trim( stripslashes( htmlspecialchars( $formData ) ) );
return $formData;
}
$formEmail = validateFormData( $_POST['email'] );
include('connection.php');
$query = "SELECT first_name, last_name, email, card_number, pc_type
FROM
profiles WHERE email ='$formEmail'";
$result = mysqli_query( $conn, $query );
if( $formEmail == $email ) {
session_start();
$_SESSION['email'] = $email;
header("Location: profilepage2.php");
}
}
mysqli_close($conn);
?>
I do not think the HTML should matter in this case, but if I am wrong I will post it in an edit.
You can put your header("Location: your-url") anywhere in your script but it should be placed before you send any output as defined in the manual here http://php.net/manual/en/function.header.php.
You need to add exit; immediately after the header, which is very important; otherwise the script execution will not be terminated.
You must use it like this:
header("Location: loggedin.php");
exit;
If redirect is not working then try to add ob_start at the first line of your script just next to the open PHP tag like below,
<?php ob_start();
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
I'm trying to pass an error message from a server side form validator in a function back to the form it was submitted in. The validator is working as it prevents the rest of the code saving it to a database as planned. However I cant get it to pass back to the form to display the error
function saveComment(){
$validate = array();
$id = isset($_POST["articleId"]) ? $_POST["articleId"] : '';
if ( isset( $_POST['saveChanges'] ) ) {
if ( $_POST['name'] == "" ){
$validate['errorMessage'] = "Please fill out your name.";
header( "Location:".HOME_PATH."/.?action=viewArticle&articleId=".$_POST['articleID']."");
}
I'm trying to pass it back to this
if ( isset( $validate['errorMessage'] ) ) {
echo $validate['errorMessage'];
}
When I remove the if on the display function I get the error unidentified index
What do I need to do to get the form to display the error message. Do I need to pass the array to the function that handles the display of the article?
FEEDBACK
For anyone that may find this useful I used #OliverBS post method pretty much unaltered.
Also thank you to #lethal-guitar as his explanation has helped me understand where I went wrong and the various methods that can be used to solve this problem +1
You're setting a variable $validate for your currently executing script. Afterwards, you send a redirect header. This will cause your browser to issue a new request, thus ending the currently executing script and scrapping the variable. The new request will trigger another script invocation, where the variable is not known anymore since it only existed for the duration of the first request.
HTTP is stateless, so every variable you set on the server side will only exist until you finish your current request and respond to the client. What you need is a way to pass this variable to the script handling the second request. There are several ways to do so:
Pass a GET parameter. You could append something like "&validationError=" . $validate['errorMessage'] to the URL you're passing to the Location header, and then in the display page access it via $_GET.
Save the validation status in the $_SESSION. The PHP manual contains a lot of information about sessions (maybe you're already using them?)
Restructure your code in a way that you don't redirect on error, but on success.
Some more information on the 3rd proposal: You write one PHP-Script which displays the form and handles the form post request. If validation fails, you simply redisplay, and insert the echo statement you already have. If it succeeds, you redirect to some success page. This way, the variable will remain accessible, since it's still the same request.
On a quick glance try this
Session way
Make sure to start the session by doing session_start(); at the top of the file where saveComment is and the isset checked.
function saveComment(){
$id = isset($_POST["articleId"]) ? $_POST["articleId"] : '';
if ( isset( $_POST['saveChanges'] ) ) {
if ( $_POST['name'] == "" ){
$_SESSION['errorMessage'] = "Please fill out your name.";
header( "Location:".HOME_PATH."/.?action=viewArticle&articleId=".urlencode($id));
exit; // stop here so nothing else runs after the redirect
}
}
}
// on the page that displays the article:
if ( isset( $_SESSION['errorMessage'] ) ) {
echo $_SESSION['errorMessage'];
unset( $_SESSION['errorMessage'] ); // show the message only once
}
or you can try
POST way
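function saveComment(){
$id = isset($_POST["articleId"]) ? $_POST["articleId"] : '';
if ( isset( $_POST['saveChanges'] ) ) {
if ( $_POST['name'] == "" ){
$error = urlencode('Please fill out your name');
header( "Location:".HOME_PATH."/.?action=viewArticle&articleId=".urlencode($id). "&error=" . $error);
exit; // stop here so nothing else runs after the redirect
}
}
}
// on the page that displays the article:
if ( isset( $_GET['error'] ) ) {
// $_GET is already URL-decoded; escape it because anyone can put text in the query string
echo htmlspecialchars($_GET['error'], ENT_QUOTES, 'UTF-8');
}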
I have not tested this but you should get the basic idea of what to do.
When you do a header location you're redirecting the user to a new page. You're going to have to either pass the error in the query string or ideally pass it as a variable in the session.
I would suggest doing this all in one file, i.e. The form and the validation as one file.
Then you can do this:
<?php
//set success to 0
$success = 0;
$errormsgs = array();
//check for post
if(isset($_POST['submit'])){
//get the data from the form post and validate it
$valid = validateFunction($_POST['data']);
//this function will validate the data. If it is not valid, it will add a message to $errormsgs
//check for errors
if(!$errormsgs){
//data validation was successful, do stuff
}
}//if validation fails, it will fall out of this code block and move on
?>
<html>
<body>
<?php
//check for errors
if($errormsgs){
$content = '<ul class="errors">';
foreach($errormsgs as $error){
//escape each message in case it repeats user input
$content .= "<li>" . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "</li>";
}
$content .= "</ul>";
echo $content;
}
?>
<form name="name" action="" method="post">
<!-- escape the posted value before putting it back into the attribute -->
<input name="data" value="<?= htmlspecialchars(isset($_POST['data']) ? $_POST['data'] : '', ENT_QUOTES, 'UTF-8') ?>" type="text">
<input name="submit" type="submit">
</form>
</body>
</html>
You're redirecting the user to the "error" page with the header statement. The problem is, of course, this is a completely new page, there's no state left over, so none of your variables exist any more.
There's two ways to do it, either pass it on the query string (so add &error=...) and parse that in your template, or save it to the session.
Of course, you should really be doing this before your template is presented using a different means, but that's a complete rework of your code.
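The session approach suggested in the answers above, written out as an added example (not code from any of the posts): the message is stored for exactly one later request, removed when read, and escaped on output. `flash_set()`, `flash_take()` and the file name `comment.php` are hypothetical.

```php
<?php
// Added example: one-time ("flash") messages that survive a redirect.
// flash_set(), flash_take() and comment.php are hypothetical names.
session_start();

// Store a message for the next request.
function flash_set(string $key, string $message): void
{
    $_SESSION['flash'][$key] = $message;
}

// Return the stored message and delete it, so a reload does not repeat it.
function flash_take(string $key): ?string
{
    $message = $_SESSION['flash'][$key] ?? null;
    unset($_SESSION['flash'][$key]);
    return is_string($message) ? $message : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $articleId = (int) ($_POST['articleId'] ?? 0);
    $name = $_POST['name'] ?? '';
    $name = is_string($name) ? trim($name) : '';

    if ($name === '') {
        flash_set('error', 'Please fill out your name.');
    } else {
        // ... save the comment here ...
        flash_set('notice', 'Comment saved.');
    }
    // Redirect in both cases so a browser reload cannot re-submit the form.
    header('Location: comment.php?articleId=' . $articleId);
    exit; // nothing below may run for the POST request
}

// GET request: this is the second request, the one the redirect caused.
$articleId = (int) ($_GET['articleId'] ?? 0);
$error  = flash_take('error');
$notice = flash_take('notice');
?>
<?php if ($error !== null): ?>
<p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<?php if ($notice !== null): ?>
<p class="notice"><?= htmlspecialchars($notice, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="comment.php">
<input type="hidden" name="articleId" value="<?= $articleId ?>">
<input type="text" name="name">
<input type="submit" name="saveChanges" value="Save">
</form>
```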
I am running through a jQuery Ajax tutorial here:
http://www.charlieperrins.com/2011/03/ajax-jquery-101/
Everything works perfectly but I have a question about this piece of code:
<?php if ($_POST['user']) : ?>
<?php
$user_id = $_POST['user'];
if (isset($db_data[$user_id])) {
$data = $db_data[$user_id];
} else {
echo 'Sorry, no user data matched your request - please try again';
die;
}
?>
I am most concerned with the very first line. What does that line do? I am trying to keep all the code in 1 set of php tags but I don't know how to do that. If I knew what the first line does, I might be able to figure it out. Any help is appreciated. I am trying to reverse engineer this to fit it into my app but can't do it without knowing what that top line does.
Thanks.
All this does is continues the if block until endif.
There is no endif, so nothing in this script runs unless there is data in $_POST['user'] that doesn't evaluate to false.
I would write this a bit differently:
<?php
if (isset($_POST['user'])) {
$user_id = $_POST['user'];
if (isset($db_data[$user_id])) {
$data = $db_data[$user_id];
} else {
echo 'Sorry, no user data matched your request - please try again';
die;
}
}
?>
The first line tests if the $_POST array has a key user, and that key contains a "truthy" (non-empty, among other things) value, indicating that a form was posted to this script. If no form data was posted, the rest of the script won't execute, such as if someone browsed directly to this PHP script without using the expected form to post to it. It is a technique often used when a form posts back to the same PHP script. Upon first arriving at the script, the $_POST will be empty. When the form is posted back to the same script, different actions can be taken when it contains values.
There need only be one <?php tag:
<?php
if ($_POST['user']) {
$user_id = $_POST['user'];
if (isset($db_data[$user_id])) {
$data = $db_data[$user_id];
} else {
echo 'Sorry, no user data matched your request - please try again';
die;
}
}
?>
This is Alternative syntax for control structures
<?php if ($_POST['user']) : ?> means if $_POST['user'] evaluates to true, execute the following code.
It can be compressed down to this:
<?php if ($_POST['user']) :
$user_id = $_POST['user'];
....
Also,
if ($_POST['user']) :
should be
if (isset($_POST['user']) && !empty(trim($_POST['user']))) :
That makes sure that $_POST['user'] has been set (generally $_POST contains variables from a form), and that it is not empty even with white-space removed.
See
Alternative syntax for control structures
$_POST
empty
trim
The if ($_POST['user']) line is saying this:
If the variable $_POST['user'] exists and is set to a non-false value.
The above condition fails if $_POST['user'] is 0, false, or '' (empty string).
It also isn't safely checking that value.
You are better off using:
if (isset($_POST['user']) && $_POST['user'] != '')
This way no warning is output when PHP has display_errors and notices turned on.
I'm aware that this topic has been covered before here on Stack, and I have looked at some answers, but I'm still a bit stuck, being fairly new to PHP. Every page on my website requires a login, and so users are redirected to a login page on page load. At the top of each page then I have:
<?
require("log.php");
include_once("config.php");
include_once("functions.php");
?>
This redirects the user to log.php (with new code added):
<?
session_name("MyLogin");
session_start();
if(isset($_SESSION['url']))
$url = $_SESSION['url']; // holds url for last page visited.
else
$url = "index.php"; // default page for
if($_GET['action'] == "login") {
$conn = mysql_connect("localhost","",""); // your MySQL connection data
$db = mysql_select_db(""); //put your database name in here
$name = $_POST['user'];
$q_user = mysql_query("SELECT * FROM users WHERE login='$name'");
if (!$q_user) {
die(mysql_error());
}
if(mysql_num_rows($q_user) == 1) {
$query = mysql_query("SELECT * FROM users WHERE login='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password']) {
$_SESSION["name"] = $name;
header("Location: http://monthlymixup.com/$url"); // success page. put the URL you want
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}
// if the session is not registered
if(session_is_registered("name") == false) {
header("Location: login.php");
}
?>
The login form is contained in login.php. The code for login.php relevant to the PHP/log.php is:
<?
session_start();
if($_GET['login'] == "failed") {
print $_GET['cause'];
}
?>
and
<form name="login_form" id="form" method="post" action="log.php?action=login">
The answer that I came across stated that I should add:
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
to the top of each page, which I did, at the top of the page (above "require("log.php");"), and then add:
if(isset($_SESSION['url']))
$url = $_SESSION['url']; // holds url for last page visited.
else
$url = "index.php"; // default page for
to my login page, and use the following URL for redirect on successful login:
header("Location: http://example.com/$url"); // perform correct redirect.
I am not 100% sure where the code which stores the referring URL should go, at the top of log.php or login.php.
I have tried adding it to both, but the login page is just looping once I have entered the username and password.
I wonder if someone could help me get this working?
Thanks,
Nick
It appears that I don't have the privilege to comment on your post, so I'll do the best that I can to answer. I apologize for all of the scenarios, I'm just doing the best I can to answer on a whim.
SCENARIO 1:
If you've truly not selected a database in your code, as demonstrated here, could that potentially be your issue? Please do note, that the code below, is the code you've posted.
$db = mysql_select_db(""); //put your database name in here
SCENARIO 2:
The code below is not something I've ever used in anything I've built, might I suggest that you try replacing that line of code with the line below it?
if(session_is_registered("name") == false) { // Current
if(isset($_SESSION['name']) == false) { // Potential Replacement
SCENARIO 3:
If your logic for the following exists in the login.php file as well... That could potentially be your problem. Upon visiting your site, I noticed your form appears on login.php, yet your logic is posting to log.php. I'm hoping this bit of code can help rule out that "jump", as login.php might be saving itself and overwriting the $_SESSION variable you've established
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
If it's too complex to take it out of the login.php file, if you even have it there, I've put together some code that you can use to create "internal" breadcrumbs, so you can go 2 pages back in your history.
if(!isset($_SESSION['internal_breadcrumbs']))
$_SESSION['internal_breadcrumbs'] = array();
$_SESSION['internal_breadcrumbs'][] = $_SERVER['REQUEST_URI'];
$max_breadcrumbs = 5;
while(count($_SESSION['internal_breadcrumbs']) > $max_breadcrumbs)
array_shift($_SESSION['internal_breadcrumbs']);
That will create an array with a max of $max_breadcrumbs elements, with your most recent page at the end, like the following
Array
(
[internal_breadcrumbs] => Array
(
[0] => /other_page.php
[1] => /other_page.php
[2] => /other_page.php
[3] => /user_page.php <-- desired page
[4] => /login.php <-- most recent page
)
)
So now... you can setup your url to be something more like the following...
// I'm doing - 2 to accommodate for zero indexing, to get 1 from the current page
if(isset($_SESSION['internal_breadcrumbs']))
$url = $_SESSION['internal_breadcrumbs'][count($_SESSION['internal_breadcrumbs']) - 2];
else
$url = "index.php"; // default page for
All the best, and I certainly hope this has helped in some way.
IN SCENARIO 4
From the client, test the login/password with an Ajax XMLHttpRequest in JavaScript code against a dedicated script for validation (do it over HTTPS for security).
If the response is right, send the login and password to your server script.
Tip: Encoding the password is more secure!
Using the header() function is a bad idea.
The manual specification says:
Remember that header() must be called before any actual output is
sent, either by normal HTML tags, blank lines in a file, or from PHP.
It is a very common error to read code with include, or require,
functions, or another file access function, and have spaces or empty
lines that are output before header() is called. The same problem
exists when using a single PHP/HTML file.
So in your case, I suggest using cookies with an ID generated only for the session; it is generated at the first connection, and the duration of the cookie may be only from 2 to 10 minutes.
Regenerate the cookie each time loging.PHP is called!
Have a nice day
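An added example for the return-to-page login flow discussed in this thread (not code from the question or the answers): the stored URL is never taken from the login pages themselves, which is what causes the loop, and it is checked to be a local path before it reaches the Location header. The function names and the `LOGIN_PAGES` list are hypothetical; the sample values at the end are constructed.

```php
<?php
// Added example: remembering and validating the post-login return path.
// Function names and LOGIN_PAGES are hypothetical; adjust to the real site.

const LOGIN_PAGES = ['/login.php', '/log.php'];

// Accept only a local absolute path; anything else falls back to $default.
function safe_return_path($candidate, string $default = '/index.php'): string
{
    if (!is_string($candidate) || $candidate === '' || $candidate[0] !== '/') {
        return $default;
    }
    // "//host" and "/\host" are read by browsers as another site.
    if (isset($candidate[1]) && ($candidate[1] === '/' || $candidate[1] === '\\')) {
        return $default;
    }
    // Control characters have no place in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Never send the user back to the login pages (that is the redirect loop).
    $path = parse_url($candidate, PHP_URL_PATH);
    if (!is_string($path) || in_array($path, LOGIN_PAGES, true)) {
        return $default;
    }
    return $candidate;
}

// Call on every protected page, after session_start().
function remember_return_path(): void
{
    $uri  = $_SERVER['REQUEST_URI'] ?? '';
    $path = parse_url($uri, PHP_URL_PATH);
    if (is_string($path) && !in_array($path, LOGIN_PAGES, true)) {
        $_SESSION['url'] = $uri;
    }
}

// Call in log.php once the password check has succeeded.
function redirect_after_login(string $name): void
{
    $target = safe_return_path($_SESSION['url'] ?? null);
    unset($_SESSION['url']);
    session_regenerate_id(true); // new session id for the logged-in session
    $_SESSION['name'] = $name;
    header('Location: ' . $target); // a path, so it stays on the current host
    exit;
}

// Constructed sample values, printed when the file is run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        '/profile.php?id=7',
        '/login.php?login=failed',
        '//other.example/x',
        'http://other.example/',
        'index.php',
        '',
    ];
    foreach ($samples as $s) {
        printf("%-28s -> %s\n", var_export($s, true), safe_return_path($s));
    }
}
```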
On my site, forms are brought in via AJAX and checked against a sessionid. I know this is not optimal, but it's working for us. If the referrer doesn't have the session ID they are redirected back to "anotherpage". I need to allow some outside URL's access the form directly.
we set the sessionid on the page with the link to the form.
Here is what we have now on the form page:
<?php
$code = $_GET['sessionid'];
if(strcmp( $code , 'XXXXX' ) != 0) {
header("Location: http://www.domain.com/anotherpage.php");
}
?>
I need to allow some outside domains direct access to the form page and am having issues with this:
(I'm putting it above the head tag on the form page)
<?php
$code = $_GET['sessionid'];
$referrer = $_SERVER['HTTP_REFERER'];
if(strcmp( $code , 'XXXXX' ) !=0) {
header("Location: http://www.domain.com/anotherpage.php");
} else {
if (preg_match("/site1.com/",$referrer)) {
header('Location: http://www.domain.com/desiredpage.php');
}
}
?>
this still bounces me back to "anotherpage.php" any ideas?
********EDIT*******
thx for the help, it works as I requested. Now I see what I asked wasn't entirely correct. This appends the URL with =sessionid?=XXXXX. This isn't an issue on my site because I'm loading the content with .jquery .load so the URL doesn't change. I don't want the sessionid to be visible, and now it is. Can I either a) "trim" the url somehow or b) separate the two functions so they are exclusive?
if(strcmp( $code , 'XXXXX' ) !=0) {
if (preg_match("/site1.com/",$referrer)) {
header('Location: http://www.domain.com/desiredpage.php');
} else {
header("Location: http://www.domain.com/anotherpage.php");
}
}
As I read your post, you want anyone from the preg_match to get the desired page regardless of sessionID status, so you don't want to test sessionID first.
Start the if block with the preg_match test.
Your first if is checking to see if they don't have the $code and redirecting them. This will always be the case. You should probably check the $referrer first and then do the $code check.
Try reverse if with else
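<?php
$code = isset($_GET['sessionid']) ? $_GET['sessionid'] : '';
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (preg_match("/site1.com/", $referrer)) {
header('Location: http://www.domain.com/desiredpage.php');
exit; // stop here, otherwise the rest of the page is still sent
} else if (strcmp( $code , 'XXXXX' ) != 0) {
header("Location: http://www.domain.com/anotherpage.php");
exit;
}
?>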
If I'm not misunderstanding this, the problem is in the order in which you are checking things.
If you want to allow some referrers to access the site even if they don't have the session id, you have to check for that before checking for the session id. Otherwise, they will end up being treated just like everyone else.
You can either switch the order of the conditions (first check for the referrer and then check for the session id) or check for the referrer inside the branch in which you already know the session id is not valid.
The issue could be in your regex, it should be:
if (preg_match("/site1\.com/",$referrer))
notice escaping the dot (.)
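An added example for the referrer check discussed in this thread (not code from the question or the answers): the Referer header is parsed and its host compared exactly against a list, instead of being searched for a substring, and the code is compared with `hash_equals()`. The Referer is supplied by the client, so this works as a convenience filter rather than as access control. `ALLOWED_REFERRER_HOSTS`, `EXPECTED_CODE` and both function names are hypothetical; the sample referrers are constructed.

```php
<?php
// Added example: exact-host referrer check and constant-time code comparison.
// ALLOWED_REFERRER_HOSTS, EXPECTED_CODE and both function names are hypothetical.

const ALLOWED_REFERRER_HOSTS = ['site1.com', 'www.site1.com'];
const EXPECTED_CODE = 'XXXXX'; // placeholder, as in the question

function referrer_host_allowed($referrer): bool
{
    if (!is_string($referrer) || $referrer === '') {
        return false;
    }
    $scheme = strtolower((string) parse_url($referrer, PHP_URL_SCHEME));
    $host   = parse_url($referrer, PHP_URL_HOST);
    if (!is_string($host) || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($host), ALLOWED_REFERRER_HOSTS, true);
}

// Returns null when the form may be shown, otherwise the URL to redirect to.
function form_gate($code, $referrer): ?string
{
    // Listed referrers get the form without a code, so test them first.
    if (referrer_host_allowed($referrer)) {
        return null;
    }
    if (is_string($code) && hash_equals(EXPECTED_CODE, $code)) {
        return null;
    }
    return 'http://www.domain.com/anotherpage.php';
}

if (PHP_SAPI !== 'cli') {
    // On the form page, before any output.
    $redirect = form_gate($_GET['sessionid'] ?? null, $_SERVER['HTTP_REFERER'] ?? null);
    if ($redirect !== null) {
        header('Location: ' . $redirect);
        exit; // without this the form is still sent in the response body
    }
} else {
    // Constructed referrers: the substring regex next to the exact host check.
    $samples = [
        'http://site1.com/page',
        'https://www.site1.com/',
        'http://site1xcom.example/',
        'http://other.example/?from=site1.com',
    ];
    foreach ($samples as $r) {
        printf(
            "%-40s regex=%-4s host=%s\n",
            $r,
            preg_match("/site1.com/", $r) ? 'pass' : 'fail',
            referrer_host_allowed($r) ? 'pass' : 'fail'
        );
    }
}
```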
To practice PHP and MySQL development, I am attempting to create the user registration system for an online chess game.
What are the best practices for:
How I should handle the (likely) possibility that when a user tries to register, the username he has chosen is already in use, particularly when it comes to function return values? Should I make a separate SELECT query before the INSERT query?
How to handle varying page titles?($gPageTitle = '...'; require_once 'bgsheader.php'; is rather ugly)
(An excerpt of the code I have written so far is in the history.)
Do a separate SELECT to check whether the username is already in use before attempting to INSERT.
More importantly, I would suggest something like the following structure for the script you're writing. It has a strong separation of presentation logic (e.g. HTML) from your other processing (e.g. validation, database, business logic.) This is one important aspect of the model-view-controller paradigm and is generally considered a best-practice.
<?php
// The default state of the form is incomplete with no errors.
$title = "Registration";
$form_completed = false;
$errors = array();
// If the user is submitting the form ..
if ($_POST) {
// Validate the input.
// This includes checking if the username is taken.
$errors = validate_registration_form($_POST);
// If there are no errors.
if (!count($errors)) {
// Add the user.
add_user($_POST['username'], $_POST['password']);
// The user has completed.
$form_completed = true;
// Optionally you could redirect to another page here.
} else {
// Update the page title.
$title = "Registration, again!";
}
}
?>
<html>
<head>
<title>Great Site: <?= $title ?></title>
</head>
<body>
<?php if ($form_completed): ?>
<p>Thanks for registering!</p>
<?php else: ?>
<?php if (count($errors)): ?>
<ul>
<?php foreach ($errors as $error): ?>
<li><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
<form method="post">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit">
</form>
<?php endif; ?>
</body>
</html>
Well, one thing you can do instead of repeating code down near the bottom is this:
if( $result === true ) {
$gPageTitle = 'Registration successful';
$response = '<p>You have successfully registered as ' . htmlspecialchars( $username ) . ' on this site.</p>';
} elseif( $result == 'exists' ) {
$gPageTitle = 'Username already taken';
$response = '<p>Someone is already using the username you have chosen. Please try using another one instead.</p>';
} else {
trigger_error('This should never happen');
}
require_once 'bgsheader.php';
echo $response;
require_once 'bgsfooter.php';
Also, you can return false rather than the string 'exists' in the function, not that it makes much difference.
Checking the error number isn't bad, I'm sure that's why it's an included feature. If you really wanted to do something different, you could check if there already is a user by that name by selecting the username. If no result exists, then insert the user, otherwise, give the error.
One thing I like to do with error handling on forms is save all the error strings into an array like $error['username'], $error['email'], etc., and then have it run through the error checking on each input individually to set all the error strings, and then have a function that does something like this:
function error($field)
{
global $error;
if(isset($error[$field]))
{
echo $error[$field];
}
}
and then call that after each field in the form to give error reporting on the form. Of course, the form page must submit to itself, but you could have all the error checking logic in a separate file and do an include if $_POST['whatever'] is set. If your form is formatted in a table or whatever, you could even do something like echo '<tr><td class="error">' . $error[$field] . '</td></tr>', and automatically insert another row directly below the field to hold the error if there is one.
Also, always remember to filter your inputs, even if it should be filtered automatically. Never pass post info directly into a DB without checking it out. I'd also suggest using the specific superglobal variable for the action, like $_POST rather than $_REQUEST, because $_REQUEST contains $_GET, $_POST, and $_COOKIE variables, and someone could feasibly do something strange like submit to the page with ?username=whatever after the page, and then you have both $_POST['username'] and $_GET['username'], and I'm not sure how $_REQUEST would handle that. Probably would make there be a $_REQUEST['username'][0] and $_REQUEST['username'][1].
Also, a bit about the page titles. Don't know if you have it set up like this but you can do something like this in your header:
$pageTitle = "My Website";
if(isset($gPageTitle))
{
$pageTitle .= " - $gPageTitle";
}
echo "<title>$pageTitle</title>";
Which would make the page load normally with "My Website" as the title, and append "- Username already exists" or whatever for "My Website - Username already exists" as the title when $gPageTitle is set.
I think the answer from Mr. Neigyl would require a separate trip to the database, which is not a good idea because it would only add performance overhead to your app.
I am not a PHP guru, but I know my way around it, although I don't recall the === operator. == I remember.
You could pass the function call directly into the IF statement.
if (addUser($username, $passwd));
I don't see anything wrong with using the $gPageTitle variable, but you will probably have to declare it "global" first and then use namespaces so you can actually access it within the "header.php" because "header.php" will not know how to address this page's variables.
Although I personally don't like messing with namespaces and I would rather call a function from the "header.php" and pass the page title into it
display_title($pgTitle);
or
display_title("Registration Successfull");
or
$header->display_title("Registration Successfull")
if you like OO style better
Let me know if that helps. :)
You should get into forms and allow your page to redirect to another page where you have there the 'insert username to database'.
Suppose the username entered is in a post variable such as $_POST['username'].
Have your database check where that username exist:
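// escape the posted value before it goes into the query string
$username = mysql_real_escape_string($_POST['username']);
$res = mysql_query("SELECT * FROM table WHERE username='$username'") or die(mysql_error());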
if(mysql_num_rows($res) > 0) {
echo "Username exists.";
// more code to handle username exist
} else {
// ok here.
}
What is basically done is we check if your table already contains an existing username. mysql_num_rows($res) will return 0 if no username exist.
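An added example for the registration question in this thread (not code from the question or any answer): the username column carries a UNIQUE constraint, the INSERT is a prepared statement, and the duplicate is reported from the constraint error, so two simultaneous registrations of the same name cannot both succeed. It assumes the pdo_sqlite extension and uses an in-memory database so it runs on its own; the table, its columns and `register_user()` are hypothetical, and the sample registrations are constructed.

```php
<?php
// Added example: registration that relies on a UNIQUE constraint.
// Table and column names and register_user() are assumptions; in-memory
// SQLite through PDO keeps the example self-contained.

// Returns an array of error messages keyed by field; empty means registered.
function register_user(PDO $db, string $username, string $password): array
{
    $errors = [];
    $username = trim($username);
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    }
    if (strlen($password) < 8) {
        $errors['password'] = 'Password must be at least 8 characters.';
    }
    if ($errors) {
        return $errors;
    }

    try {
        // Placeholders keep the posted values out of the SQL text.
        $stmt = $db->prepare(
            'INSERT INTO users (username, password_hash) VALUES (:u, :p)'
        );
        $stmt->execute([
            ':u' => $username,
            ':p' => password_hash($password, PASSWORD_DEFAULT), // never the plain password
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity constraint violation: the name exists.
        if ((string) $e->getCode() === '23000') {
            return ['username' => 'That username is already taken.'];
        }
        throw $e; // anything else is a real failure
    }
    return [];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

// Constructed sample registrations.
$samples = [
    ['alice', 'correct horse battery'],
    ['alice', 'another password'],
    ['al', 'short'],
];
foreach ($samples as [$u, $p]) {
    $errors = register_user($db, $u, $p);
    echo $u, ': ', $errors ? implode(' ', $errors) : 'registered', "\n";
}
```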