I would like to add sesame and verify it when user come to action page example:
if(isset($_POST["contact-us"])) {
//some code
}elseif(isset($_POST["site-feedback"])) {
//some code
}else{get_error('form');}
my current thought is to add $_SESSION["SESAMEOPEN"]["contact-us"]='uniquesalt' for say, contact-us.php then the form send to the action page to verify.
The problem I faced is : for instance the user open another page while visiting contact-us.php, the user can still reach action page by manipulate a input type="submit" name="contact-us". While method of checking redirect page seems to be able to be spoofed too.
Whats the main-stream way of verifying the action page? What I want is the user can only reach the action.php from the specific form.php .
Related
I have a page in view that has two parts actually which are accessed through # tags, like login#signin and login#signup. When the page loads for the first time it shows login form without having #signin without a problem.
So signin is not causing a problem as it loads at folder/login. But when I try to put folder/login#signup to load directly signup part it gives an error that there is no view login#signup.php. How to cope with this situation?
$this->load->view('workers/login#signup'); is not working.
When I don't put #signup it loads login form that is weird.
I'll expand more on my initial comments for the cause of this error, and how to fix things.
The cause of the issue
As mentioned throughout the comments, you cannot a view using an anchor point. For example, this does not work:
view('workers/login#signup'); // The #signup should not be here.
The documentation states:
Loading a View
To load a particular view file you will use the following method:
$this->load->view('name');
Where name is the name of your view file.
The name is the file is "name", not "name#signup".
Further down,
The .php file extension does not need to be specified unless you use something other than .php.
This implies, that when you use view('name'), CodeIgniter will, by default, load the file name.php. If you include a #signup in it, then CodeIgniter will not be able to find name#signup.php because that file does not exist.
Correct way to handle things
You mentioned you're using the form validation, so we need to ensure no value is lost during the transition process.
Here's a simplified explanation for how to handle it:
function login() {
// Data to be passed to the view (you may or may not already have this)
// More info: https://codeigniter.com/user_guide/general/views.html#adding-dynamic-data-to-the-view
$data = array();
// Validation has failed...
$this->form_validation->run() == FALSE ) {
// Set variable to redirect to #signup upon page load
$data['redirect_to_signup'] = true;
}
// Load view with $data which contains values to be passed to the view
$this->load->view('workers/login', $data);
}
In your workers/login view file, we just need to check if the redirect_to_signup value exists. If it does exist, then we can use some simple JavaScript to scroll down the #signup form:
<?php if (isset($redirect_to_signup) && $redirect_to_signup === true): ?>
<script>
var top = document.getElementById('signup').offsetTop;
window.scrollTo(0, top);
</script>
<?php endif; ?>
Because your validation object is still valid, you can use the built-in CodeIgniter functions to preload your form elements with the set_value() helper functions. For example:
<input type="text" name="email" value="<?php echo set_value('email'); ?>">
That hopefully explains how to achieve what you're after:
Validate user submitted form; and
If there are errors, reload the form with validation messages; and
Scroll down to the #signup form on the page.
One alternative is using redirect('login#signup'), but I would not recommend this method. You would need to save your form values and validation errors to the session to show them on the next page. You also run into the issue that the user might click the refresh button and all values would be lost then.
This question already has answers here:
Avoid resending forms on php pages
(6 answers)
Closed 9 years ago.
I have a webpage that contains a form that uses the POST method and references the same page it is on for submission. I am using a PHP include file that contains an if statement that runs when the submit value is set. For some reason though, after one submission, every time you refresh the page it submits the form with the previously submitted data (The browser warns of this before refreshing the page). What causes this, and what could I be doing wrong?
This is expected. You should have the form submit to a handler that has a unique URL, whether it be a query string or a different URI. One solution (of many) would be to change your form action:
<form action="?action=submit" method="post">
<input type="hidden" name="action" value="submit" />
...
and then in the PHP script handle the form, then change the context back to a URL without the hidden query string
if (!empty($_POST['action']) && $_POST['action'] == 'submit') {
// do stuff
header('Location: '.$_SERVER['SCRIPT_NAME']);
die();
}
Note the query string is not actually present in $_POST but we keep it there so browsers don't consider it to be a redirect loop.
i had the same issue with one of my pages.
the reason is that when the browser warns you that it will submit the form again, that means it is going yo be the same exact thing when you click on a submit button.
I did 2 things to avoid it but i am sure there many other ways.
1. Do not let the page echo the form again after succesfull submission of the form.
mine was like this
<?php
if(!isset($_POST['submit'])) {
include(form.php);// you can modify this according to your needs.
} else {
//display your message about what happened with the form.
}
?>
with that approach, your page will not the contaion a form to submit HOWEVER this will not prevent it from submitting on refresh.
2. if the form is submitted create a contoller input that carries a value indication that the form is already submitted. for example , place this into your form:
<?=(isset($_POST['submit']))?"" :"<input type-"hidden" name="submit_stat" value="true" />" ; ?>
and when you process your form when it is submitted check it with your php and make the script act on that variable like this:
<?php
if($_POST['submit_stat']==true) {
//do not process the form here.
//stop your script
}
?>
Another thing you can do is redirect your page to another page other than the page that handles the form. i believe this is the safest one.
Another Way to prevent this is to move the Post Data to Session, redirect, collect Post back from Session and delete Session Post Data.
if(!empty($_POST) && empty($_FILES)){
// move post to session
// redirect to same url (don't forget possible get query)
}else{
// collect post from session
// unset post from session
}
Build this as default and you should never have problems with post data.
Only exceptions are File uploads. In this case redirect *after* post processing manualy.
I have a simple controller which shows confirmations to be approved.When the users press register button confirmation page is shown.
But when users enter url as ..../confirmation without registering , the page is shown. I dont want it to be shown without registering.
in asp.net mvc4 this can be done with ChildActionOnly anotation.
Is it possible?
First make sure you have the session started:
<?php session_start(); ?>
OK, this seems to be quite simple - after registration, and before you redirect a user to the confirmation page, do something like this (this is pseudo-code naturally). Let's say the $user->registered() returns TRUE/FALSE as a result of registration, and $user->hasConfirmedRegistration() returns TRUE/FALSE as a result of reistration confirmation. So you should do something like:
//this should be in your registration controller/function, i.e. /users/register
if ($user->registered()) {
$_SESSION['showConfirmation'] = TRUE;
}
Then you should put this in the beggining of your function, to prevent showing your confirmation page to non-registered users.
//This should be in your confirmation controller/function,
//i.e. /users/confirm_registration:
//if user has not registered, do not show the page
if (! $_SESSION['showConfirmation']) {
header('Location: /'); // redirect to main page
return;
}
// -- enter code that handles storing confirmation, handling $_GET/$_POST etc. --
//then unset session variable, which is no longer needed
if ($user->hasConfirmedRegistration()) {
unset($_SESSION['showConfirmation']);
}
I dont fully understand what you're trying to achieve without seeing your code. But it sounds like you dont want someone to beable to access a specific page without performing an action first.
Something like this might help you.
<?php
session_start();
if(!session_is_registered(somesessionamehere)){
header("location:form.php");
}
?>
Register a session when the user submits the form, then when they go to that page it checks to see if the session is registered. If it isn't then it redirects to the previous page.
Have a look at this URL for a login based example: http://www.phpeasystep.com/phptu/6.html
As I understand, you need to check, on your confirmation page, that the user has just send registration data.
For example, if you have an input field named "login" in your form, you can check the presence and value of "login" in either $_REQUEST, $_POST or $_GET, depending on your form "method" attribute. If it's not there, the form has not been posted and you can assume that the user just entered the URL. You can redirect him to the login page.
<form method="post" action="/confirmation">
<input type="text" name="login" />
[...]
<input type="submit" />
</form>
<?php
if (!isset($_POST["login"])) {
// redirect
header("HTTP/1.0 302 Found");
header("Location: /login");
return;
}
// show confirmation
// [...]
In the settings.php i have some input for the realname,hobby,city and select tag for the languages
The html form is easy and i'm not going to copy it :)
This is the php code for the form
<?php
if(isset($_POST['submit'])){
if($this->edit->process()){
$s = 1;
}
}
if($s){echo '<p id="success">Success</p>';}
?>
This is in the view file and when the form is submit the $this->edit = the model for the updating the user data.
Everything work really good but in head.php there is this code
<?php $lang = $this->lange('global',$this->getUser->language($_SESSION['userID']));?>
With him this get the user current language and after that load the file with lange()
So if the submit is like this,the inputs and select tag are changing with what the user have choicen but the to see the new language they have to refresh the page. This is not good,because the user may be confuced that they did something wrong.
But if the form with method="POST" the page is refreshing and still with the old language
It is going to be quite hard to change all the texts in the DOM model to make the language change without redirect. I doubt it's really your desire.
You ought to make a GET method redirect after processing any POST form. So, instead of printing whatever "success" messages you have to reload the page.
Using session to store the language is not good method, the language have to be set by means of the page address - a subdomain (preferable) or a virtual directory.
How to check if the user has entered the page by clicking on the button and not from copy pasting the URL ?
For example, if a user has clicked on Register I want him/her to go to that page only by clicking the Register button and not by copy pasting the link.
Also, is it a good practice to give the page name on the address bar or should I have to hide the page. If I am hiding the page will I be able to do that ?
For example, if localhost/projname/register.php. I don't want people to see the register or login or about or anything on the address bar except localhost/projname.
Maybe check if he used $_POST, something like:
<?php
if($_SERVER['REQUEST_METHOD'] == "POST"){
// do ya thing
}
else
{
?>
<form action="index.php" method="post">
are you sure? <input type="submit" value="yes">
</form>
<?php
}
?>
You can use the HTTP_REFERER data of the $_SERVER reserved variable to see where did the user come from.
if(empty($_SERVER['HTTP_REFERER'])) {
// if we are here, the user copy pasted the url.
}
As for your second question, you can't totally "hide the page" like you're suggesting. The web server must know which page to show, so the browser must know has well.
You can however obfuscate the page name. For example you can call the page "sfhjgdjkfg" so the user won't be able to know that this is the "registering" page. But I think it's really a bad idea, why in the first place want you to hide this ?
One method is to use $_SERVER['HTTP_REFERER'] to verify that they clicked a link from your site, but this method isn't fool-proof as many Firewall and Anti-virus suites will remove the Referrer information.
A better method would be to generate a temporary session token on the pages of your site, and check for that token when the Register page is opened.
If your form uses POST parameters, the browser will pass on some POST data. You could then check
if (empty($_POST)) {
//didn't click the button, just went straight to the url
}else{
//did click the button
}