I have various links in my website that point to a specific form.
Whenever someone fills out the form, I want to be able to know what link led them to the form.
I want to do this without having to create an individual line of PHP code for every link I create in the. Instead, I want to have some PHP code that picks up something from that link, and maybe inserts it into a hidden text box that gets its value or text from something that I tag in the link.
For example:
User clicks a link.
That link directs them to a form.
The link carries an identification that activates PHP code
When I recieve the form, I know what link was clicked to get to that form.
I want it to work with links in emails I send out as well.
Based on the information in your post, it sounds like you just want to send a token/ id.
Goto Form
Now on the form you can grab the token:
$token = $_GET['token']; // use proper testing first
Then use a switch or if statements to run whichever code you need.
<input type="hidden" value="<?php echo $token; ?>">
Additional:
As the //use proper testing first comment indicates, you should make sure the token being passed is valid and sanitized in case of attack. One option is to have tokens stored in a database when generated and then compared when validating. Also look into htmlspecialchars() and even strip_tags() for sanitizing.
If the token fails to validate, you should not output and should even have a warning message/redirect that there was an error.
You can use HTTP Referer to achieve this. In PHP, you can use
$referer = $_SERVER['HTTP_REFERER']
Use this for example :
if (isset($_SERVER['HTTP_REFERER']))
{
$ref = $_SERVER['HTTP_REFERER'];
}
then in your form something like:
<input type="hidden" value="<?php echo htmlspecialchars($ref, ENT_QUOTES); ?>" name="ref" />
Related
I have a search form, and the submit button looks like this:
<input type="submit" name="search_submit" value="Go"/>
I handle this form using the following php:
if (isset($_GET['search_submit'])) {
do blah
}
Works fine. But my url then includes &search_submit=Go. I do not want that to show up.
I know that to fix this, I need to remove the name attribute from my the forms input line.
But then my php no longer works and I'm not sure how to change it to handle the form. I tried changing it to:
if (isset($_GET['submit']))
and
if (isset($_GET['Go']))
But they did not work either. If anyone can help me with an answer, it would be awesome.
You cannot remove the name of the input element, as PHP would not know which value to look for. If you want to completely hide the string after the URL, use the request method POST instead of GET:
<form action='myscript.php' method='POST'>
<input type="submit" name="search_submit" value="Go"/>
</form>
Your PHP will use the following:
$_POST['search_submit']; // Instead of $_GET['search_submit'];
A good answer to when to use GET and POST can be found here.
edit: If you just want to not have the button show up in the URL, but everything else should still be there (according to your comment), you can simply remove both the value and name of the submit button.
Instead of looking for search_submit to be set, you can look for the other values:
if (isset($_GET['username'], $_GET['password'])) {
// Do your stuff here
}
If you don't want to show string in the URL, you can use the POST method. The main difference between GET and POST are listed below as :
GET:
Parameters remain in browser history because they are part of the URL
Can be bookmarked.
GET method should not be used when sending
passwords or other sensitive information.
7607 character maximum
size.
Url example: new.php?category=sport
POST:
Parameters are not saved in browser history.
Can not be bookmarked.
POST method used when sending passwords or other
sensitive information.
8 Mb max size for the POST method.
URL example: new.php
Sample Code :
if (isset($_POST["search_submit"])) {
do blah
}
If the submit button doesn't have a name, then it won't be a successful control and won't appear in the submitted data at all.
Test for the presence of data from some other field in the form instead.
I want to pass an id from one page to another when user clicks a url. There can be multiple url each corresponding to a separate id. Based on url clicked, I want to pass corresponding id and an action. Currently I am using following approach:
<a href="Process.php?action=del&id='.$id.'">
However both action and id are visible in url. Is there any way to hide this information in url and not passing it through url?
Also if I pass them using hidden fields, they can be accessed using browser dev tools. I want to make them secure so they can't be read or modified at all.
I would like to hide this for security purpose so no any user can see this
In HTML only, you'll not able to pass "hidden" variables through $_GET.
If you really want to hide some variables when a user click on a link, you can use Javascript with an auto-submitted form to use $_POST variables.
Example
<form method="POST" action="yourpage.php" id="yourform" style="display:none;">
<input type="hidden" name="hiddenfield" value="__" />
</form>
<a href="" onclick="document.getElementById('yourform').submit();return false;" />
Now, in yourpage.php, you'll be able to obtain the $_POST['hiddenfield'] value.
Edit:
I don't think it can be possible to really hide the values from dev tools. Btw, you can maybe use sessions, it will be more "secure"..
Example:
// page1.php
session_start();
$_SESSION['yourname'] = 'yourvalue';
// page2.php
session_start();
$_SESSION['yourname']; // Contains 'yourvalue'
The best way to hide id(if you mean security) is to encrypt it. You should use MCRYPT function to encrypt the id. You can encrypt both ID and your ACTION in one string and just pass this string to URL and then when you want to use it you can decrypt parameter and split it. When you connect it with MOD_REWRITE in htaccess you can get url like:
<a href="Process,Some title of yourpage,í,eHGxC•z»#”“§``"> to make it more "pretty" you can use base64 on this string.
or with base64, mcrypt and mod_rewrite
<a href="Process,SWRlYW">
to decrypt string you should use base64_decode(), mcrypt_decrypt()
You can use base64 for this (if security is really a big concern). Before passing it to the URL,
you can encode it first and then in the receiving end, you can decode it.
Check this URL : http://www.webtoolkit.info/javascript-base64.html
EDIT:
Please ignore the line above in the bracket.
Based on the comments below, base64 is really not responsible for security. Better approach is to use a server sided language to encrypt/decrypt values. Using base64 through javascript is not a good idea. Thanks Bobby.
Newby here.
Could someone show me an example of the code needed to do the following:
User pushes a button on my web site (there is no information for him to input, and no form, he just clicks on a button). I have found the following code on another post, but don't know if it is correct (I am also getting a syntax error on it):
<form action="php_file.php"><input type="submit" value="Click"></form>
The author of the above code said "Insert your PHP-Code into the file php_file.php and click the button, your file will be opened. Insert header("Location: html_file.html"); at the end of your php-file to get back to the page."
This click of the button needs to instigate the programming to grab the current URL and previous URL and insert them into the mysql database on my server. I have "PHP_SELF" and "HTTP_REFERER", but still need to get the results into mysql.
I would like to do this using only html, PHP and mysql, if possible.
Thanks to everyone for any help!
if your first file happen to be a PHP one, write this HTML form there.
<form action="php_file.php" method="POST">
<input type="hidden" name="previous" value="<?=urlencode($_SERVER['REQUEST_URI'])?>">
<input type="submit" value="Click">
</form>
and then in the php_file.php
<?
$current = $_SERVER['REQUEST_URI'];
$previous = $_POST['previous'];
though both variables will contain only partial url, without host name, schema and, possible, port. it's usually enough but if you need these absent parts, you'll have to add them manually.
as for the writing info into database and particular PHP syntax rules you have to find yourself a tutorial, because this site is devoted to answering questions, not online education nor doing someone's job for free.
With PHP, you can manage it with cookie session, first thing you'll need to do is start a session and then define the space where you'll store the URL information e.g: $_SESSION["url"]
session_start();
$_SESSION["url"]=$_SERVER['REQUEST_URI'];
And whenever you want to go to that particular page, add the header:
header('location: ' .$_SESSION["url"]. '');
Current:
$currentUrl = $_SERVER["PHP_SELF"];
Previous:
$previousUrl = $_SERVER['HTTP_REFERER'];
Note that some users may have browser preferences set that keep $_SERVER['HTTP_REFERER'] from being set, so it's possible that it would come back empty.
I'm creating a form and using it to get data input to send to a MySQL database via php. If someone hits refresh on the page Firefox ressends the last set of information to the php page which in turn sends it to the database. Is there anyway to prevent this?
To fix that problem, there exists Post/Redirect/Get pattern you need to follow :)
Post/Redirect/Get (PRG) is a common
design pattern for web developers to
help avoid certain duplicate form
submissions and allow user agents to
behave more intuitively with bookmarks
and the refresh button.
You need to do a redirect to the same page:
$current_url = (empty($_SERVER['HTTPS']) ? "http://" : "https://") . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
header ('Location: ' . $current_url);
exit ();
The usual way to do this is to use a redirect.
You get the request, use the data it contains to load your database or whatever, and then perform a redirect (I think you're supposed to use a 303 redirect for this, but I've heard of a lot of people using 302s to avoid certain browser glitches).
The net effect of this is that there was no POST data sent when the redirect occurred, so refreshing can't cause it to be resent and screw up your application/database.
If you don't like any of the above and are using JQUERY. You could do a simple load or ajax function to send the information to your script.
This will erase any chance of duplicate sending and you no page reload. I like this method best, it's fast and easy.
Another solution you can do is have your form send to another page, a bit like this:
<form action="chat_server.php" method="post">
Message: <input type="text" name="message" />
<input type="submit" />
</form>
On the chat_server.php file, you do what you need to do with the data and at the end, you do
echo '<meta http-equiv="REFRESH" content="0; url=chat.php" />';
Give it a try, should get rid of your problem.
Yes. After inserting data you do a redirect.
use a code in a hidden input and this code getting by a table codes for exmaple and if the code sending remove it from database and if the code not set in the table dont accept the query
I've never really thought about this, but it helps with some security of something I'm currently working on. Is it possible to submit GET data without an actual input field, and instead just getting it from the URL?
If so, how would I go about doing this? It kind of makes sense that it should be possible, but at the same time it makes no sense at all.
Perhaps I've been awake too long and need some rest. But I'd like to finish this project a bit more first, so any help you can offer would be appreciated. Thanks
Yes. If you add some query-string to yourl url, you can obtain that in php using $_GET without form submitting.
Going to this URL adress http://yoururl/test.php?foo=bar cause echoing foo (if there will be no foo query string, you'll get warning).
# test.php
echo $_GET['foo'] # => bar
Is this what you mean?
Link
// page.php
echo $_GET['type']; // foobar
This is what I understand of your question:
You have a <form method="get" action="foo.php">-like tag on your page
You have a series of <input type="text" name="bar"/> in your page
You want to pass additional GET parameters that are not based on an input from the form
If so, it is possible, but I hardly see how it could help with security. Input from a client cannot be trusted, so even if you hardcode the GET value, you have to check it serverside against SQL injection, HTML injection/XSS, and whatnot.
You have two ways:
Use a hidden input: <input type="hidden" name="myHiddenGetValue" value="foobar"/>
Add the GET parameter to the form action: <form method="get" action="foo.php?myHardcodedGetValue=foobar">
If what you meant is that you want to have a GET request without a form, you just need to pass all the GET parameters to the href of a link:
Click here!
Yes it's possible. Just append the GET data to the link.
For example:
<a href="main.htm?testGet=1&pageNo=54>Test</a>
You can also use Javascript to build the url.
If you happen to be using jQuery and want to build the GET data dynamically you can do this:
var getParams = { testGet:1, pageNo:54 };
$(".myLink").attr("href", url + "?" + $.param(getParams));