The info that I found hasn't worked for me or I simply don't understand what I'm reading.
A POST request is being made to a specific location (URL) and a response will be sent back to a URL that I must specify, existing on my domain. (eg www.mysite.org/answers/answer.php)
What do I need to do in order to extract every piece of information that is being sent to that location?
Right now I am redirecting from the form page after the form (having been submitted via POST) has been submitted by a user to the answer.php which checks if isset($_POST["submit"]) but it's not giving me anything.
Furthermore, if I had many users doing requests what URL would I use so that each user is redirected to their own answer page?
You need some kind of storage mechanism (session, database, etc) and a token (session id, primary key, etc).
Generate a token on your website when the user submits the data (for example, use session id).
Submit this token to the other website along with the submitted data.
Send the user to a waiting page (see below).
The other website will (hopefully) echo back the token to your answer script along with response data.
In your answer script, save the response in the storage using the token (for example, use session_id(token) function to load the user session, then set session variables).
In the waiting page, continuously poll the storage to see if the response has arrived. You could use a meta refresh tag that refreshes the page every 10 seconds.
"submit" is probably the name of the submit button? This value is only present in the request if the form is indeed submitted through the button. You could have multiple buttons, in case only the name of the clicked button is present in the post data.
Furthermore, if the user submits by just pressing enter when the last input field is selected, the form is also submitted, but no button was pressed. In this case, the name of the submit button isn't available at all in $_POST (nor $_REQUEST).
Long story short: don't check for the name of the button. Just check for available field data.
If you want you can loop through the post data:
foreach ($_POST as $postkey => $postdata)
{
// $postkey contains the key
// $postdata contains the value
// any code here is repeated for every posted value.
}
Or, as long as you're just testing:
var_dump($_POST);
instead of Post use $_REQUEST, it will work for both Post and Get
On your html form add something like this.
<form action="answer.php" method="post">
<input type="hidden" name="submitted" value="true" />
Then in answer.php
<?php
if (isset($_POST['submitted'])) {
print_r($_POST);
}
?>
Related
Suppose we have a form where we allow user to submit some text or so.... Then the form is submitted which passes the value to another page where we show result based on the input submitted in previous page. Now we know both url so we may try to access them directly but first one is ok no problem, when going to acess second page it will not have the parameters or says the value to give result ?????? so i want to prevent user getting direct access to this page without filling the form and submitting same from first page.
Eg submit a form with text box name and next page we display details of that name from database. url may looks like for second page www.domain.com/page2.php?name=somename
Any Idea?
*we already checked user to login when try accessing the first page
Try this...
if(!isset($_GET)){
header('Location: http://www.backtoyourotherpage.php/');
}
But I would use POST on your form, so that the url isn't printed in the fashion that you showed....with all the words in it
then it will become ...
if(!isset($_POST)){
header('Location: http://www.backtoyourotherpage.php/');
}
This variable have the URL that calls the page..
$_SERVER['HTTP_REFERER']
You can check if there are data passed by $_POST or $_GET but the best method is generate an aleatory string (or token), save it in the $_SESSION variable and send it in the form, then compare twice, if them match continue the execution...
There are two ways you can test how the second page is being accessed:
The simplest one is that you will always check if you're getting the required POST parameters you're looking for in your second page. You can do that by checking that the required form values exist in appropriate fields in $_POST
You can also check for the page referer, and only allow access to page B if the user is coming from page A (however, do note that the page referer can be spoofed by clients). Here's an SO question describing how to obtain the referer in a PHP page
Use the following code at the starting of your 2nd php file. This will check if the url is requested as POST or not. Assuming you have the method POST in your form. This will prevent users from directly accessing via URLs.
<?php
if(!isset($_POST)){
header("location:someotherpage.php");
}
?>
This, however does not work when the user sends POST requests from any other place.
It's also good to check for individual form fields, and redirect.
I'm working on something that allows users to edit a form they've submitted and I have two questions.
Say I'm on page viewform.php and the page to edit the form is editform.php. Is it safe to pass the form's ID through the url and use then use GET. I'll verify the person trying to access it on editform.php is the person who created it using a session ID tied to the username , set upon logging in.
If 1 isn't a safe method, how can I POST that data (using a submit button I suppose) from viewform.php to editform.php?
If I understand your question correct, what you are looking for is how to persist data across requests using forms? Because then you can have a submit URL specified in the action attribute in the form, and you can access the values of the form from that URL through the Request Object. And for submitting your data to the same page, you can use $_SERVER['PHP_SELF'] which carries a reference to the page you are on. So, to answer your question, your viewform.php will have:
<form action="editform.php">
<input type="text" name="inputvariable" />
<input type="submit" value="Go" />
</form>
And in editform.php, you can access inputvariable's value by accessing $_REQUEST['inputvariable']
Hope this helps.
Sure, $_GET is safe as long as there isn't any sensitive data transferred. An ID is what is commonly used
Why not set the method of the submitting form to 'POST'. Using 'GET' could lead to someone modifying the URL of the page and inserting data that could have some undesired effects on your website.
If using POST, when receiving the data, set your variables as such
$var1 = $_POST['variable1'];
You can save the Id in the $_SESSION array then match the id you got from the url with the id you saved in the $_SESSION.If they does not match you can show an error message.This will prevent your site from behaving undesired way if anyone changes the url.
I have a form, which has a "token" field that is unique for each page:
<form ...>
...
<input type="hidden" name="token" value="325324" />
</form>
This unique token gets stored in the database every time is generated.
When the form gets submitted, the controller that handles the processing will check the database to see if the submitted token field value exists in the database and do its stuff it it is.
After the stuff is done, the controller redirects to the same page, but adding a query argument to the url ?updated=1".
The page will display a message notifying the user who submitted the form, that his changes were updated, if that "updated" query argument exists.
So every thing is fine, except that if I refresh the page with the ?updated=1" argument, I get to see the same message, which doesn't really reflect the reality, because the form is not submitted :)
I know this is not that important, because it's not a security issue, but still I'd want to get around it. I found a solution by creating another token, let's call it token2 that I pass to the URL when redirecting as query argument. Then, when the page checks for that updated argument, it will also check if token2 exists in the database. If it does, it will delete it, then display the message. So any further requests that have the same token2 argument in the URL will not trigger the message.
But I don't like the idea of storing two tokens in the database on each page. Can I somehow use the first token to detect if I should show the message or not?
Not sure if it matters, but these one-time-tokens expire after one hour, and all expired tokens get automatically deleted from the db twice a day.
Consider adding another field to this table (DB), named "submitted".
1.User gets to the form (token is generated)
2.Inserting (token , submitted) values ('blabla' , '0')
3.the user submit the form
4.the controller that handles the processing will check the database to see if the
submitted token field value exists in the database and
update the value of submitted to 1.
5.the controller also reload the page with ?update=1 , then you'll have a condition:
if submitted == 1 : update submitted = 0
So , if the user now reload the page (notice that now submitted = 0) you'll show the form and not the message.
Using the DB for these tokens is fine, but I think you may be much better off using the session for this kind of data, especially because it's transient. It could also simplify your code a bit.
As for your specific problem, people seem to forget that you can in fact execute code after you emit the view. Your logic would be something like this:
if ($_SESSION['updated']) {
$view->addUpdatedMessage();
}
$_SESSION['updated'] = false;
I am using 9 checkboxes to get input from user and using POST method to get the data. The problem is that when I try to reload that page, the browser shows me this message-
"To display this page, Firefox must send information that will repeat any action (such as a search or order confirmation) that was performed earlier."
with 2 options, RESEND CANCEL. Please tell me what should I do. Can't use GET as it displays my whole search query.
If you are perform some search to get information, I recommend to just use GET. POST-REDIRECT-GET will also display your search query.
If you use post, the browser will confirm that you really want to do a post once more.
Use GET to get data, use POST to operate the data, in my personal opinion.
Quick and dirty: Store all the values of the check boxes in a $_Session[] array and check for that first.
if($_SESSION["CheckBox1"] === "on")
{
// Do Stuff
}
else
{
// Get $_POST[] Data and do stuff
$_SESSION["CheckBox1"] = $_POST["CheckBox1"];
...
}
When the user submits the Form you first check if the $_SESSION has data otherwise put data in it and go about your normal work. If a reload happens then the $_SESSION values are used and not the now empty $_POST array.
After posting the data, Redirect to the current page. That will cancel out the resend/cancel issue.
If your website is User-Profile based, you can have a look at the users data and return selected checked boxes.
OR
You can set a cookie value, via javascript [on checkbox click] or backend [when posting], this way you can store checked checkboxes and return it clicked on reload.
This only happen when you try to REFRESH page after POST Request.
Bowser asks you what should it do: resend POST data or simply refresh page without POSTING (send GET only).
The same behaviour on Chrome. Opera doesn't asks, just resend previously sent POST data by default.
Changed the method request type from POST to GET in my search form and got rid of the confirmation box..
I have a form on my page, and I want to send the user to the 'private' part of the page when they've submitted the form.
I want to achieve this by using sessions, but I can't find out how to set a session variable when the form is submitted. This is because the form action is an external page, and when it has been submitted it gets sent back to the page where the form is. The problem is however that I cannot catch that with HTTP_REFERER because it's an https page.
So i have no idea how to do this. Anybody? Thx!
A couple ways I can think of doing this:
Send the form to a local page that sets the session variable and then fopen()'s the remote page. Here's a post describing how to send POST data with PHP streams.
Use AJAX and the onbeforesubmit JavaScript hook. Basically, when the user clicks submit, cancel the form submission, send your AJAX request to your own server, then when it returns, submit the form. Make sure to disable the form submit button when you do this, as it could take some time for the round trip to your server.