I'm working on something that allows users to edit a form they've submitted and I have two questions.
Say I'm on page viewform.php and the page to edit the form is editform.php. Is it safe to pass the form's ID through the url and use then use GET. I'll verify the person trying to access it on editform.php is the person who created it using a session ID tied to the username , set upon logging in.
If 1 isn't a safe method, how can I POST that data (using a submit button I suppose) from viewform.php to editform.php?
If I understand your question correct, what you are looking for is how to persist data across requests using forms? Because then you can have a submit URL specified in the action attribute in the form, and you can access the values of the form from that URL through the Request Object. And for submitting your data to the same page, you can use $_SERVER['PHP_SELF'] which carries a reference to the page you are on. So, to answer your question, your viewform.php will have:
<form action="editform.php">
<input type="text" name="inputvariable" />
<input type="submit" value="Go" />
</form>
And in editform.php, you can access inputvariable's value by accessing $_REQUEST['inputvariable']
Hope this helps.
Sure, $_GET is safe as long as there isn't any sensitive data transferred. An ID is what is commonly used
Why not set the method of the submitting form to 'POST'. Using 'GET' could lead to someone modifying the URL of the page and inserting data that could have some undesired effects on your website.
If using POST, when receiving the data, set your variables as such
$var1 = $_POST['variable1'];
You can save the Id in the $_SESSION array then match the id you got from the url with the id you saved in the $_SESSION.If they does not match you can show an error message.This will prevent your site from behaving undesired way if anyone changes the url.
Related
Suppose we have a form where we allow user to submit some text or so.... Then the form is submitted which passes the value to another page where we show result based on the input submitted in previous page. Now we know both url so we may try to access them directly but first one is ok no problem, when going to acess second page it will not have the parameters or says the value to give result ?????? so i want to prevent user getting direct access to this page without filling the form and submitting same from first page.
Eg submit a form with text box name and next page we display details of that name from database. url may looks like for second page www.domain.com/page2.php?name=somename
Any Idea?
*we already checked user to login when try accessing the first page
Try this...
if(!isset($_GET)){
header('Location: http://www.backtoyourotherpage.php/');
}
But I would use POST on your form, so that the url isn't printed in the fashion that you showed....with all the words in it
then it will become ...
if(!isset($_POST)){
header('Location: http://www.backtoyourotherpage.php/');
}
This variable have the URL that calls the page..
$_SERVER['HTTP_REFERER']
You can check if there are data passed by $_POST or $_GET but the best method is generate an aleatory string (or token), save it in the $_SESSION variable and send it in the form, then compare twice, if them match continue the execution...
There are two ways you can test how the second page is being accessed:
The simplest one is that you will always check if you're getting the required POST parameters you're looking for in your second page. You can do that by checking that the required form values exist in appropriate fields in $_POST
You can also check for the page referer, and only allow access to page B if the user is coming from page A (however, do note that the page referer can be spoofed by clients). Here's an SO question describing how to obtain the referer in a PHP page
Use the following code at the starting of your 2nd php file. This will check if the url is requested as POST or not. Assuming you have the method POST in your form. This will prevent users from directly accessing via URLs.
<?php
if(!isset($_POST)){
header("location:someotherpage.php");
}
?>
This, however does not work when the user sends POST requests from any other place.
It's also good to check for individual form fields, and redirect.
The info that I found hasn't worked for me or I simply don't understand what I'm reading.
A POST request is being made to a specific location (URL) and a response will be sent back to a URL that I must specify, existing on my domain. (eg www.mysite.org/answers/answer.php)
What do I need to do in order to extract every piece of information that is being sent to that location?
Right now I am redirecting from the form page after the form (having been submitted via POST) has been submitted by a user to the answer.php which checks if isset($_POST["submit"]) but it's not giving me anything.
Furthermore, if I had many users doing requests what URL would I use so that each user is redirected to their own answer page?
You need some kind of storage mechanism (session, database, etc) and a token (session id, primary key, etc).
Generate a token on your website when the user submits the data (for example, use session id).
Submit this token to the other website along with the submitted data.
Send the user to a waiting page (see below).
The other website will (hopefully) echo back the token to your answer script along with response data.
In your answer script, save the response in the storage using the token (for example, use session_id(token) function to load the user session, then set session variables).
In the waiting page, continuously poll the storage to see if the response has arrived. You could use a meta refresh tag that refreshes the page every 10 seconds.
"submit" is probably the name of the submit button? This value is only present in the request if the form is indeed submitted through the button. You could have multiple buttons, in case only the name of the clicked button is present in the post data.
Furthermore, if the user submits by just pressing enter when the last input field is selected, the form is also submitted, but no button was pressed. In this case, the name of the submit button isn't available at all in $_POST (nor $_REQUEST).
Long story short: don't check for the name of the button. Just check for available field data.
If you want you can loop through the post data:
foreach ($_POST as $postkey => $postdata)
{
// $postkey contains the key
// $postdata contains the value
// any code here is repeated for every posted value.
}
Or, as long as you're just testing:
var_dump($_POST);
instead of Post use $_REQUEST, it will work for both Post and Get
On your html form add something like this.
<form action="answer.php" method="post">
<input type="hidden" name="submitted" value="true" />
Then in answer.php
<?php
if (isset($_POST['submitted'])) {
print_r($_POST);
}
?>
I'm trying to figure out the best practice, as well as safest, way to store a variable with javascript for a web app I'm developing.
I have pages that are generated using php, $_GET and mod_rewrite. They are generated from the id that's given through the url. For example: http://example.com/1125/ (because of mod_rewrite what's actually happening is: http://example.com?id=1125). The php takes $_GET['id'] and retrieves information from the database in accordance the id given, etc... you get the gist.
The problem I'm having is, I have a form on that page where a user can post a question, which is sent via ajax. And I don't know the best way to store the page's id ($_GET['id']).
Right now, I have the id stored in a hidden input within the form (for example: " />). And when the form is submitted to the server and php takes a look a $_POST, it contains ["id"] => 1125. That's how I'm sending the page's id when a question is submitted via the form in the page.
The reason I think that's not secure is, anyone can edit the html (for example through Chrome's inspect element) and change the hidden input's (id) value to any other id.
So my question is, what's the safest way I can store that id with javascript, so when that question form is submitted, It can safely send the correct id to the server? Or any other suggestions thought out with best practice methods?
You only just need to validate the id in the php page that receives the ajax, if the id is valid and the user has permission to use it, then it's ok and it doesn't matter if he changed it through chrome or whatever, but you need to validate because if he changed it for the id that belongs to other user then you have to detect that and error out in that case.
This is just a matter of validate your input according to the priveleges in your application.
What is the best way to go back to a page where a form was submitted?
For example, if i send some data via POST to "save-data.php" and that file in turn uploads the posted data to a database how can i then return to the page that initially sent the POST data if the url is not known?
I'm not sure I have explained right.
MORE DETAIL:
the data is posted by an admin user only. Im using this code for an editable navigation bar stored in a database. The admin can edit the label and href then store it. The trouble is that it can be edited from any page in the site so long as you are logged in as an admin. When you hit a save button (on the same page as the navigation bar) it posts the data to a php script which inserts/updates the database. I just need to send the user back to the page where save was clicked.
If this is dynamic, you could pass a hidden input value:
<input type="hidden" name="return" value="myfile.php" />
Not a fan of this as it can be changed by the user. But I do stuff like that in my applications a lot but its more like this:
<input type="hidden" name="return_action" value="detailview" />
Then do a lot of stuff to validate the action and then permissions involved (larger conversation than this.)
If this is a static return and you control it, you can simply do this:
header('Location: myfile.php');
exit();
Just add that after your save and your fine.
Edit
Sorry just noticed if the URL is not known. Do you control all parts? Which parts do you control and to what level? I am assuming your not just letting everyone post data to a URL?
You can do it with JavaScript:
window.onload = history.go(-1);
It's impossible to do in PHP. You need to know the referring URL to send someone there. $_SERVER['HTTP_REFERER'] may contain the referrer, but it's not guaranteed to be sent (some firewalls and browsers removes the referer header).
I have a main form with a lot of inputs. The forms action is set to a php file.
After submitted the php-page shows up with all the inputs that the user typed into the form. The user has to re-check everything and hit an 'approve' button!
The problem is, I don't know how to do this...
I want to eventually put all data into a MySQL database, but only after hitting approve, not submitting the form!
Is there a way to 'recall' the php script after clicking the button 'approve'?
How is this done? I mean, I don't want to write information to the MySQL database, and then the user regrets and DOESN'T hit 'approve' and then the data is already in the database.
Thanks!
Just let me know if you need more input (I will then update the question)
One way to accomplish this is rewrite every value that was just submitted into the approval form in the form of html hidden inputs. Like this:
<form name="approval" method="post>
<input type="hidden" name="firstname" value="<?php echo htmlspecialchars($_REQUEST['firstname']); ?>" />
<input type="hidden" name="lastname" value="<?php echo htmlspecialchars($_REQUEST['lastname']); ?>" />
...
<input type="submit" value="Approve!" />
</form>
Others have suggested storing the values in the users session. If you choose to go that route, be careful about user's who like to work with multiple browser windows open at the same time. Their different forms will share the same session and depending on what order they choose to submit forms in, you could end up with some crossed wires if your code is too naive. One way around this is to generate a unique key for each form and pass it around from page to page. This of course gets messy which is why I prefer the hidden form field approach.
Another pitfall related to the session approach is the PHP's default session implementation uses the local filesystem to store session data. This breaks down when you have redundant web servers. You can, of course swap the default file based session implementation for something more sophisticated (based on memcached perhaps). But again, this is just more complexity. Why not avoid the complexity and stick with hidden form fields?
You can store the information in one of two ways: using the session or as hidden form inputs.
Using a Session It would make a lot of sense to use the session in this case. So, when the first form is submitted, start a session with the user and save all the values in it. Then, the confirmation page simply shows the data. When the user hits "approve", this triggers your script to store the information that is already in the session. This is a well-known method for persisting information between requests.
Using a Hidden Form As you write out your "approve" page, you could also write hidden form inputs along with your displayed confirmation data. Adding a new field to indicate that the user has approved this data, your script will only write to the database when it sees this confirmation value.
Without knowing much more about your application, I'd prefer using sessions in this case.
You could store all the information in a session first. Then make your calculations, and have the user approve the information. Write them from the session into the database.