Posting data using 'header(location: )' in php - php

i've just made a sign script for my website. The form posts the data to itself and then checks to see if all the data is correct. if so it then loads a payment page. To load this payment page i use:
header(location: payment.php);
So i want to send data over to the page that im loading, i though i could use:
$userid = mysql_insert_id();
to get the last id added to the database but its not working, maybe im using it wrong though. Anyway, i know what in my database the email address on every record with be unique as well as the id, so i thought maybe i'd change the header to:
header(location: payment.php?email=$email);
This way it would put the email address into the URL and i'd be able to find the user again on the next page by using:
$email = $_GET['email'];
Now this works fine and from that i can get the users details from the database. However i thought that putting someones email address into the URL wasn't best practice but i can't for the life of me think of another way around it.
Any suggestions or good ways of doing this?
Thanks for the time.

Use persistent data to be associated with client
Use $_SESSION to associate data with the current client, don't forget to call session_start (); before you actually append data to the array.
Note: This will require the use of cookies in the client
Include functionality into one file
Though if the only purpose of the page where the data is posted is to validate data, do that and then you could include ("payment.php");, no redirects required.
Or put the functionality of the form-landing page in payment.php instead.
Use a GET-parameter sent to payment.php
You could also redirect to payment.php?id=<val> where <val> is the id of the transaction, though you should not expose the real id since this will decrease security.
Unless you check to see so that a user can only access ids who actually belongs to them.
A hash of the payment info can be used instead since this value will not easily, or at all, be guessed.

I think you should go back and check why mysql_insert_id() isn't working. That'll be the best way to get the data across.

Just start a session before doing anything in the two pages.
<?php session_start()
and on the verification page do something like
$_SESSION['email'] = $email;
and finally on the payment page you can get the email then via
$email = $_SESSION['email'];

Once you update your payment, create/ get your GUID or your unique id from your DB, and redirect to your success page with your guid or unique id, exposing this id will not harm anyway.

Related

Avoiding or alternative to use $_GET

I am currently using to process results via $_GET variable from querystring (URL) http://example.com?id=c02df and to update etc, as you know user can see what id being sent to the next page via url (from above example id is c02df) and can change the id from the URL himself. Kindly let me know is there any alternative way to exchange the ids between pages to process the functionality accordingly which user can't see or mess with?
The best solution would be to use $_SESSION, if you don't want to allow users to tamper with the request.
If you provide more info on your code, I can provide more info on the solution.
EDIT: Here's a "workaround" for using both $_SESSION and $_GET (still without seeing your code at all):
You set $_SESSION['allowed_gets'][] = 'c02df';
Then, when the user is making the request, you check whether they are allowed to do that request:
if (!in_array($_GET['id'], $_SESSION['allowed_gets'])){ die(); }
If you have content users shouldn't be able to see, you should have a login system.
If you just want unguessable URLs, avoid sequential IDs for the $_GET parameter. You could, for example, generate a salted MD5/SHA1 hash of the ID, store it in the database alongside the ID, and use that in the URL.

Why does storing session data in my php script mess with my Ajax script?

right i have a form, it uses ajax to check the if all fields have been filled in and if not say which ones haven't without reloading the page. If all the fields have values it tghen redirects the user to a payment page.
This worked fine, but i want to save some data a session so i can retrieve the users information from the database on the payment page and send it off to moneybookers for payment.
Anyways, when i use this like of code:
$_SESSION['email'] = $result->email;
(The email address is held in an object) It seems to break my Ajax, it doesn't seem to return any validation or redirect if the form is filled out.
Does anyone know why this is happening? Maybe PHP sessions conflict with Ajax somehow.... maybe....? I'm not an expert with Javascript so i really don't know what to look for.
Thanks for the time.
var_dump($result->email); to make sure it contains whatever value you are expecting it to be.
For debugging AJAX, you can use Chrome's built in console's
Did you initialize a session with session_start() in your script?
<?php
session_start();
$_SESSION['email'] = $result->email;

pass the php variable from one page to other page

Well, I just started to work on server side scripting , I chose PHP, So let me explain where Im getting troubled.
This is very a quite simple questions.See, I have some links like these on my page1.php
profile
photos
Now when user jumps to page2.php or page3.php, I also want to pass the user unique ID to the corresponding page, say his email.so that i can update the page2.php according to the username.
When I googled, I heard lots of contradictions , some people were explaining to use session_start() and some people explains cookies and some people says POST and GETmethods. Some people said its easy to hack when you use GET or POST method and some people answered Cookies are client side and it disconnects from server and after hearing all those I decided to use session_start()
But as im a newbee I dont know what to chose,which is the best way.Could anyone kindly explain me which is the best solution to use and why? and also please provide some sample example so that i can understand it much better.Any help is greatly appreciated.Thanks
In order of preference as a solution for the problem you have presented in your question.
Sessions
As this is details of the current user the easiest way to complete this is to use PHPs sessions. This will allow you to access the details in a super global array called $_SESSION DOCs from any page that calls the session_start() DOCs function. This should appear before any output is sent to the browser so it is usually put at the very top of the PHP script.
Each user has their own session on the server and session_start() automagically provides your script with the right data for the current user.
page1.php
session_start();
$users_email_address = 'example#example.org'; // source from DB or whatever
$_SESSION['email_address'] = $users_email_address;
page2.php and/or page3.php
session_start();
echo $_SESSION['email_address'];
Please see the manual documentation for session_start() for more examples.
Use HTTP GET parameters
This works best for URLs that you may want to share - so search results pages or perhaps pagination.
Passing user details in this manner is not ideal as the user can easily change the URL in the browsers address bar. So they could change their email address to someone elses and fool your script.
Using cookies
Storing user data in cookies is not a brilliant idea as a user is able to edit cookies as they are stored on their machine.
Also cookies have a size limit of 4KB and get sent with every request header to the server - thus slowing your site down.
Using HTTP POST parameters
This the very least recommended method for doing this. POST is intended for receiving data to save it on the server and not for navigation. If the user were to press back on page3.php then they would be shown a "do you want to resumbit this form" message by their browser. Pretty unintuitive for a user who thought that they had just clicked a link and not submitted a form.
Best practice is to use session variables ( such as $_SESSION['variable_name']; ).
If you involve form submission, use POST method.
If you only get simple information by setting up parameters, use GET method.
You can use either of those.
Session
This is the best as the email address is stored in the server side. There is no way someone can get hold of the value and try to do bad things with it.
GET
Although this achives what you want by appending to the URL like page2.php?email=someone#example.com, it's easily readable in the browser address bar. It's like you don't store this value anywhere, just pass it between pages.
POST
This is similar to GET but that the parameter gets passed under the hoods. The user can still find this out if he uses plugins to his browser. Like GET, here also the value isn't really stored anywhere. To do a POST, however, you'll need to have a form on your page. Think of it like a form where you ask the user to input his email address.
<form action="page2.php" method="post">
<input type="text" name="email"/>
</form>
In the above example, you can read the value of email in page2.php by doing $_POST["email"].
Note that if you change the method to get, it becomes same as a GET request.
<form action="page2.php" method="get">
<input type="text" name="email"/>
</form>
Here, you can read the value of email in page2.php by doing $_GET["email"].
COOKIES
This works by storing a value on the user's browser. The least recommended of all approaches as the user need not have his cookies feature turned on by default.
Just complementing the answer of Treffynnon:
actually page2.php should be page1.php
Manual about session:
http://www.php.net/manual/pt_BR/function.session-start.php
session_start() must come before all html code or echo in php. In other words: before everything that generate html's code.
sessions are the best choice .Because sessions were one solution invented to over come the
STATELESS nature of the web pages .
sessions are very simple to understand and use . each user will be having an session .
When the user id is set you want to add it to a session. A session is basically a variable that is available over all your pages.
When you set your sessions you want to have session_start(); at the very top of your page. It needs to be before the <html> tag.
Set your session like so $_SESSION['user_id'] = 1;
You can then recall the value of the session on any page like this echo 'User id: ' . $_SESSION['user_id'];
This will output: User id: 1
There's a lot of info in the manual - http://www.php.net/manual/en/book.session.php

Session questions

I am having trouble in understanding of how I need to do this:
Have list of items on my home page and when users click on that, I take them to a page where i ask for name and email id(both are optional fields) and when users hit submit, I will take them to other page where they get to see all the details. the reason for that name and emails fields are to store the ip address in mysql and also the url(has the item id and date) they are on.
To do this, i am having trouble in doing it in program.
I am thinking to start a session/store cookie once they hit submit. after that I want to store the ip address, item id, date and name/email(if they filled in) in mysql db
Store everything in the mysql db
Also, how can I avoid anyone going to the page directly(the one I show after they submit) ? Is there any way can I include some condition on that page and redirect them to this log in page ?
Please help me out.
regards
Since you set session variables when the user hits the submit buttons, you can test if one of those variables is set or not and redirect accordingly.
You can also do it with POST, use the page as an action to your form, and whenever someone accesses that page you test if $_POST variables (from the form) are set or not.
As the data seem to be necessary only for the immediate use, I think that a session is the right answer in this case.
If you would then use a database query, which data would you store to associate the data to the correct user? As you said, both the data you ask are optional; even in the case there would not be optional, how do you handle the case two different users report the same name and email (it could also be the same user using two different browsers).
For temporary data like that, the session is always the better choice (except few exceptions, maybe).
I was forgetting the other question.
Also in that case, I would use a session variable. Sessions variables are the solution for values that you want to keep between different forms, without the need to keep moving them between the server, and the client side.
For more information about sessions, see PHP: Sessions

How do you recommend I pass data from one form to another, and finally to another final page?

I'm taking a class in PHP and I'm a real newbie when it comes to best practices and whatnot.
I have a little homework that the teachers wants me to hand in.
Create a form that asks a user for his name, last name, age and birthday.
When the users clicks submit, take him to the second form and ask for his location, nationality and religion.
Finally when he submits that, take him to a 'thank you' page showing all the written information he input previously.
I'm thinking about using GET to pass things along, but I've only done this with one form to another, not multiple 'hops'. Would this work?
What other way do you think I should do this? I'm not sure if this should be community wiki because I'm sure there's a perfect answer, but please let me know and I'll change it.
Thank you SO. :)
You need sessions. Sessions store an ID on the computer, (sometimes in a cookie) that references information on the server. You just create a session, and then you can put whatever data you want in it. Just grab that data on another page whenever you want.
page 1
session_start(); // start session
$_SESSION['name'] = 'Jimmy'; // put something into the session
And on the next page...
echo $_SESSION['name']; // echos "Jimmy"
session_destroy(); // don't want the session anymore
More info at http://w3schools.com/php/php_sessions.asp
Use session.. Make sure you clear it when you are done saving the data.
when rendering the second form you could include all the fields from the previous form as hidden fields.

Categories