I have a link on the page that opens a contact form in a modal window.
How can I verify that the user clicked on the link to access the contact form, and did not go to the page directly. I don't want users or bots inadvertently browsing to that page.
Thanks in advance!
You can check for $_SERVER['X_HTTP_REQUESTED_WITH'] header, which will be xmlhttprequest whenever it's an ajax request
You can use the referral url (you can access this url in PHP using $_SERVER["HTTP_REFERER"]) but you can't rely on it. First because it can be changed using a very simple script and second because that field is not always filled.
Another method is to use session to store the last visited page and then check this in your contact page. Anyway this method will also fail if the user see another page before access to the contact form but the page which you want the users start with was already loaded.
You can send a variable with it like
Contact Me
and in the modal test weather it set or not
if(isset($_GET['co'])):
//show the form
else:
//redirect
endif;
or you can use jquery to select that link and sends a variable posted with it like
Contact Me
$('.contact').click(function(){
$.post( 'contact.php', { direct: 'no'},function()
{
//call modal from here
}
);
});
then test if direct = no
if($_POST['direct'] == 'no'):
//show the form
else:
//redirect
endif;
and the jquery solution is more reliable
Sorry I was wrong
Have a form with a hidden field that contains a token, and validate that token with the session on postback.
Related
I'm using Fancybox 2 to display some forms on my website. The form comes through from an external page into an IFrame to let the user post a message, kind of like twitter does. However I want the user to be re-directed after the form has been posted. So they post the form to a database, the Fancybox window shuts down and then they are redirected to the posts page where they see their newly posted message. Is there a way of doing this succesfully?
You can try this:
<script>
if(data == 1){
//window.location.replace("dashboard.php"); //will open the page in the fancybox
parent.$.fancybox.close(); //will close the fancybox
//parent.window.location.replace( your_url_here ); //your redirecting URL here
parent.window.location.href = 'dashboard.php'; //your redirecting URL here
}
</script>
I would recommend you to use a real form rather than a post action. You are not really using form submission otherwise, but just a POST request.
If you do that, you could use the target="_top" inside the <form tag and submit the results using the submit function of jQuery.
I have a sign up form came with 3 pages.
I use jquery $post to post error message back without refresh
2nd php page will check all data. if all data correct than it will send to 3rd page(agreement page). If user click agree in 3rd page, than all data will write into database.
However I have problem to post data to 3rd page in php by using if & else
This is a sign up form. Therefor I can't use $_GET[]
ex. else{header("location:agreement.php?email=somedata&pw=somedata");}
is any way I can pass those data to 3rd page in php?
1st page
<form>
<input type="text" name="email"/>
(some input)...
<input type="button" onclick="get();"/>
</form>
JQUERY
function get(){
$('#error').hide();
$.post('signup.php',{firstname:signup.firstname.value,...},
function(output){$('#error').html(output).fadeIn(50);})
}
2nd page
signup.php
if(will check everything){echo "error";}
//Jquery will output error without refresh the page
else{
[Need to POST all sign up data from 1st page to 3rd page]
header("to agreement.php");
}
3rd page
agreement.php
if user tick agree. All sign up data will insert into database.
Why do you not store the data in the session? Then you can easily retrive it on page 3 without having it to pass to the client, then the server and back to the client again.
When You Add Data Then On First Form Add Data into Table and use record_id in session and on all other Form Pages Just Update That database Record
Store it in session or if you show pages store it in you can also use CURL but it's "hard" way to make it. With curl you can send POST with all variables you want to another page.
Example for sending email to 3rd php
function get(){
var email = $('#email').val();
$('#error').hide();
$.post('signup.php',{firstname:signup.firstname.value,email:email,...},
function(output){$('#error').html(output).fadeIn(50);})
}
signup.php
$email = $_GET['email'];
if(will check everything){echo "error";}
//Jquery will output error without refresh the page
else{
[Need to POST all sign up data from 1st page to 3rd page]
header("to agreement.php?".$email);
agreement.php
$email = $_POST['email'];
if user tick agree. All sign up data will insert into database.
}
I want to show a login popup, kind of overlay handled by JS when user clicks on any button/link which requires user to be logged in.
For Eg: If user tries to comment without signing in, on click of post I have to show this popup.
This is not ajax call where I can just reveal the popup based on the server response.
Is there a way to do this? Maybe by checking the status code or something like that?
The challenge is, when user is logged in the specific action takes user to another page, but when user is not logged in I want to suppress this and instead show login popup in same page.
Careful, even in chrome you can directly edit the javascript just by right clicking on the page > inspect element > resources > javascript, and typing your changes in, bypassing your check. Just to keep in mind that you use it only to increase the user experience, but make sure your php or whichever server side script checks for a valid session.
So assuming you are taking care of that, if you add a class to your buttons/links like so:
Post Comment
<form><input type="submit" class="requires_login" value="Post Comment" /></form>
you could for instance use javascript or jquery:
$(document).ready(function(){
var valid_session='<?php echo (isset($_SESSION['id']) ? 'true':'false'); ?>';
$('.requires_login').on('click',function(event){
if (valid_session=='false'){
event.preventDefault();
alert('open popup instead');
//for instancce, $('#my_popup').show(); if you have:
//<div id="my_popup">You must be logged in first!</div>
}
});
});
Hope that helps!
The easiest way would be to redirect on the page that requires a login, you can do that with $this->response->redirect('auth/login');
If you really insist on a js popup you either have to use AJAX or you could write the following in your view:
<script language="javascript">
var loggedIn = <?= Auth::instance()->logged_in() ? "true" : "false" ?>
</script>
You would have to check on each action if the user is logged in before redirecting.
Also a problem with this approach is that it does not handle session timeouts.
When registration form submits using POST method and when you refresh the same page then it will prompt for resubmit or resend information. How we can prevent this?
Use post-redirect-get. In short:
You can use ajax. You keep the same php code that you put in another file, and you post the data via ajax.
You can use include a one-time random token in the form. The first time that token is submitted (with other data), an action is taken. Future submissions of the same token have no effect (or just show the same confirmation page), and submissions with blank or invalid tokens are rejected.
This also protects against cross-site request forgery.
Try this:
<?php
if (!empty($_POST)){
?>
<script type="text/javascript">
window.location = window.location.href;
</script>
<?php } ?>
I placed it into prevent_resend.php and then included it after the postdata processing was done.
// ... save data from $_POST to DB
include('prevent_resend.php');
// ... do some other stuff
How to check if the user has entered the page by clicking on the button and not from copy pasting the URL ?
For example, if a user has clicked on Register I want him/her to go to that page only by clicking the Register button and not by copy pasting the link.
Also, is it a good practice to give the page name on the address bar or should I have to hide the page. If I am hiding the page will I be able to do that ?
For example, if localhost/projname/register.php. I don't want people to see the register or login or about or anything on the address bar except localhost/projname.
Maybe check if he used $_POST, something like:
<?php
if($_SERVER['REQUEST_METHOD'] == "POST"){
// do ya thing
}
else
{
?>
<form action="index.php" method="post">
are you sure? <input type="submit" value="yes">
</form>
<?php
}
?>
You can use the HTTP_REFERER data of the $_SERVER reserved variable to see where did the user come from.
if(empty($_SERVER['HTTP_REFERER'])) {
// if we are here, the user copy pasted the url.
}
As for your second question, you can't totally "hide the page" like you're suggesting. The web server must know which page to show, so the browser must know has well.
You can however obfuscate the page name. For example you can call the page "sfhjgdjkfg" so the user won't be able to know that this is the "registering" page. But I think it's really a bad idea, why in the first place want you to hide this ?
One method is to use $_SERVER['HTTP_REFERER'] to verify that they clicked a link from your site, but this method isn't fool-proof as many Firewall and Anti-virus suites will remove the Referrer information.
A better method would be to generate a temporary session token on the pages of your site, and check for that token when the Register page is opened.
If your form uses POST parameters, the browser will pass on some POST data. You could then check
if (empty($_POST)) {
//didn't click the button, just went straight to the url
}else{
//did click the button
}