I want to redirect the user to some url in other website, but to send with his redirect some post variable.. is this possible? And if yes, how?
Thanks.
It is not. :(
You can however submit an hidden form using Javascript.
EDIT: shame upon me. It seems it can be achieved w/o Javascript. Try to post some data to a PHP page you write yourself, which basically tells the browser to do a 303 See Other redirect. It shall work, in the sense that the browser should re-POST the data on the redirection target, but someone reports this causes the browser to show a "really repost the data?" message, like the one you see if you refresh a web page you loaded with a POST.
However, even if it works, I think nobody does it.
Related
First of all, this is my first post in Stack Overflow and I'm trying to learn PHP/MySql for a personal project that I'm working on. I think I will be spending alot of time on here to ask heaps of questions, so forgive me if I ask too many questions that you may find trivial.
On with the question.
I'm using a combination of ajax and PHP to process server side scripts. What I want to do is have a PHP module that will accept input, process something, and provide output. Much like a function.
What I'm trying to wrap my head around is how can I make PHP like a black box process module, like a function, rather than a page.
As an example, I have a login.html page which uses AJAX to send request to a login.php page. The login.php accepts the input, process the input, and output a json object which tells the calling page if it is successful, and if not will list the errors that it encountered along the way.
Here lies the issue. I don't want user to be able to go to login.php directly. In fact, I don't even want login.php to be visible to the public. The login.php is only a process, so if you go to it, it will be blank. This doesn't seem like a good practice to let users see a blank page.
I thought about putting the login.php outside the public folder, but this would mean that ajax won't be able to make a request to it either.
To get around this I have the login.html sit within the login.php. It will make a request to itself, then based on the type of request, the php will perform different things. This will resolve the "blank page" issue. But I can't help wonder if there is a way to make a standalone PHP module without having to make it work like a page also.
Any thoughts into this will be much appreciated. Thanks.
If an AJAX can request the page, then any user will be able to navigate to the page with their browser. You really shouldn't be concerned with this, because unless they snoop around they won't happen upon the PHP page. If you want a little bit of verification that the request was made by AJAX you can look for the X-Requested-With header, but this doesn't always work because every browser doesn't send this:
if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
// Ajax Request
} else {
// Not AJAX, redirect to login page
header('Location: login.html');
exit();
}
To make this work reliably on every browser, you'll need to set this header on the clientside:
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
However this is still not fullproof because anyone can send a header with a program like Tamperdata, but this should be good enough to prevent the lazy snoop. Again though, allowing users to see this page (if they snoop) won't be a huge problem. It's not going to create a security vulnerability and on the off chance that a user stumbles upon the login.php page, they'll be redirected back to login.html.
Anything you send an AJAX request to can also be navigated to directly, by the nature of AJAX. All you can do is not provide the user with any indication that that page exists.
You do have the option of having one PHP file call another, via include. That way, you can have the request to login.php change behavior based on the request, but have the login handling actually processed by a file that isn't publicly accessible:
if($_POST) {include '../login-handler.php'; die();}
I am working on a my site to allow users to take test so they can see how much they know of a particular subject. I am running into a little problem though. Once a user submits the test for grading, how do I prevent them from going back to the test page? I am on a Mac with Safari running and when I click the back button in my web browser after I submit the test it leaves all of the answers I answered filled out. I want it do this: When a user submits a test and they click the back button in their web browser it redirects them to the main test page.
I am using PHP and MYSQL. I even have the test pages setup so that the user must come from a certain url (I am using HTTP_REFERER) and I have tried other stuff such as sessions but I cannot seem to figure this out. Any help is greatly appreciated.
You don't stop them.
Instead change your application so that it still works even if they go back. You can embed a unique number in a hidden field on the page and if they resubmit the same test twice you can detect it and display an appropriate error message. You should also think about what should happen if they modify the unique number.
If you don't want people to post different answers once they have already answered, all you have to do is check, in the script that accepts the test for grading, that the user has never submitted the test before. If you don't, a clever student will always be able to to circumvent your protection by sending an appropriate request directly to that script.
If you don't want people to see previous answers (for instance, if you have two people grade their tests on the same computer), consider using AJAX on the test page to submit the answers and then erase them from the fields. This way, most browsers will not remember the answers and the back button will not un-erase data that was erased by JavaScript.
At the top of the grade page, put the following:
session_start();
$_SESSION['testcomplete'] = 'yes';
Then at the top of each page of the test, put this:
session_start()
if ($_SESSION['testcomplete'] == 'yes') {
header("Location:cheater.php");
}
You could simulate there being no page to go back to. From one page, generate each test page using jQuery, and provide no way to go back, only forward. The back button would take them to the page before they ever launched the test, and you could allow them to launch the test again and generate the right part where they should be. This would be pretty easy, if you haven't gone too far in development the current way.
You could run javascript that clears out all the answers. You might also just allow one submission so that subsequent submissions don't get processed. HTTP_REFERER is usually sent, but can be spoofed and forged by an altered browser.
On the top of the script POST-ing the answers, do a check whether you have the test results in the database for the current user for this test. If you do, redirect to results.
if(get_test_results($user)){
$test_url = get_test_url($user);
header( "Location: $test_url" ) ;
}
Disabling the back button is not a good idea.
I was facing a similar problem making an online examination myself
what I did is
I provided a session variable such that if the user pastes the previous page's URL in the address bar then on loading the page the page is automatically forwards to the next desired page. Whether the page whose URL was mentioned is the being visited the first time or being revisited is determined by the value of the session variable
If the user instead of loading the page does a go back via the browser button the it automatically redirects to the next page in history as :
javascript:window.history.forward(1);
Hope this helps :)
http://www.htmlgoodies.com/tutorials/buttons/article.php/3478911/Disabling-the-Back-Button.htm you should be able to do it in javascript.
I need to cause a user's browser to post data using PHP to another site.
Example: You go to start.com/auto-login-hack (via GET)... then PHP sets the right headers etc. and causes the browser to, via POST, go to 3rdparty.com/login.php with login credentials.
I have done this is the past by having an HTML form and an onload script that submits the form to the destination.
I don't know enough about headers and etc. Is this possible? Can anyone link an example? My search skills just turned up how to use $_POST.
Thanks.
Yes, you can submit POST requests from PHP.
One of your choices is to use curl as shown in this SO question.
However, you cannot do redirects.
You cannot redirect to a POST; this is a limitation of HTTP. You'd have to use JavaScript to cause the browser to post a form.
I remember reading somewhere it's a good practice to redirect pages using GET to show the next page after a POST request. Why is it so?
This way, if the user reloads the page, the browser won't send another POST.
For example, if the page is an order confirmation page, you don't want the order to be repeated if the user refreshes the page.
It's because if a user submits a form and is taken to the thankyou page, then refreshes that page, the browser will prompt the user to resubmit the form, thus creating two posts to your data handler. If you redirect to the thankyou page with GET, the post vars are empty so the form won't be resubmitted.
I'm not sure it's still considered good practice - haven't heard anything on the subject for a while.
GET is idempotent while POST isn't. If the user reloads the page (or returns there by clicking the browser's Back button), nothing breaks.
I would assume this is so that the following page is bookmarkable.
If you can't remember why it's good practice then maybe there isn't a good justification for it.
IMHO, it's a case of swings and roundabouts - and certainly easy to argue the converse - whether its good practice or not really depends on how it fits in with the rest of your code.
C.
Does anyone know of a way to prevent the browser from asking the user to resend form information.
I know you can redirect the browser with:
<php
header("location http://example.com");
?>
But this seems so inefficient and takes 2 request.
Hope you can help.
duplicate of: How do I stop the Back and Refresh buttons from resubmitting my form?
Either redirect like your example, or use AJAX to submit the form in the first place. The browser has no way of requesting the same page without requesting the same page.
Not re-submitting the data would be the same as requesting a different page, so you're kinda stuck.
As far as I know, there is nothing you can really do when it comes to that behavior in POST requests. The redirect, perhaps seemingly inefficient, is actually the best way to do it. You're telling the browser that you've done all the work necessary for the post request and now you're going to send it to a page that will never change, no matter how many times you call it, making it easily bookmarkable and reusable.