I'm quite new in this PHP programming and already tried looking my issue at this forum but no success.
I have build a simple webform using PHP and stuck when trying to edit form. My form consist of below
register html form - basicallly user fill in the form and hit submit. the form will then go to register.php
Register.php - all the field store at database and I also display the form using the SESSION (not call from database) in this page.
Here is my problem start. At the dispay(register.php) I want allow user to edit his/her information and submit again(which i think use update query base on ID). But I truly don't know how to do this.
Can someone advice me or give some simple code for this so that I can have clearer view?
you also must strip slashes for avoiding Sql injection
In previous pages you must store the username from textbox of login
Something like this:
session_start();
$_SESSION['username']=$_POST['input of login txtbox'];
you can just get the condition with user cause you have just one unique user 2 users mustn't have the same user name then just store the username of them in $_SESSION
$connection=Mysql_connect('server','user','pass');
if(array_key_exists('sub2',$_POST))
{
if(!$connection)
{
echo 'connection is invalid';
}
else
{
Mysql_select_db('Your DB',$connection);
$pas=$_POST['pass1'];
$username=$_POST['username'];
$pas=mysql_escape_string($pas);
$username=mysql_escape_string($username);
$query="update user set user='$username'and pass=password('$pas') where username='".$_SESSION['username'].";
//some code
}
in your form:
<p><b>User Name:</b><input type="text" name="username" />
<p><b>Password:</b><input type="password" name="pass1" />
<input type="submit" name="sub2" value="update"/>
use this site for secure your code
Related
Hello I have a web page where users can view and edit their application information. I have an Edit button. When a user clicks on this button it takes him to an edit page. Here is my code:
<form name="form3" method="post" action="pages/application_edit.php?id=<?php echo "$id[0]";?>&pwd=<?php echo "$pwd";?>">
<input type="submit" name="Submit" value="Edit Application" class="button">
</form>`
After a click the user sees this URL:`http://website.com/pages/application_edit.php?id=1&password=Flower1
How can I hide the password from the URL?
Instead of sending the values as $_GET values, send them as $_POST values to that PHP page.
<form method="POST" action="pages/application_edit.php"> // no need for the URL query string
In the PHP file
<?php
$user_id = $_POST['id']; // similar to how you'd use $_GET
....
Although the way you're approaching this is wrong, you shouldn't be passing these values between pages. At the very least your username/id should be stored as a session variable and information should be accessed when required from a database.
Either way, that's how you can send them without having them "visible".
It seems you lack session control routines.
You should manage all private options of your application (the ones you are able to perform only - and just only - when you are logged in) inside a session to avoid exposing user credentials.
You can start learning about it here.
Also, consider encrypting your HTTP requests using SSL certificate.
I have built a website that uses HTML, CSS, PHP and MySQL. The purpose of the website is to allow students to build a word bank. The data is sent and stored in a MySQL database via PHP/HTML forms. The information is displayed using HTML/CSS/PHP.
I haven't experienced any problems with the system UNTIL the children have been accessing it in school, using iPads to access/explore the website.
The problem I'm having is simple (and also infuriating!): sometimes the children can't login to the website - every time they press the 'login' form submit button, the form 'refuses' to be submitted (returning them to the same login page, as if it had just been refreshed). The same problem also occurs when they're trying to upload a word to the database - the form submit button 'refuses' to submit the data.
Basically: the submit buttons can be 'clicked', but they don't do what they're supposed to do.
Here's the code that I've written for the login system:
<?php
if($_POST){
if(login( $_POST['user'],$_POST['pass']) ){
echo "<a href=index.php>Continue.</a>";
$_SESSION['user'] = strtolower($_POST['user']);
} else { }
} else {
?>
Please login
<form method="POST">
<input type="text" name="user" value="Username">
<br />
<input type="password" name="pass" value="Password">
<br />
<input type="submit" name="login" value="Login">
</form>
<?php
}
?>
I'm not really sure what the problem could be - I'd guess (and almost hope) that it's a problem with my code (my use of sessions, maybe?) - but if it was, then why does the system work fine sometimes, and then at other times so inconsistently? Is it a problem related to iPads?
I hope I've made myself clear enough for any helpful suggestions.
You should use session_start function to start or resume exist session.
Just append a session_start function at the begin of your code.
<?php
session_start();
if($_POST){
echo "Hello : ".$_SESSION['doc_username'];
//username sent from a different page by post method
$username = $_POST['username'];
echo "<p><strong>Showing Health Information for : </strong>";echo $username; "</p>";
if($_POST['submit'])
{
$height = mysql_real_escape_string($_POST['height']);
$weight = mysql_real_escape_string($_POST['weight']);
if($height && $weight)
{
require "dbc.php";
$query = mysql_query("UPDATE patient_info SET
height='$height',weight='$weight' WHERE username='$username'");
echo "Patient Data Saved!";
}
else
{
echo "All fields are required!";
}
The problem with this code is not in the mysql query. I have already checked it for syntax errors using phpcodechecker and there was none. There were more variables to be inserted into the database but height and weight will do for example. My problem is I am getting the username from a different page by POST method and I cannot save it in a way that it could be used by the "submit" value in this form to enable updating of that particular username. Because the username from the other form which $username cannot be referred to within the $_POST in this page, thus the username variable is blank when I click the submit button. How can I get a username sent from another page to this page by POST to be used in this form in the UPDATE query. The form does send the username to this page successfully which is proven when I can echo the username out. But it cannot be used by the form in this page. Please help as I am very new to PHP codes and I'm trying the best that I can.
On the initial page, add a hidden form element named "username" with the value you want to carry over into the form submission.
<input type="hidden" name="username" id="username" value="the.user.name">
You may store user name in session on request when it passed, or add to getparam of request or in hidden element of form:
<form action="procces.php?username={real_user_name}">
OR
<form>
<input type="hidden" name="username" id="username" value="{real_user_name}"/>
...
</form>
<input type="text" name="username" value="<?php echo $_POST['username']; ?>" />
The username in first page was transferred to another paged where you can edit it
As second page also contains a form so we also need to add username field int as when it will be posted the username will also be sent.
This had to be inserted into the 2nd form to retain the data sent from the previous in the previous page so that it can be used for the query in mysql.
First of all replace the line:
From:
if($_POST['submit'])
to:
if (isset($_POST['submit']))
If you are using a combobox then check that you have provided the name parameter in its markup like:
<select name="submit">
...
</select>
[EDIT]
After analyzing the code it is found that the HTML markup
was written after form element. I think this is the issue. Rest
appears to be Ok.
Hope this will solve the issue.
You may the user name in the session (supposed you have one, if not, you seriously should anyway):
Populating a form field like #tslocum suggested also needs to get the user name from somewhere. This is a quite common solution, but where does the user name come from?
There might be some time between submitting the name and rendering the current page, so as this is stateless but you need a state (State "we have a given username already") within that page during rendering and processing, take a look at $_SESSION global variable.
my approach:
Post 1:
....
$_SESSION['currentUser'] = $_POST['username'];
// you need some checks over here, don't use
// that as typed here, left out just for clearness.
... some time
Post 2:
...
$username = $_SESSION['currentUser'];
// again some checks over here!
read about $_SESSION in the php manuals.
In PHP I want to use a script held in a separate file to process a form and validate it. If there are errors I want the form to display the errors and original values for the user to change.
At the moment the validation script is on the same page as the form and all works ok. However I would like this away from the form and send the form variables to the script using the 'action' in the form.
If I do this though, how can I then go back to the form with error messages and original values — do I simply use $_POST in the script and a header location? or is there a better method.
If the form validates okay I'll then go to a separate page (using a header).
Can anyone help me understand the process/logic I should be trying to achieve and the function s to past variables between the pages ($_GET?)
If you want to track variables across multiple pages, it might be feasible to investigate sessions. You can assign variables from $_GET or $_POST to the session, and they will be accessible across pages.
I think what you are looking for is a framework called Model-View-Controller (MVC). In your case, your form is the "view" and script to process data is "controller" then the controller has the option what to show to the user (view) which is your form with error message or some other page with success message. But MVC is a bit more complex than that. If you want to study MVC, read some articles and choose MVC framework to use like CakePHP, CodeIgniter, Zend framework et cetera.
If you are studying basics of PHP, you might not want to start using a framework, in that case, you can do something like this (login sample):
login.php
<?php
$error = "";
$username = "";
$password = "";
//POST method used. The user is trying to login
if(isset($_POST))
{
$username = $_POST["username"];
$password = $_POST["password"];
//process login here
//check database
if($success == true)
{
header( 'Location: home.php' ) ;
}
else
{
include "login-view.php";
$error = "Either username or password is incorrect.";
}
}
else //GET method used. The user visits the login page
{
include "login-view.php";
}
?>
login-view.php
<p><?php echo $error; ?></p>
<form method="post" action="login.php">
<input type="text" name="username" value="<?php echo $username ?>" />
<input type="password" name="password" />
<input type="submit" value="send" />
</form>
The code above goes like this:
1) The user visit the login page. login.php will detect that the method used is GET -- cliocking a link, opening a bookmark or typing URL to address bar. login.php then will include login-view which contains the form.
2) The user type his username and password and click submit button. login.php will detect that the request is POST, then validate username and password, provide error message if necessary. If valid, then redirect to home page, if not, include login-view.php (form), this time with error message and previously typed username.
Sorry I have posted this question and I googled it alot still Im unable to solve this
I have a php page that has a form and when user clicks refresh or F5 it creates duplicate values in the database and also a message is alerted to the user, indicating resubmitting may insert duplicate values in database.My boss dont want that alert box of the browser to user and also insertion of duplicate values into the database
I know its header(). I read lot of header() in php manual and also server_name functions but still I tried in many ways putting in the top but cant solve it. its very important. can anyone please help me with a sample of code explaining the way to do.any help is greatly appreciated.
<form method="post" action"demo.php">
<input name="fname" type="text">
<input type="submit" value="submit">
</form>
demo.php
<?php
$firstname = $_POST['fname'];
?>
Tell me what should i add in the demo.php page to stop it from submitting the form again and again and also if user clicks back button on the browser it should not direct to the previous page , it should still redirect to current page.
So if user clicks refresh or back button it should redirect to current page only and should not insert any duplicate values and also alert box should be disabled.Please explain me what to do here, im in deep help.Thanks
There's lots of things wrong with your code, and lots of ways to mitigate the impact.
First, why are you creating duplicate entries?
In addition to the problem of bad data is also implies that your site is vulnerable to CSRF. Go read up on how to prevent CSRF with single-use tokens.
If you've got performance problems with your site, then users will often click on the submit button multiple times. While addressing the duplicate submission problem on the database, use javascript to disable the submit links on the page and provide visual feedback that the page is doing something.
Redirects are not the way to solve the problem.
My boss dont want that alert box of the browser
Are you talking about the duplicate post alert? While you can get around this using PRG, that creates other problems.
You must post a unique id (session_id) and save it in the database.
When your registration, test if the session_id is already present. If so, send a message to THE USER. "You have already post out this form"
The code:
<?php session_start; ?>
<form method="post" action"demo.php">
<input name="fname" type="text">
<input type="submit" value="submit">
<input type="hidden" name="session_id" value="<?php echo session_id();?>">
</form>
demo.php
<?php
//test session_id in database
$session_id = session_id();
mysql_connect('localhost','xxx','xxx');
mysql_select_db('xxx');
$return = mysql_query("SELECT COUNT(*) AS nb_data FROM TABLENAME WHERE session_id='".session_id()."'");
$data = mysql_fetch_assoc($return);
if ($data['nb_data'] == 0){
echo 'Your message';
}
else{
$firstname = $_POST['fname'];
//.....
header('location:xxx.php')?
}
?>
I would use php header function to replace the current location so if the user clicks refresh, it won't repost the information and a session to store the posted value and check for resubmissions.
demo.php
<?php
session_start();
if($_POST)
{
if(!isset($_SESSION[fname]))
{
//database queries here
}
$_SESSION[fname] = $_POST['fname'];
header('location:demo.php', true); //true replaces the current location
}elseif(!issset($_SESSION[fname])){
header('location:form.php');
}
$firstname = $_SESSION[fname];
?>
form.php
<form method="post" action"demo.php">
<input name="fname" type="text">
<input type="submit" value="submit">
</form>
You need ON DUPLICATE KEY , this will update the record instead of creating a copy of it :
http://dev.mysql.com/doc/refman/5.0/en/insert-on-duplicate.html
so it wouldn't matter if they hit refresh or resubmit, if the record existed already it would just get updated.
The solution will be to redirect the page after database operations like insert, update and delete
pageName: test.php
if(isset($_REQUEST['deleteBtn']))
{
$emp_id=$_REQUEST['emp_id'];
$count=mysql_query("delete from employees where emp_id=$emp_id");
header("location:test.php");
}
This way if you click F5 or back button the form data will not get posted again.
What you want is to embed a session id in your form when you create it, and to track that session id on the server. Then, when the form is submitted and you are processing the form on the server, if the form was submitted more than once, you can overwrite the first submission in your database, or respond with an error message, or whatever. (Show the popup only on the first submission, whatever.)
An easy way to do this is to generate a session id, send it as a hidden field in the form, and when the form is submitted store the session id in your database with the constraint that the session id be unique.