Is it possible to tell the browser that he should not remember the action scripts page?
So when you delete a headline for example. The get action will be ?d=ID where ID is the id of the headline. After removing the headline go to the page without the get variable in the url (the header part).
<?php
if(isset($_GET['d']) && preg_match('{^[0-9]{1,3}$}',$_GET['d'])){
$hid = $_GET['d'];
$deletesql = "DELETE FROM headlines WHERE hid = $hid";
mysql_query($deletesql);
header('Location: panel.php');} ?>
But now you browser history shows the link panel.php?d=23
Can prevent the browser from remembering the page? Maybe a 303 header?
You should use POST instead of GET for this. That way the browser will prompt the user if he wants to send the information again. (typically the id argument)
Make the ID hidden in the form and then get it in the form action part using $_POST and then do the delete action and redirect once delete is successful to avoid user from re posting the form.
Related
I have this kind of a problem I can't get over with. So I have a page where you can update the information for a specific user in mySQL database, so the URL would be like this:
...updateemployee.php?userid=4
where the userid is the unique id of an each row from the database. And then I have a button on the same page that opens up a modal where I have an input that updates the password for that specific user which uses another .php file (changeemployeepwd.php) to do this. Everything works perfectly fine however let's say the input is empty meaning that I want to redirect the user back to this page: ...updateemployee.php?userid=4 and add a parameter in the URL that would open up a SweetAlert window saying that the input is empty, therefore the password can't be updated, so for this I wrote this code in (changeemployeepwd.php):
if (empty($_POST['newpwd'])) {
header('location: updateemployee.php?userid='.$userid.'?empty');
exit;
}
So when the (changeemployeepwd.php) will redirect the user back to ...updateemployee.php?userid=4 the full URL would be this: ...updateemployee.php?userid=4?empty
By the way I have the update password redirect done the same way:
If ...
header("location: updateemployee.php?userid=".$userid."?updated");
Okay now the problem is that if the URL stays as ...updateemployee.php?userid=4?empty and this time I put some value in the input it goes again to (changeemployeepwd.php) and as intended it should change the password but instead it just adds ?updated to the URL and doesn't change the password. so the whole link looks like this afterwards:
...updateemployee.php?userid=4?empty?updated
I thought that the problem was in this part:
".$userid."
Therefore, I tried to use either:
header('Location:' . $_SERVER['HTTP_REFERER'] . '?empty');
or:
header('location:javascript://history.go(-1)' . '?empty');
But none of them are working and I'm not sure what else to use here so if you have any ideas or solutions it would be greatly appreciated. Thanks in advance.
EDIT
In updateemployee.php I've done the form action like this:
<form action="changeemployeepwd.php?userid=<?php echo $_GET['userid'] ?>" method="post">
I have links that add a row to the database and then redirect to another page. In that page I want to show a message of success if it came from the insert page however the HTTP_REFERER doesn't acknowledge that page as the referer and instead shows the previous page.
So page-one.php contains a hyperlink:
http://example.com/add.php?c=359
and on add.php
header('Location: http://example.com/rows.php');
on rows.php I am expecting add.php to be the referer but it isn't instead page-one.php is.
How do I make add.php to be the referer cos that's where it is being redirected from?
The usual way it is with $_SESSION variables. Whenever you need to show a message add it:
$_SESSION['messages'][] = "your message";
Then, when you are on a page (any non-redirected page), show all of them and erase the content with:
$_SESSION['messages'] = array();
im developing php and my webpage urls are like this
http://localhost/myweb/?action=news
http://localhost/myweb/?action=my_profile
http://localhost/myweb/?action=my_upload
http://localhost/myweb/?action=my_collection
http://localhost/myweb/?action=chat
http://localhost/myweb/?action=my_friends
etc
and for example, in particular page there's delete feature that access a href link
http://localhost/myweb/?action=my_friends&delete=2414535435 <-friends id
i do this to make it tidy by making the link cant be seen without looking at the source
a href='#'
and using javascript to access the real link
$('.deleteclass').on('click', function () {
var name= $(this).attr('nameattr');
if(confirm('You sure want to delete '+name+'?')){
window.location='?action=my_friends&delete='+this.id;
}
});
the problem is, after i process the delete and load the page, i don't want the full link on the address bar.
http://localhost/myweb/?action=my_friends&delete=2414535435
i need to make it back look like this on the address bar
http://localhost/myweb/?action=my_friends
is it possible? through mod rewrite perhaps?
you can not strip a url after the browser has loaded the page.
Just do a redirect after your delete or other action.
header('Location: /myweb/?action=my_friends');
Add error/success messages to a session variable (in the action script before doing the header) so you can show them on the other page
$_SESSION['errors'] = "Delete Failed: For Some Reason";
And on the other pages check to see if the session variable exists, show it and then remove it (otherwise it will stay there and the pages will continue to think there was an error)
<?php
if(isset($_SESSION['errors'])) {
//Do some code to show the error
...
unset($_SESSION['errors']); //delete the error messages
}
is it possible to run update query only once, here i have a link or button where if he clicked his profile will be changed(updated) automatic and brought him at myaccount.php page .
All thing going fine and working properly but the main problem occuring when reloading the same page(myaccount.php) and his profile updating with every time. But i want his profile should only change when he clicked the link or that button only once...i set link as
<a href='myaccount.php.php?age =$age && status= $status' target='_blank' style='color:#E07707;font-weight:bold;'>Update Profile</a></div></div><br>
and I set update query on myaccount.php as:
if(($age== '') || ($location= '') || ($status= ''))
{
$newquery1 = "update $tabl_u something...................... where id='$id'";
}
there is no submit button no other events for update data, but only clicked by url or link where i passed some id for update data, i hope my question is done by my side and hope you will understand if something i missed or missing please let me know ...feel free to ask anything regarding my question..plz help i realy need help....thanks in advance !
You should never do any data change in a GET request.
As said in the HTML 4 and HTTP specifications
If the processing of a form is idempotent (i.e. it has no lasting observable effect on the state of the world), then the form method should be GET. Many database searches have no visible side-effects and make ideal applications of query forms.
If the service associated with the processing of a form has side effects (for example, modification of a database or subscription to a service), the method should be POST.
For example, what happens if the user has a "web accelerator" that pre loads all the urls on the page ?
You should also check that the request indeed come from the user on your website, or you open the door to a very easy CSRF vulnerability.
With that said, the usual method to fix what you want is that, after updating the user status in your database, you should issue a redirect to the non-modifying page.
base page -> click on change link -> change the status in database and redirect to base page again
<?php
if(($age== '') || ($location= '') || ($status= '')) {
mysqli_query(/* update whatever */);
header('Location: myaccount.php');
exit;
}
If he refresh the page, he is on base page so it won't change anything.
If he press "back" in his browser, he goes back to the page base too (pages that issues a redirect aren't saved in the browser history).
After you do the update, don't output anything. Instead, send the user somewhere else, for example:
header("Location: myaccount.php");
exit(0);
That way, the GET data is lost from the link and reloads won't repeat the update, while clicking the "Back" button would take the user to the page (probably the form) before the update, so - again - the update will not be repeated.
session_start();
if(isset($_GET)) {
if(empty($_SESSION['update'])) {
//update data
$_SESSION['update'] = 'Finished';
echo 'updating is finished';
}else{
echo 'Your details have beed updated already';
}
}
I have a PHP site (with CodeIgniter) that includes a registration form. I have a page with some details, which links to the form on a separate page. The form posts to a third URL which does the processing and redirects back to the first page if it's successful (or the form page if not).
Currently I am adding a parameter for success: example.com/page?success=1 which shows a success message. The problem is that some people have been sharing this URL (and clicking the Facebook Like button) so when another user opens that URL they see a message "thanks for registering!" which they obviously haven't done yet.
I thought this was the standard way of doing forms (submitting to one URL and redirecting to another) but is there a better way? I don't want to post back to the same page because then you get the POSTDATA warning when trying to reload the page.
You have three ways to do this
The way you're using
Not actually redirecting but sending request(s) with AJAX
SESSION (or, in edge case, cookies)
If you select to use SESSION, you can just assign a session variable to true
$_SESSION['registered'] = true;
and checking it on the first page
if (isset($_SESSION['registered'])) {
unset($_SESSION['registered']);
// shot the message
}
Typically you would set your flag for success in the session to display this message when the next page loads. This is commonly referred to as a Flash Message. You would then check the value/existence of this session flag and show your message or not accordingly. In most frameworks there is built in functionality for this which includes the clean up of the flag on the next request so that the message is only displayed directly after the action generating it is taken.
From the CI Sessions Documentation:
CodeIgniter supports "flashdata", or session data that will only be
available for the next server request, and are then automatically
cleared. These can be very useful, and are typically used for
informational or status messages (for example: "record 2 deleted").
Note: Flash variables are prefaced with "flash_" so avoid this prefix
in your own session names.
To add flashdata:
$this->session->set_flashdata('item', 'value');
You can also pass an array to set_flashdata(), in the same manner as
set_userdata().
To read a flashdata variable:
$this->session->flashdata('item');
If you find that you need to preserve a flashdata variable through an
additional request, you can do so using the keep_flashdata() function.
$this->session->keep_flashdata('item');
You should have some verification checks in your code that handles the processing of the form data to make sure that the required fields are filled out. Otherwise, you should be redirecting to your first page to have the user fill out the form.
Also, this could be handled via AJAX, but that would be a second step to having the proper verification in your form-processing page
HTML:
<form method="post">
<input type="text">
<input name="submitted" type="submit">
</form>
PHP:
if($_POST['submitted']{
//post was submitted process it
if(/*whatever you're doing to the form succeeds*/){
//show success
}
}
POST will not show variables in the URL.
Several solutions here, one would be to check for the form submission and if it hasn't been submitted redirect to the page with the form on it.
ie:
<?php
if (isset($_POST['submit']))
{
// process the form
}
else
{
//redirect to the form itself
header( 'Location: http://www.yourform.com' ) ;
}
?>