I have some strange issue using jQuery Validation plugin. Firs of all here is my code:
formvalid.js
var v = jQuery("#sendform").validate({
rules: {
/* some other rules */
captcha: {
required: true,
remote: "securimage/process.php"
}
},
messages: {
/* some other messages */
captcha: {
required:"Security code is required",
remote:"Security code is incorrect!"
}
}
});
process.php
<?php
/* I tried with and without session_start().
Both ways works with same probelm (read next)*/
//session_start();
include_once '../securimage/securimage.php';
$securimage = new Securimage();
if ($securimage->check($_GET['captcha']) == false)
echo "false";
else
echo "true";
?>
sendform.php
<?php
include_once 'securimage/securimage.php';
//echo $_POST['captcha'];
$securimage = new Securimage();
//echo "<br/>".$securimage->getCode();
if($_POST['captcha'] && $securimage->check($_POST['captcha']))
{
//do sending
}
?>
So, the problem is when I'm checking security code with AJAX request, ajax works fine, but when I'm send the form, $securimage->check($_POST['captcha']) in sendform.php returns false. Then I tried to disable remote capctha validation and viola $securimage->check($_POST['captcha']) in sendform.php returned true!
As you can see I echo some values in sendform.php and result is:
Case #1: AJAX captcha validation enabled.
Results:
echo $_POST['captcha']; // User_input_value;
echo $securimage->getCode(); // nothing
$securimage->check($_POST['captcha']) // false
Case #2: AJAX captcha validation disabled.
Results:
echo $_POST['captcha']; // User_input_value;
echo $securimage->getCode(); // code from image
$securimage->check($_POST['captcha']) // true (if equals)
Anyone know how to make it work?
Thanks for any advice.
To prevent resetting captch, you should validate yourself without calling check() function in process.php like below code
<?php
include_once 'securimage.php';
if(!isset($_GET['txtcaptcha']))
return 'false';
$securimage = new Securimage();
$securecode = $securimage->getCode();
if (strtolower($securecode) != strtolower($_GET['txtcaptcha']))
echo "false";
else
echo "true";
?>
Almost same question was asked a while ago, it seems that the captcha is resetting after each check.
What I suggest is to have a flag in your session that you would set to TRUE in your process.php after a valid captcha and then checking it instead of $securimage->check($_POST['captcha']) in your sendform.php:
if ($securimage->check($_GET['captcha']) == false) {
$_SESSION['valid'] = FALSE;
echo "false";
} else {
$_SESSION['valid'] = TRUE;
echo "true";
}
And:
if($_POST['captcha'] && isset($_SESSION['valid']) && $_SESSION['valid']) // set it back to false inside this!
Now here are two notes:
Since you are having two separate calls, some one can still change the captcha between the two calls
Since it's only a captcha and you most probably is using it to prevent spam, I wouldn't bother using the technique I posted above! actually I wouldn't even bother doing another captcha check in the sendform.php
Of course someone could spam you, but then and if you really need to use Ajax, then you have to stop processing the captcha in the jQuery plugin and just validate it when you submit your form, just like the original documentation approach.
Related
i have a multi step form and want to condition users on specific sites on my web .
This mean i want that only after submitting my form a client in my case can see the redirected page ,
And that with a kinda tim-out for that page to . this redirected page need to show only to those people who fill the form first even when users copy the link and give that link to somebody else the link should not work or should direction in a error. i have archived the last part partly
Here is all my code :
On the form.php i have this :
<?php
session_start(); $_SESSION['form_finished'] = true;
?>
On the proces.php i have this :
$emotion = $_POST['emotion'];
if($emotion == 'Basic Pack') {
session_start();
$_SESSION['form_finished'] = true;
header('Location: /new/basicc.php');
} elseif($emotion == 'Deluxe Pack') {
header('Location: html6.php');
} elseif($emotion == 'Premium Pack') {
header('Location: html7.php');
}
and destination site in this case basicc.php' this :
<?php
session_start();
if(!$_SESSION['form_finished']) {
header("HTTP/1.0 404 Not Found");
exit;
}
?>
This code is working partly because if the user on the form.php site if he just copy the basicc.php link on the address bar he can see the basic.php site imadtitly without having to fill the form , and i want that to condition him to do that and than the page to show up .
I hope i was clear thanks in advance
If proces.php is where submitting the form redirects then remove $_SESSION['form_finished'] = true; from form.php and keep it in proces.php only.
ETA: For the timer:
<script>
var remainingSeconds = 600; // how many second before redirect
function counter() {
if (remainingSeconds == 0) { clearInterval(countdownTimer); window.open('form.php', '_SELF'); // return to form page
} else { remainingSeconds--; }
}
var countdownTimer = setInterval('counter()', 1000); // 1000 is the interval for counting down, in this case 1 second
</script>
In this case, you will have to add back the statement in form.php but set it to false $_SESSION['form_finished'] = false;
ETA2: Forgot to mention that you should also add $_SESSION['form_finished'] = false; in basicc.php.
Yes you could just use a simple session for this case. Example:
If in your form action, if the form processing is in process.php. You could initialize there the session.
session_start();
$emotion = $_POST['emotion'];
$_SESSION['form_finished'] = true; // set session
// then your other process etc. etc.
if($emotion == 'Basic Pack') {
header('Location: /new/basicc.php');
} elseif($emotion == 'Deluxe Pack') {
header('Location: html6.php');
} elseif($emotion == 'Premium Pack') {
header('Location: html7.php');
}
And then on the destination files: /new/basicc.php and others, check that session existence:
/new/basicc.php and others:
if(isset($_SESSION['form_finished'])) { // so after redirection check this
//
// hello, i came from process.php
unset($_SESSION['form_finished']); // and then UNSET it! this is important
} else {
echo 'not allowed'; // if this is not set, the page is directly accessed, not allowed
exit;
}
I think the best solution is that you should only use one page, no need for sessions ;)
Try to have a particular variable set to false, send your form to the server using a POST method <form method=post> and on your server, change this variable to true and render the same page again.
In the example below, I'm checking if the user has entered his name in the form. ;)
<!-- In form.php -->
<?php
$formSubmitted = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST["name"])) {
//Do what you need to do with form data, for example:
$name = filter_var($_POST["name"],FILTER_SANITIZE_STRING);
//Maybe do some checks on the data (or add to database) and when successful:
if($name != '')
{
$formSubmitted = true; // Set variable to true
}
}
?>
<?php if($formSubmitted): ?>
Hello <?php echo $name; ?>! <!-- Show all other HTML things you want to show -->
<p> This is a message only for people who submitted the form! </p>
<?php else: ?>
<form action='form.php' method='POST'>
<input name='name' type='text'>
</form>
<?php endif; ?>
I hope it'll be useful and hopefully a different way to look at the problem. For multi-step, this could easily accommodate more variables to see which step the user is on ;)
Good luck :)
<?php
$_SESSION['csrf_token'] = md5(uniqid(rand(), true));
?>
<?php
$csrf1 = $_POST['csrf_token'];
$csrf2 = $_SESSION['csrf_token'];
if($csrf1 === $csrf2) {
//not executing
} else {
}
?>
javascript
var csrf = "<?php echo $_SESSION['csrf_token']; ?>";
var ajax = ajaxObj("POST", "index.php");
ajax.onreadystatechange = function() {
if(ajaxReturn(ajax) == true) {
if(ajax.responseText != "success"){
} else {
window.location.replace("login.php");
}
}
}
ajax.send("csrf_token="+csrf);
}
return false;
So, here's some PHP from my code that generates a CSRF token, puts it in session, then checks whether the session value and the POST value are the same. The problem is, the if statement isn't executing. When I echo out the session token right before I send off the request using ajax, the session token is the same. I'm fairly sure that the session token is changing, and I am unsure why.
Edit: I added my javascript. I removed a lot from it, so I hope I didn't mess anything up on it.
A very important piece of information OP failed to provide is that the request goes to the same script that makes his token. Therefore, what is happening is exactly what is supposed to happen. Here is a solution I provided to him on a different website.
<?php
if((isset($_SESSION['csrf_token'], $_SESSION['time']) && time() - $_SESSION['time'] > 60) || !isset($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = md5(uniqid(rand(), true));
$_SESSION['time'] = time();
}
?>
if($csrf1 === $csrf2) {
change so: if($csrf1 == $csrf2) {
I would echo the contents and visually compare the two to check for identical values. For what it is worth, have you tried strcmp()?
if(strcmp($csfr1, $csfr2) == 0) {
//Got a match
} else {
//No match, look at the two strings for debug purposes.
print("<pre> CSRF1: $csrf1 \n CSRF2: $csrf2 </pre>");
}
i'm working on a php assignment for log in function using .txt file instead of db, but i'm facing with some sort of problem here. supposedly the "invalid email or password" to be shown after a non exist details key in, but when the page load, the msg showed by default, below is my code
<?php
$lines= file("customers.txt");
$matchFound=false;
$errmsg = 'Invalid email or password';
for($i=0;$i<count($lines);$i++)
{
if ($i!=0)
{
$line=trim($lines[$i]);
$cells=explode("\t",$line);
$_SESSION['email'] = isset($_POST['email'])? $_POST['email'] : null;
$_SESSION['password'] = isset($_POST['password']) ? $_POST['password'] : null;
if ($_SESSION['email']==$cells[2] && $_SESSION['password']==$cells[3])
{
$matchFound=true;
break;
}
}
}
if ($matchFound == true)
{
header('Location: login2.php');
}
else
{
echo $errmsg;
}
?>
This is because you're not checking if the user submitted the form input correctly. The value of $matchFound is FALSE by default, and the error message will always be displayed when the script is ran.
Specify a name attribute for your form submit button, and then add an if block to make sure the form was correctly submitted:
if (isset( $_POST['submitButton'] )) {
# code...
}
That way, the code inside the if block won't be run if the user input wasn't received and you could avoid the error being displayed every time you load the page.
Also, you're missing the session_start() statement at the top of your script. This is required if you want the sessions to work properly.
Try:
if ($matchFound == true)
{
header('Location: login2.php');
}
else if(isset($_POST['email']))
{
echo $errmsg;
}
Also you need session_start to use $_SESSION array
I'd like to have my website redirect to the previous page after submitting login info.
I have searched around for this problem
I have echoed the contents of $url and even did strcmp and it evaluates true (not shown here)
Problem: The ELSE statement always evaluates even though $url == mlbmain.php OR course-website.php
Any suggestions?
<?PHP
require_once("./include/membersite_config.php");
echo "</br> </br> </br> </br>";
$url = isset($_GET['return_url']) ? $_GET['return_url'] : 'login.php';
//url now == to /mlbmain.php OR /course-website.php
$url = substr($url,1);
//url now == to mlbmain.php OR course-website.php
echo $url; //Just to make sure
$url = trim($url); //trim it to make sure no whitespaces
echo "</br>";
echo $url; //Just to make sure it's still the same
if(isset($_POST['submitted']))
{
if($fgmembersite->Login())
{
if($url == "mlbmain.php"){
$fgmembersite->RedirectToURL("mlbmain.php");
}
else if($url == "course-website.php"){
$fgmembersite->RedirectToURL("course-website.php");
}
else
$fgmembersite->RedirectToURL("index.php");
}
}
?>
After you press the Submit button you are making a POST request and the return_url variable will not be available anymore which was set with a GET request. You could create a hidden input field that will store the redirect_url and submit it with the form.
Since you say
It seems to be going to index.php by default
The problem is probably either with
if(isset($_POST['submitted']))
or
if($fgmembersite->Login())
and not related to $url at all.
I guess it can not find mlbmain.php or course-website.php at the current folder, so it throws 404 not found an probably you managed this error to redirect to index.php
I would to redirect to the next page after the form is completed and the submit button is pressed. This code works well on a windows server, but it fails to redirect to the next page on a linux server
<?php
include 'scripts/functions/init.php';
Restrict();
?>
<?php
$userid = $_SESSION['userid'];
if (empty($_POST)=== false)
{
$R_fields = array('OFO_Code','OFO_Title','Curr_Code','Curr_Title');
foreach($_POST as $key=>$value)
{
if (empty($value) && in_array($key,$R_fields)=== true)
{
$errors[] = 'fields marked with (*) are required';
break 1;
}
}
$_SESSION['Combo'] = $_SESSION['OFO_Code'].$_SESSION['Curr_Code'];
if(empty($errors)=== true)
{
if(Curr_Code_exists($_SESSION['Combo']))
{
$errors[] = 'Sorry, the Curriculum Code already exist, please use the edit function';
}
if(strlen('Curr_Code')<6)
{
$errors[] ='Curriculum Code must be at least 6 Characters';
}
}
}
?>
the above code appears just before the html, followed by the form. then just after the submit button follows the following and it also lies within the within
<?php
$_SESSION['OFO_Code'] = $_POST['OFO_Code'];
$_SESSION['Curr_Code'] = $_POST['Curr_Code'];
if(empty($_POST) === false && empty($errors)=== true)
{
//Capture data from the fields to an array
$Capture_Occupation_info = array(
'OFO_Code' => $_SESSION['OFO_Code'],
'OFO_Title'=>$_POST['OFO_Title'],
'Curr_Code'=>$_SESSION['Combo'],
'Curr_Title'=>$_POST['Curr_Title'],
'userid'=>$userid);
//Submit the data into the database
capture_occupation_info($Capture_Occupation_info);
header('Location:Capture_Menu.php');
exit();
}
else
{
//Display errors
echo output($errors);
}
?>
This is a complete shot in the dark, but might be right on. Windows is not case sensative, but NIX is.
Capture_Menu.php
Is that exactly how it is capitalized on your UNIX box?
Also, you can not display or echo to the browser before doing a header redirect. Please check for echos or even lose blank spaces after things like ?>
I have had redirections not work before because my code printed something to the output that I didn't do on purpose.
You can try this...
error_reporting(E_ALL);
ini_set('display_errors', 'On');