Display a (refreshed) page to see results

JaneyMetro
Forum Newbie
Posts: 6
Joined: Wed Sep 07, 2016 12:10 pm
Location: Toronto


Post by JaneyMetro »

I made a recipe site where I can update records via an edit page. After submitting the edits, I'd like the browser to automatically go back to the page I wanted to update to see the results. I thought about using JS to accomplish this:

Code: Select all

if(mysqli_query($con, $sql)){
    echo "<script> alert('You have successfully updated.');
            window.location.href='javascript:history.go(-2)';
          </script>";

 }else{
    echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
 }
but this only forces the browser to go back to the page and not a refreshed page with the changes visible. I need to manually refresh the page to see the results this way.

I also tried:

Code: Select all

if(mysqli_query($con, $sql)){
    echo "<script> alert('You have successfully updated.');
            window.location.href='01T.php?id=$id';
          </script>";

 }else{
    echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
 }
since 01T.php is the page with the displayed info on it, but that didn't work.

How do I redirect the browser to the same id that I edited (via the edit.php page) to see the results, using a more proper PHP solution?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Display a (refreshed) page to see results

Post by Celauran »

You could use a simple header redirect or something like Symfony's RedirectResponse
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Display a (refreshed) page to see results

Post by Christopher »

In PHP, use header('Location: http://mysite.com/myppage.php') to set the HTTP header to redirect. See the manual for the header() function.
(#10850)
JaneyMetro
Forum Newbie
Posts: 6
Joined: Wed Sep 07, 2016 12:10 pm
Location: Toronto

Re: Display a (refreshed) page to see results

Post by JaneyMetro »

I think the problem is that the edit page is willing to POST to the id in question (which is why the edits are made), but not go back to that id page because the edit.php page doesn't know what it is. I thought that just placing $id in the Location:

Code: Select all

01T.php?id=$id
would work, but it doesn't return the id being edited. When I try this the page url that comes back is

Code: Select all

mysite.com/01T.php?id=
... there's no actual id in the address.

I guess I'm trying to do two things; post the edit I made, and then go back to the original page id that I was making edits to so I can see the results.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Display a (refreshed) page to see results

Post by Celauran »

Sounds like $id isn't defined in that context. You must have it available, though, or the update itself would fail. Without seeing the code in question I can only guess, but maybe check in your $_POST array?
JaneyMetro
Forum Newbie
Posts: 6
Joined: Wed Sep 07, 2016 12:10 pm
Location: Toronto

Re: Display a (refreshed) page to see results

Post by JaneyMetro »

That would help, wouldn't it? This is the code for my edit.php page:

Code: Select all

<?php
include 'connect.php';
if(isset($_POST['btn_submit'])){
    $sql = "UPDATE oppskrift_table SET category = '".$_POST['txt_category']."',
               bilde = '".$_POST['txt_bilde']."',
               title = '".$_POST['txt_title']."',
               duration = '".$_POST['txt_duration']."',
               servings = '".$_POST['txt_servings']."',
               ingredients = '".$_POST['txt_ingredients']."',
               directions = '".$_POST['txt_directions']."'
               WHERE id = '".$_POST['id']."'   ";
    if(mysqli_query($con, $sql)){
        echo "<script> alert('Your edits were made.');
window.location.href='01T.php?id=$id';
</script>";
    }else{
        echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
    }
}

$id = '';
$category = '';
$bilde = '';
$title = '';
$duration = '';
$servings = '';
$ingredients = '';
$directions = '';

if (isset($_GET['id'])){
    $sql = "SELECT id, category, bilde, title, duration, servings, ingredients, directions FROM oppskrift_table WHERE id=".$_GET['id'];
    $result = mysqli_query($con, $sql);
    if(mysqli_num_rows($result) > 0){
        $row = mysqli_fetch_assoc($result);
        $id = $row['id'];
        $category = $row['category'];
        $bilde = $row['bilde'];
        $title = $row['title'];
        $duration = $row['duration'];
        $servings = $row['servings'];
        $ingredients = $row['ingredients'];
        $directions = $row['directions'];
    }
}

?>

Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Display a (refreshed) page to see results

Post by Celauran »

So if you replaced $id with $_POST['id'], you'd end up with something like this

Code: Select all

<?php

include 'connect.php';

if (isset($_POST['btn_submit'])) {
    $sql = "UPDATE oppskrift_table SET category = '".$_POST['txt_category']."',
        bilde = '".$_POST['txt_bilde']."',
        title = '".$_POST['txt_title']."',
        duration = '".$_POST['txt_duration']."',
        servings = '".$_POST['txt_servings']."',
        ingredients = '".$_POST['txt_ingredients']."',
        directions = '".$_POST['txt_directions']."'
        WHERE id = '".$_POST['id']."'   ";
    if (mysqli_query($con, $sql)) {
        header('Location: 01T.php?id=' . $_POST['id']);
        exit;
    } else {
        echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
    }
}
// rest of code below
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Display a (refreshed) page to see results

Post by Celauran »

Also, I'd feel remiss not to mention that your queries leave you wide open to SQL injection. Take a look at prepared statements.
JaneyMetro
Forum Newbie
Posts: 6
Joined: Wed Sep 07, 2016 12:10 pm
Location: Toronto

Re: Display a (refreshed) page to see results

Post by JaneyMetro »

Celauran, that worked. Thank you very much!

I thought about being hacked. I took some measures to prevent this; one was to try to get Google to bypass my site for indexing by adding <META NAME="GOOGLEBOT" CONTENT="NOINDEX, NOFOLLOW"> at the top of the pages so they don't show up in a Google search. I also tried to avoid back-door viewings by redirecting direct landings to the index page, which is password protected. I'm hoping that's enough.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Display a (refreshed) page to see results

Post by Celauran »

None of those are going to protect you against SQL injection. I definitely recommend addressing that, but it's your site so it's your call.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Display a (refreshed) page to see results

Post by Christopher »

JaneyMetro wrote: I thought about being hacked. I took some measures to prevent this; one was to try to get Google to bypass my site for indexing by adding <META NAME="GOOGLEBOT" CONTENT="NOINDEX, NOFOLLOW"> at the top of the pages so they don't show up in a Google search. I also tried to avoid back-door viewings by redirecting direct landings to the index page, which is password protected. I'm hoping that's enough.
Yes, that is not providing actual protection. Use the filter function (http://us3.php.net/manual/en/function.filter-input.php). And also use prepared statements with mysqli.
(#10850)
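
The advice in the replies above (prepared statements, filter_input(), a header() redirect) combined into the POST branch of edit.php. This is an added example, not code posted by anyone in the thread; it reuses the thread's table and field names and assumes connect.php sets $con to a mysqli connection.

```php
<?php
// Added example, not code from the thread. connect.php is assumed to set
// $con to a mysqli connection, as in the posted edit.php.
include 'connect.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['btn_submit'])) {
    // The id must be a positive integer; anything else is rejected outright.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid recipe id.');
    }

    // Free-text fields are not rewritten; they travel as bound values, so
    // quotes and semicolons in a recipe are stored as plain data.
    $params = [];
    foreach (['category', 'bilde', 'title', 'duration',
              'servings', 'ingredients', 'directions'] as $field) {
        $value = $_POST['txt_' . $field] ?? '';
        $params[] = is_string($value) ? $value : '';
    }
    $params[] = $id;

    try {
        $stmt = mysqli_prepare($con,
            'UPDATE oppskrift_table
                SET category = ?, bilde = ?, title = ?, duration = ?,
                    servings = ?, ingredients = ?, directions = ?
              WHERE id = ?');
        mysqli_stmt_bind_param($stmt, 'sssssssi', ...$params); // 7 strings, 1 int
        mysqli_stmt_execute($stmt);
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side instead of echoing mysqli_error() to the page.
        error_log('Recipe update failed: ' . $e->getMessage());
        http_response_code(500);
        exit('The update could not be saved.');
    }

    // $id is a validated integer, so it can go straight into the redirect.
    header('Location: 01T.php?id=' . $id, true, 303);
    exit;
}
```

The SELECT that loads the record by $_GET['id'] concatenates request input in the same way and needs the same validation and binding.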
JaneyMetro
Forum Newbie
Posts: 6
Joined: Wed Sep 07, 2016 12:10 pm
Location: Toronto

Re: Display a (refreshed) page to see results

Post by JaneyMetro »

Celauran wrote: None of those are going to protect you against SQL injection. I definitely recommend addressing that, but it's your site so it's your call.
I found a method W3 school recommends to prevent SQL injection; in the form action place

Code: Select all

action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"
This should prevent special characters like ; : ' / from being accepted so no interjection commands can be made to the database.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Display a (refreshed) page to see results

Post by Christopher »

Well don't trust W3 school. The $_SERVER["PHP_SELF"] may not be trustworthy -- be careful of $_SERVER vars. And you really want to urlencode URLs, not htmlspecialchars(). Better to have your base URL in your configuration so you know where it came from.
(#10850)
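
One way to follow the advice in the post above: build the form action from a configured base URL instead of $_SERVER["PHP_SELF"], percent-encode query values, and HTML-escape only when writing into the attribute. This is an added example, not code from the thread; APP_BASE_URL, app_url() and attr() are hypothetical names and the address is a placeholder.

```php
<?php
// Added example. APP_BASE_URL would live in the site's configuration file;
// the value here is a placeholder, not the poster's real address.
const APP_BASE_URL = 'https://recipes.example/';

// Build an application URL from the configured base. http_build_query()
// percent-encodes every parameter name and value.
function app_url(string $script, array $params = []): string
{
    $url = APP_BASE_URL . rawurlencode($script);
    if ($params) {
        $url .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return $url;
}

// Escape for an HTML attribute at the moment of output, nothing earlier.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A missing or non-numeric id becomes 0, which matches no record.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) ?: 0;
?>
<form method="post" action="<?= attr(app_url('edit.php')) ?>">
    <input type="hidden" name="id" value="<?= attr((string) $id) ?>">
    <!-- txt_* inputs and the btn_submit button go here -->
</form>
```

Neither encoding step changes what the form later POSTs to the database; those values still need bound parameters.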