Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 12:29 pm
by JaneyMetro
I made a recipe site where I can update records via an edit page. After submitting the edits, I'd like the browser to automatically go back to the page I wanted to update to see the results. I thought about using JS to accomplish this:
Code:
    if(mysqli_query($con, $sql)){
        echo "<script> alert('You have successfully updated.');
        window.location.href='javascript:history.go(-2)';
        </script>";
    }else{
        echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
    }
but this only forces the browser to go back to the page and not a refreshed page with the changes visible. I need to manually refresh the page to see the results this way.
I also tried:
Code:
    if(mysqli_query($con, $sql)){
        echo "<script> alert('You have successfully updated.');
        window.location.href='01T.php?id=$id';
        </script>";
    }else{
        echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
    }
since 01T.php is the page with the displayed info on it, but that didn't work.
How do I redirect the browser to the same id that I edited (via the edit.php page) to see the results, using a more proper PHP solution?
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 12:34 pm
by Celauran
You could use a simple header redirect or something like Symfony's RedirectResponse.
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 12:35 pm
by Christopher
In PHP, use header('Location: http://mysite.com/myppage.php') to set the HTTP header to redirect. See the manual for the header() function.
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 12:59 pm
by JaneyMetro
I think the problem is that the edit page is willing to POST to the id in question (which is why the edits are made), but not go back to that id page because the edit.php page doesn't know what it is. I thought that just placing $id in the Location: would work, but it doesn't return the id being edited. When I try this, the page URL that comes back is ... there's no actual id in the address.
I guess I'm trying to do two things; post the edit I made, and then go back to the original page id that I was making edits to so I can see the results.
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 1:07 pm
by Celauran
Sounds like $id isn't defined in that context. You must have it available, though, or the update itself would fail. Without seeing the code in question I can only guess, but maybe check in your $_POST array?
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 1:23 pm
by JaneyMetro
That would help, wouldn't it? This is the code for my edit.php page:
Code:
    <?php
    include 'connect.php';
    if(isset($_POST['btn_submit'])){
        $sql = "UPDATE oppskrift_table SET category = '".$_POST['txt_category']."',
                bilde = '".$_POST['txt_bilde']."',
                title = '".$_POST['txt_title']."',
                duration = '".$_POST['txt_duration']."',
                servings = '".$_POST['txt_servings']."',
                ingredients = '".$_POST['txt_ingredients']."',
                directions = '".$_POST['txt_directions']."'
                WHERE id = '".$_POST['id']."' ";
        if(mysqli_query($con, $sql)){
            echo "<script> alert('Your edits were made.');
            window.location.href='01T.php?id=$id';
            </script>";
        }else{
            echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
        }
    }
    $id = '';
    $category = '';
    $bilde = '';
    $title = '';
    $duration = '';
    $servings = '';
    $ingredients = '';
    $directions = '';
    if (isset($_GET['id'])){
        $sql = "SELECT id, category, bilde, title, duration, servings, ingredients, directions FROM oppskrift_table WHERE id=".$_GET['id'];
        $result = mysqli_query($con, $sql);
        if(mysqli_num_rows($result) > 0){
            $row = mysqli_fetch_assoc($result);
            $id = $row['id'];
            $category = $row['category'];
            $bilde = $row['bilde'];
            $title = $row['title'];
            $duration = $row['duration'];
            $servings = $row['servings'];
            $ingredients = $row['ingredients'];
            $directions = $row['directions'];
        }
    }
    ?>
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 1:30 pm
by Celauran
So if you replaced $id with $_POST['id'], you'd end up with something like this:
Code:
    <?php
    include 'connect.php';
    if (isset($_POST['btn_submit'])) {
        $sql = "UPDATE oppskrift_table SET category = '".$_POST['txt_category']."',
                bilde = '".$_POST['txt_bilde']."',
                title = '".$_POST['txt_title']."',
                duration = '".$_POST['txt_duration']."',
                servings = '".$_POST['txt_servings']."',
                ingredients = '".$_POST['txt_ingredients']."',
                directions = '".$_POST['txt_directions']."'
                WHERE id = '".$_POST['id']."' ";
        if (mysqli_query($con, $sql)) {
            header('Location: 01T.php?id=' . $_POST['id']);
            exit;
        } else {
            echo "An error has occurred. Please go back and check the code: ".mysqli_error($con);
        }
    }
    // rest of code below
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 1:31 pm
by Celauran
Also, I'd feel remiss not to mention that your queries leave you wide open to SQL injection. Take a look at prepared statements.
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 2:07 pm
by JaneyMetro
Celauran, that worked. Thank you very much!
I thought about being hacked. I took some measures to prevent this; one was to try to get Google to bypass my site for indexing by adding <META NAME="GOOGLEBOT" CONTENT="NOINDEX, NOFOLLOW"> at the top of the pages so they don't show up in a Google search. I also tried to avoid back-door viewings by redirecting direct landings to the index page, which is password protected. I'm hoping that's enough.
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 2:21 pm
by Celauran
None of those are going to protect you against SQL injection. I definitely recommend addressing that, but it's your site so it's your call.
Re: Display a (refreshed) page to see results
Posted: Wed Sep 07, 2016 10:32 pm
by Christopher
JaneyMetro wrote: I thought about being hacked. I took some measures to prevent this; one was to try to get Google to bypass my site for indexing by adding <META NAME="GOOGLEBOT" CONTENT="NOINDEX, NOFOLLOW"> at the top of the pages so they don't show up in a Google search. I also tried to avoid back-door viewings by redirecting direct landings to the index page, which is password protected. I'm hoping that's enough.
Yes, that is not providing actual protection. Use the filter function (http://us3.php.net/manual/en/function.filter-input.php), and also use prepared statements with mysqli.
Re: Display a (refreshed) page to see results
Posted: Thu Sep 08, 2016 5:20 pm
by JaneyMetro
Celauran wrote:None of those are going to protect you against SQL injection. I definitely recommend addressing that, but it's your site so it's your call.
I found a method W3 school recommends to prevent SQL injection; in the form action place
Code:
    action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"
This should prevent special characters like ; : ' / from being accepted so no interjection commands can be made to the database.
Re: Display a (refreshed) page to see results
Posted: Fri Sep 09, 2016 1:12 am
by Christopher
Well, don't trust W3 school. The $_SERVER["PHP_SELF"] may not be trustworthy; be careful of $_SERVER vars. And you really want to urlencode URLs, not htmlspecialchars(). Better to have your base URL in your configuration so you know where it came from.
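Pulling the replies in this thread together (Celauran's header() redirect with exit, the prepared-statement advice, Christopher's filter_input() and configured-base-URL points), here is an added example of what the edit.php update path looks like with all of them applied. It is not code from any of the posters. It assumes connect.php creates $con as a mysqli connection, that the table and column names are the ones in the original post, that 01T.php is the display page, that mysqlnd is available (for get_result()), and it uses a placeholder BASE_URL constant where a real site would read the value from its configuration file.

```php
<?php
// Added example, not code from the thread. Assumed: connect.php creates $con as a
// mysqli connection; table and columns are those from the original post; 01T.php is
// the display page; BASE_URL is a placeholder that would normally come from config.
declare(strict_types=1);

include 'connect.php';
// Make mysqli throw on errors so a failed prepare/execute cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Known-good base URL from configuration, not from $_SERVER['PHP_SELF'] or HTTP_HOST,
// both of which the client can influence. Placeholder value for this example.
const BASE_URL = 'https://recipes.example';

// Allow-list of updatable columns, mapped to the POST field that carries each one.
const EDITABLE_FIELDS = [
    'category'    => 'txt_category',
    'bilde'       => 'txt_bilde',
    'title'       => 'txt_title',
    'duration'    => 'txt_duration',
    'servings'    => 'txt_servings',
    'ingredients' => 'txt_ingredients',
    'directions'  => 'txt_directions',
];

/** Build the URL of the display page; the id is URL-encoded, not HTML-escaped. */
function recipeUrl(int $id): string
{
    return BASE_URL . '/01T.php?id=' . rawurlencode((string) $id);
}

/**
 * Update one recipe. Column names come from the fixed allow-list, so the only
 * attacker-controlled data reaches MySQL as bound parameters, never as SQL text.
 */
function updateRecipe(mysqli $con, int $id, array $post): void
{
    $set = [];
    $params = [];
    foreach (EDITABLE_FIELDS as $column => $field) {
        $set[] = "`$column` = ?";
        $params[] = (string) ($post[$field] ?? '');
    }
    $params[] = $id;

    $stmt = $con->prepare('UPDATE oppskrift_table SET ' . implode(', ', $set) . ' WHERE id = ?');
    // seven string parameters followed by one integer: 'sssssssi'
    $stmt->bind_param(str_repeat('s', count(EDITABLE_FIELDS)) . 'i', ...$params);
    $stmt->execute();
    $stmt->close();
}

/** Load one recipe for the edit form, again with a bound id instead of concatenation. */
function loadRecipe(mysqli $con, int $id): ?array
{
    $stmt = $con->prepare(
        'SELECT id, category, bilde, title, duration, servings, ingredients, directions
         FROM oppskrift_table WHERE id = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Validate the id before it touches SQL or a URL: only a positive integer passes.
$idOptions = ['options' => ['min_range' => 1]];

if (filter_input(INPUT_POST, 'btn_submit') !== null) {
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, $idOptions);
    if (!$id) {
        http_response_code(400);
        exit('Invalid recipe id.');
    }
    updateRecipe($con, $id, $_POST);
    // Post/Redirect/Get: the browser issues a fresh GET for 01T.php, so it shows the
    // committed row, and reloading does not re-submit the form. exit stops the rest
    // of edit.php from running after the Location header is sent.
    header('Location: ' . recipeUrl($id), true, 303);
    exit;
}

$recipe = null;
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $idOptions);
if ($id) {
    $recipe = loadRecipe($con, $id);
}
// The form that follows would post to BASE_URL . '/edit.php' (passed through
// htmlspecialchars() only because it sits in an HTML attribute) and carry
// $recipe['id'] in a hidden field, which is the $_POST['id'] validated above.
```

Two things worth noting about the design. The redirect uses status 303 so that a browser always follows it with a GET even though the original request was a POST, which is exactly the "see the refreshed page" behaviour the opening post asked for; a bare header('Location: ...') after a POST works in practice but 303 is the status defined for it. And htmlspecialchars() appears nowhere near the database: it is an HTML-context escape, so in the form-action snippet from W3 school it only protects the attribute, while the values the browser posts reach the query untouched. Only binding them as parameters keeps them out of the SQL text.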