Back button problem: PHP-to-MySQL form

Posted: Fri Oct 18, 2002 1:29 am
by the_wolf
Hi to everyone,

I am developing a MySQL / PHP based website with a superuser level to define workflows, objects etc. and different GUIs for 'normal' users to add, alter or delete content to/from the DBs. It's all working fine except for the back button problem.

To alter a data record, the user has to select the record from a list and to hit a link like

<?php
change.php3?department=$department&aid=$id
?>
Afterwards, he gets a form with all the DB stuff related to this record:

<?php

$LANG = 'en';
$department = $_GET["department"];

$aid = $_GET["aid"];

$hostname = "localhost";
$username = "xxx";
$password = "xxx";
$dbName = "DBsomewhat";

$userstable = "tablesomewhere";

MYSQL_CONNECT($hostname,$username,$password) OR DIE("Database connection failed.");

@mysql_select_db("$dbName") or die("Database not found.");

$query = "SELECT id, l01, ..., l44 FROM $userstable WHERE id = '$aid'";

$erg = MYSQL_QUERY($query);

$numrows = MYSQL_NUM_ROWS($erg);

if ($numrows > '0') {
	
	$i = 0;
	
	$id = mysql_result($erg,$i,"id");
	$l01 = mysql_result($erg,$i,"l01");
	$l02 = mysql_result($erg,$i,"l02");
	
   #a lot more

	$l43 = mysql_result($erg,$i,"l43");
	$l44 = mysql_result($erg,$i,"l44");}
	
	else {}
			
?>

<FORM ACTION>...</FORM>
When finished working, the form is sent to a PHP script which does

<?php
$LANG = 'en';
$department = $_POST["department"];

$aid = $_POST["aid"];

$l01 = $_POST["l39"];
$l02 = $_POST["l40"];

# a lot more

$l43 = $_POST["l33"];
$l44 = $_POST["l43"];

$hostname = "localhost";
$username = "xxx";
$password = "xxx";
$dbName = "DBsomewhat";

$userstable = "tablesomewhere";

MYSQL_CONNECT($hostname,$username,$password) OR DIE("Database connection failed.");

@mysql_select_db("$dbName") or die("Database not found.");

$dquery = "DELETE FROM $userstable WHERE id='$aid'";

$derg = MYSQL_QUERY($dquery);

$query = "INSERT INTO $userstable (l01, l02, ..., l43, l44) ";

$query=$query."VALUES('$l01', '$l02' ..., '$l43', '$l44')";

$erg = MYSQL_QUERY($query);

?>

and displays the changes he made. BUT: if he then hits the back button, $aid is lost and a DoS attack on Apache logs starts :wink: ... has anyone an idea how I can effectively bar the user from hitting the back button?

Thanx in advance, the_wolf

Posted: Fri Oct 18, 2002 6:02 am
by twigletmac
One way is to use header() to send the user to a new page to display the information.

Mac

Posted: Fri Oct 18, 2002 10:58 am
by rlogin
You can set a flag to disallow browser back button bringing in old data.
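
The two suggestions above (redirect with header() after the POST, and a flag that rejects stale submissions) combined in one handler, as an added example that is not code from any poster in this thread. The file names save.php, list.php and show.php, the session key edit_token, the hidden field token and the form field names l01/l02 are assumptions; it also swaps the thread's DELETE + INSERT for a single UPDATE with bound parameters and uses mysqli rather than the old mysql_* functions.

```php
<?php
// Added example: save.php (hypothetical name), the POST target of the edit form.
// Assumes the form page did, before printing the form:
//   $_SESSION['edit_token'] = bin2hex(random_bytes(16));
// and emitted that value in a hidden field named "token".
session_start();

// The flag: a token is valid exactly once, so a replayed POST (Back, Reload,
// double click) is rejected before any SQL runs.
$token    = $_POST['token'] ?? '';
$expected = $_SESSION['edit_token'] ?? '';
unset($_SESSION['edit_token']);
if (!is_string($token) || $expected === '' || !hash_equals($expected, $token)) {
    header('Location: list.php?msg=stale', true, 303);   // hypothetical list page
    exit;
}

// Never run the write with a missing or non-numeric record id.
$aid = filter_input(INPUT_POST, 'aid', FILTER_VALIDATE_INT);
if ($aid === false || $aid === null || $aid < 1) {
    http_response_code(400);
    exit('Missing or invalid record id.');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw on DB errors
$db = new mysqli('localhost', 'xxx', 'xxx', 'DBsomewhat');

// Bound parameters keep form input out of the SQL text.
// Only two of the l01..l44 columns are shown here.
$l01 = (string) filter_input(INPUT_POST, 'l01');
$l02 = (string) filter_input(INPUT_POST, 'l02');
$stmt = $db->prepare('UPDATE tablesomewhere SET l01 = ?, l02 = ? WHERE id = ?');
$stmt->bind_param('ssi', $l01, $l02, $aid);
$stmt->execute();

// Post/Redirect/Get: the result page is fetched with GET, so Back or Reload
// re-displays the record and never re-sends the POST.
header('Location: show.php?aid=' . $aid, true, 303);        // hypothetical view page
exit;
```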