php automatic refresh after form submit

DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

Hello,
I have a form on my page. In the form there are different values, selected from the MySQL database. I am able to update the form by typing anything in the form and clicking the submit button. The value is automatically updated in the MySQL database, but to show the value in the form I need to refresh my browser in order to see the new value in the form. How is it possible that I don't need to refresh and the updated value gets shown right away?

If necessary, here is the code:

Code:

<?php

mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());



$username = $_COOKIE['ID_my_site'];

$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{

			echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
			echo "First Name:&nbsp;<input type='text' value='$output[first_name]' name='first_name_output'>";
			
			echo "<p>";



	}



?>

<input type="submit" name="submit" value="submit">
</form>



<?php



	if (isset($_POST[submit]))
	{

	
	mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");  
	mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
	
	}

?>
Sorry for the unstructured and unprofessional code. I hope that someone can tell me how to do this refresh?
Thanks a lot!
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Place the code wrapped by if (isset($_POST[submit])) at the front of the script (after the DB connection code).
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

If I do that the script doesn't even work. No values are being updated in the db. However, if I move it above
echo "<form method='POST' action ='profile_edit.php'>";
the script works, but same result, I would have to refresh my page in order to be able to see the updated results.


Should what you told me really work? However, I'm hoping for some more suggestions. Thanks
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Can we see the modified code?

Also, there are a number of SQL and XSS injection vulnerabilities in your applications. You would do well to turn off magic quotes and use mysql_real_escape_string().
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

this

Code:

<?php



mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

if (isset($_POST[submit]))
	{

	
	mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");  
	mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
	




	}


$username = $_COOKIE['ID_my_site'];

$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");





mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

if (isset($_POST[submit]))
	{

	
	mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");  
	mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
	




	}




echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{

			echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
			echo "First Name:&nbsp;<input type='text' value='$output[first_name]' name='first_name_output'>";
			



			echo "<p>";



	}



?>

<input type="submit" name="submit" value="submit">
</form>











<p>
<a href="members.php">Back</a>

Code:

<?php



mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

if (isset($_POST[submit]))
	{

	
	mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");  
	mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
	




	}


$username = $_COOKIE['ID_my_site'];

$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");









echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{

			echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
			echo "First Name:&nbsp;<input type='text' value='$output[first_name]' name='first_name_output'>";
			



			echo "<p>";



	}



?>

<input type="submit" name="submit" value="submit">
</form>











<p>
<a href="members.php">Back</a>
Didn't work. The last example didn't even update the values in the db.
Can we talk about the vulnerabilities later? I'd like to get that working first, thanks so much
Last edited by DonPatricio91 on Wed Dec 12, 2007 9:30 pm, edited 1 time in total.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

$username has not been defined; my fault, I told you to move the block too far up. Move $username = $_COOKIE['ID_my_site']; before the mysql_query updates.
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

thanks, it works like that

Code:

<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

$username = $_COOKIE['ID_my_site'];

if (isset($_POST[submit]))
	{

	mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");  
	mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
	}


$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");





echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{

			echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
			echo "First Name:&nbsp;<input type='text' value='$output[first_name]' name='first_name_output'>";
			
			echo "<p>";

	}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
So, what about the vulnerabilities?
I looked that up:
http://docs.php.net/manual/en/function. ... string.php

However, I'm not sure how to modify my code.
How can I eliminate the vulnerabilities etc.?
Last edited by DonPatricio91 on Wed Dec 12, 2007 9:44 pm, edited 2 times in total.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Hmm, I think we should do this step by step.

Step 1: When you use double quotes, you have the ability to interpolate variables, i.e. "a $var" becomes "a cow" if $var == 'cow'. Interpolation, usually, is the wrong way to go about things for SQL, because strings need to be escaped to prevent people from inserting things like "'; DROP TABLE foo". Here is the first thing I'll ask you to do:

Remove any interpolated variables from the strings, and replace them with simpler variable names, which you assign and escape before the string. Example:

Code:

mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
becomes

Code:

$sql_username_output = mysql_real_escape_string($_POST['username_output']);
$sql_username = mysql_real_escape_string($username);
mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");
Please use the $sql_ prefix.
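
Step 1 escapes each value before it is interpolated; bound parameters go one step further and keep the value out of the SQL text altogether. The following is an added example, not code from the thread: it swaps the mysql_* functions (removed in PHP 7.0) for PDO prepared statements, runs against an in-memory SQLite table with constructed rows (requires pdo_sqlite), and update_first_name() is a hypothetical helper.

```php
<?php
// Added example: constructed rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, first_name TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'Alice'), ('bob', 'Bob')");

// Hypothetical helper: update one user's first name using bound parameters.
// Returns the number of rows the UPDATE changed.
function update_first_name(PDO $db, string $username, string $firstName): int
{
    $stmt = $db->prepare(
        'UPDATE users SET first_name = :first WHERE username = :user'
    );
    $stmt->execute([':first' => $firstName, ':user' => $username]);
    return $stmt->rowCount();
}

// The string quoted in step 1, as it would arrive in $_POST['first_name_output'].
$input = "'; DROP TABLE foo";

// What the interpolated query from the thread would contain. It is only
// printed here, never executed: the quote in the input ends the string
// literal early and the remainder is parsed as SQL.
$interpolated = "UPDATE users SET first_name='$input' WHERE username='alice';";
echo "interpolated: $interpolated\n";

// With placeholders the same characters are stored as plain data.
$changed = update_first_name($db, 'alice', $input);
echo "rows changed: $changed\n";

$rows = $db->query('SELECT username, first_name FROM users ORDER BY username')
           ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo $row['username'], ' => ', $row['first_name'], "\n";
}
```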
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

OK, I am working on that, give me a second, thanks
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Sure. Please post your updated code here, and make sure it still works!
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

OK, my updated code is as follows:

Code:

<?php

mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

$username = $_COOKIE['ID_my_site'];

if (isset($_POST[submit]))
	{

	
			$sql_username_output = mysql_real_escape_string($_POST['username_output']);
			$sql_username = mysql_real_escape_string($username);
			mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR"); 


			$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);			
			mysql_query("UPDATE users SET username='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR"); 
	
	
	}


$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");


echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{

			echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
			echo "First Name:&nbsp;<input type='text' value='$output[first_name]' name='first_name_output'>";
		

			echo "<p>";

	}



?>

<input type="submit" name="submit" value="submit">
</form>



<p>
<a href="members.php">Back</a>
Unfortunately it doesn't work. What is happening is that if I update the first name, it doesn't change in the db. However, when I update the first name in the form, the value of the username gets updated. So something is kind of messed up. Again, when I update first name, username is getting updated.

Edit: All I altered were the 2 queries
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

Sorry, it works:

Code:

<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());


$username = $_COOKIE['ID_my_site'];

if (isset($_POST[submit]))
	{

	
			$sql_username_output = mysql_real_escape_string($_POST['username_output']);
			$sql_username = mysql_real_escape_string($username);
			mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR"); 



			$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);			
			mysql_query("UPDATE users SET first_name='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR"); 
	
	
	}




$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");



echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{

			echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
			echo "First Name:&nbsp;<input type='text' value='$output[first_name]' name='first_name_output'>";
			

			echo "<p>";


	}



?>

<input type="submit" name="submit" value="submit">
</form>



<p>
<a href="members.php">Back</a>
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Ok. Now for XSS injection protection:

Step #2: Whenever you echo anything the user gave you through $_POST, $_COOKIE, etc, run it through htmlspecialchars(). If you are placing them in an attribute delimited with single quotes ', use htmlspecialchars($string, ENT_QUOTES);. You may need to break things out of the interpolation, like you did before. Prefix variable names with $html_
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

Oh wow, I'm sorry, I really don't understand what I am supposed to do. I actually just learned PHP, I know all the basics and suddenly somebody tells me that my script is unsafe. That is kind of scary. It would be great if you could give me an example regarding my code, because I really have no clue. It was easy to work on the first part, because you gave me an example, though.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

PHP's very powerful, so it's easy to shoot yourself in the foot. Don't worry; after a while these things will become second nature.

Code:

echo "Username:&nbsp;<input type='text' value='$output[username]' name='username_output'><p>";
Becomes:

Code:

$html_username = htmlspecialchars($output['username'], ENT_QUOTES);
echo "Username:&nbsp;<input type='text' value='$html_username' name='username_output'><p>";
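
Why step 2 asks for ENT_QUOTES when the attribute is delimited with single quotes, shown as an added example that is not part of the original posts: the same stored value is rendered with ENT_COMPAT (the default before PHP 8.1, which escapes only double quotes) and with ENT_QUOTES, and PHP's DOM parser lists the attributes a browser would see. The helpers render_input() and input_attributes() and the stored value are constructed for illustration; the DOM extension is assumed to be available.

```php
<?php
// Added example: the form field from the thread, with and without ENT_QUOTES.

// Hypothetical helper: build one input field using single-quoted attributes,
// matching the markup the thread's script echoes.
function render_input(string $label, string $name, string $value, int $flags): string
{
    $html_value = htmlspecialchars($value, $flags, 'UTF-8');
    return "$label:&nbsp;<input type='text' value='$html_value' name='$name'><p>";
}

// Hypothetical helper: list the attribute names an HTML parser finds on <input>.
function input_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate the fragment's unclosed <p>
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed value for $output['username']: its single quote would close
// value='...' and the rest would be read as a new attribute.
$stored = "x' data-injected='1";

// ENT_COMPAT leaves ' untouched, so the value can end the attribute.
$weak = render_input('Username', 'username_output', $stored, ENT_COMPAT);
// ENT_QUOTES turns ' into &#039;, so the whole value stays inside value='...'.
$safe = render_input('Username', 'username_output', $stored, ENT_QUOTES);

foreach (['ENT_COMPAT' => $weak, 'ENT_QUOTES' => $safe] as $mode => $html) {
    echo $mode, ': ', $html, "\n";
    echo '  attributes: ', implode(', ', input_attributes($html)), "\n";
}
```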