php automatic refresh after form submit
Posted: Wed Dec 12, 2007 7:03 pm
by DonPatricio91
Hello,
I have a form on my page. In the form there are different values, selected from the MySQL database. I am able to update the form by typing anything in the form and clicking on the submit button. The value is automatically updated in the MySQL database, but to show the value in the form I need to refresh my browser in order to see the new value in the form. How is it possible that I don't need to refresh and the updated value gets shown right away?
If necessary, here is the code:
Code:
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<?php
if (isset($_POST[submit]))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
?>
Sorry for the unstructured and unprofessional code. I hope that someone can tell me how to do this refresh?
Thanks a lot!
Posted: Wed Dec 12, 2007 8:45 pm
by Ambush Commander
Place the code wrapped by if (isset($_POST[submit])) at the front of the script (after the DB connection code).
Posted: Wed Dec 12, 2007 9:21 pm
by DonPatricio91
If I do that the script doesn't even work. No values are being updated in the db. However, if I move it above
echo "<form method='POST' action ='profile_edit.php'>";
the script works, but same result: I would have to refresh my page in order to be able to see the updated results.
Should what you told me really work? However, I'm hoping for some more suggestions. Thanks
Posted: Wed Dec 12, 2007 9:24 pm
by Ambush Commander
Can we see the modified code?
Also, there are a number of SQL and XSS injection vulnerabilities in your application. You would do well to turn off magic quotes and use
mysql_real_escape_string()
Posted: Wed Dec 12, 2007 9:26 pm
by DonPatricio91
This:
Code:
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
if (isset($_POST[submit]))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
$username = $_COOKIE['ID_my_site'];
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
if (isset($_POST[submit]))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Code:
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
if (isset($_POST[submit]))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
$username = $_COOKIE['ID_my_site'];
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Didn't work. The last example didn't even update the values in the db.
Can we talk about the vulnerabilities later? I'd like to get that working first. Thanks so much.
Posted: Wed Dec 12, 2007 9:28 pm
by Ambush Commander
$username has not been defined; my fault, I told you to move the block too far up. Move $username = $_COOKIE['ID_my_site']; before the mysql_query updates.
Posted: Wed Dec 12, 2007 9:33 pm
by DonPatricio91
Thanks, it works like that:
Code:
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];
if (isset($_POST[submit]))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
So, what about the vulnerabilities?
I looked that up:
http://docs.php.net/manual/en/function. ... string.php
However, I'm not sure how to modify my code.
How can I eliminate the vulnerabilities etc.?
Posted: Wed Dec 12, 2007 9:38 pm
by Ambush Commander
Hmm, I think we should do this step by step.
Step 1: When you use double quotes, you have the ability to interpolate variables, i.e. "a $var" becomes "a cow" if $var == 'cow'. Interpolation, usually, is the wrong way to go about things for SQL, because strings need to be escaped to prevent people from inserting things like "'; DROP TABLE foo". Here is the first thing I'll ask you to do:
Remove any interpolated variables from the strings, and replace them with simpler variable names, which you assign and escape before the string. Example:
Code:
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
becomes
Code:
$sql_username_output = mysql_real_escape_string($_POST['username_output']);
$sql_username = mysql_real_escape_string($username);
mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");
Please use the $sql_ prefix.
Posted: Wed Dec 12, 2007 9:50 pm
by DonPatricio91
OK, I am working on that, give me a second, thanks.
Posted: Wed Dec 12, 2007 9:51 pm
by Ambush Commander
Sure. Please post your updated code here, and make sure it still works!
Posted: Wed Dec 12, 2007 9:57 pm
by DonPatricio91
OK, my updated code is as follows:
Code:
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];
if (isset($_POST[submit]))
{
$sql_username_output = mysql_real_escape_string($_POST['username_output']);
$sql_username = mysql_real_escape_string($username);
mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");
$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);
mysql_query("UPDATE users SET username='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR");
}
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Unfortunately it doesn't work. What is happening is that if I update the first name, it doesn't change in the db. However, what I enter in the form's first name field updates the value of the username. So something is kind of messed up. Again: when I update first name, username is getting updated.
Edit: All I altered were the 2 queries
Posted: Wed Dec 12, 2007 9:59 pm
by DonPatricio91
Sorry, it works:
Code:
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];
if (isset($_POST[submit]))
{
$sql_username_output = mysql_real_escape_string($_POST['username_output']);
$sql_username = mysql_real_escape_string($username);
mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");
$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);
mysql_query("UPDATE users SET first_name='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR");
}
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Posted: Wed Dec 12, 2007 10:09 pm
by Ambush Commander
Ok. Now for XSS injection protection:
Step #2: Whenever you echo anything the user gave you through $_POST, $_COOKIE, etc., run it through htmlspecialchars(). If you are placing them in an attribute delimited with single quotes ', use htmlspecialchars($string, ENT_QUOTES);. You may need to break things out of the interpolation, like you did before. Prefix variable names with $html_
Posted: Wed Dec 12, 2007 10:22 pm
by DonPatricio91
Oh wow, I'm sorry, I really don't understand what I am supposed to do. I actually just learned PHP; I know all the basics and suddenly somebody tells me that my script is unsafe. That is kind of scary. It would be great if you could give me an example regarding my code, because I really have no clue. It was easy to work on the first part, because you gave me an example, though.
Posted: Wed Dec 12, 2007 10:26 pm
by Ambush Commander
PHP's very powerful, so it's easy to shoot yourself in the foot. Don't worry; after a while these things will become second nature.
Code:
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
Becomes:
Code:
$html_username = htmlspecialchars($output['username'], ENT_QUOTES);
echo "Username: <input type='text' value='$html_username' name='username_output'><p>";
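For reference, here is the whole profile_edit.php from this thread rewritten to follow both of Ambush Commander's steps (escape into $sql_ variables before the query, encode into $html_ variables before the echo). This is an added example, not code posted by either participant; it assumes the same "login" database, "users" table and ID_my_site cookie the thread uses, and the helper names sql_str and html_attr are my own.

```php
<?php
// Added example (not from the thread): profile_edit.php following both steps.
// Assumes the thread's "login" database, "users" table and ID_my_site cookie.
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());

// Step 1 helper: every value that goes into SQL is escaped into a $sql_ variable
// first, so a value such as "'; DROP TABLE foo" stays inside its quoted string.
function sql_str($value) {
    return mysql_real_escape_string($value);
}

// Step 2 helper: every value that goes into HTML is encoded into an $html_ variable.
// ENT_QUOTES matters because the value='...' attributes below are single-quoted;
// without it a single quote in the data would end the attribute early.
function html_attr($value) {
    return htmlspecialchars($value, ENT_QUOTES);
}

$username = isset($_COOKIE['ID_my_site']) ? $_COOKIE['ID_my_site'] : '';

// Run the UPDATE before the SELECT, so the row read for the form already holds
// the new values and no manual browser refresh is needed.
if (isset($_POST['submit'])) {
    $sql_username          = sql_str($username);
    $sql_username_output   = sql_str($_POST['username_output']);
    $sql_first_name_output = sql_str($_POST['first_name_output']);
    // One UPDATE for both columns: with two queries keyed on the old username,
    // the second one would no longer match the row once the username changed.
    mysql_query("UPDATE users SET username='$sql_username_output', first_name='$sql_first_name_output' WHERE username='$sql_username'") or die("ERROR");
    // The row may now be keyed by the new username; read it back under that key.
    $username = $_POST['username_output'];
}

$sql_username = sql_str($username);
$user_myself = mysql_query("SELECT username, first_name FROM users WHERE username='$sql_username'") or die("error");

echo "<form method='POST' action='profile_edit.php'>";
while ($output = mysql_fetch_assoc($user_myself)) {
    // These values come from the database, but they were typed by a user earlier,
    // so they are encoded exactly like direct $_POST data would be.
    $html_username   = html_attr($output['username']);
    $html_first_name = html_attr($output['first_name']);
    echo "Username: <input type='text' value='$html_username' name='username_output'><p>";
    echo "First Name: <input type='text' value='$html_first_name' name='first_name_output'><p>";
}
echo "<input type='submit' name='submit' value='submit'></form>";
?>
```

After a username change the ID_my_site cookie still carries the old value; the thread does not show where that cookie is set, so updating it is left out here.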