button onclick not redirecting

mikeglaz
Forum Newbie
Posts: 9
Joined: Sat Mar 26, 2011 5:36 pm

button onclick not redirecting

Post by mikeglaz »

Can someone tell me why my 'Close' button doesn't redirect?
http://www.mikeglaz.com/wujek/manage.ph ... 0Hut&id=34

I have the following code for the 'Close' button:

Code:

echo "<input type=\"button\" value=\"Close\" onclick=\"header(\"Location: manage.php?location=$location\")\">";
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: button onclick not redirecting

Post by McInfo »

You are mixing PHP and JavaScript.

PHP can use strings containing JavaScript, but the server doesn't understand or execute them. They are just strings. JavaScript that PHP writes will be interpreted and executed by the browser.

Likewise, JavaScript can use strings containing PHP code, but they are meaningless as instructions unless they are sent back to the server to be evaluated and executed there (very bad idea).

header() is a PHP function. In JavaScript, you redirect by giving the location property of the window object (window.location) a string containing the URI you want to go to.

Code:

<input type="button" onclick="window.location='manage.php?location=art';" value="Close" />

Always make sure variable strings that you echo will not conflict with the surrounding HTML. Use htmlentities() to make your strings HTML-friendly.

Code:

echo htmlentities($location);
mikeglaz
Forum Newbie
Posts: 9
Joined: Sat Mar 26, 2011 5:36 pm

Re: button onclick not redirecting

Post by mikeglaz »

ok thanx, that worked. But it doesn't seem to work on my onsubmit event handler of the form. I wanted it to redirect to the same place.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: button onclick not redirecting

Post by McInfo »

Isn't that what the form's action attribute is for?

May I suggest writing the application to work without JavaScript first, then add a JavaScript layer that takes over control of some of the HTML elements?

I noticed that your server appears to have Magic Quotes enabled. Modern wisdom encourages disabling Magic Quotes.

I noticed also that if I submit an HTML string through your form, it gets echoed back without being entity-encoded. That presents an opportunity for someone to run JavaScript on your page and steal your users' cookies. Of course, it's not quite that simple, but now you know that this is something that must be considered.
mikeglaz
Forum Newbie
Posts: 9
Joined: Sat Mar 26, 2011 5:36 pm

Re: button onclick not redirecting

Post by mikeglaz »

hey, thanks for all your help...I turned off magic quotes but I don't quite understand what you meant in the last paragraph.
Does it have something to do with htmlentities?

mike
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: button onclick not redirecting

Post by McInfo »

Yes. htmlentities() and htmlspecialchars() convert characters that have special meanings in HTML to the equivalent HTML entities. Once encoded, those characters will not conflict with the page's existing HTML. For example, a browser interprets a raw less-than sign "<" as the first character of an HTML tag. However, it interprets the encoded string "&lt;" as an entity and displays the decoded less-than sign on the page.

The alternative (not encoding) could allow a user to inject HTML into your page, even <script> tags. The browser doesn't treat the injected HTML any differently because it all comes from your server.

A malicious person could host a form on his server and direct submissions to the same script that processes submissions from your form. By convincing a user who is logged into your site to use his form, the person could run JavaScript on your page to collect the user's cookies and transmit them back to his server. The person might then have access to the user's account and all of the included privileges.
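The encoding advice in this thread, applied to the 'Close' button and to a field echoed back to the page, as an added example that is not part of the original posts. The function names (closeButtonUnsafe, closeButtonSafe, echoField) and the sample value are constructed for illustration; the point is that $location passes through three nested contexts (URL, JavaScript string, HTML attribute) and needs one encoding step for each.

```php
<?php
// Added example, not code from the thread. Function names and the sample
// value are constructed for illustration.

// Unsafe: the request value is copied into the markup as-is, so a quote or
// angle bracket in it ends the attribute and becomes part of the page.
function closeButtonUnsafe(string $location): string
{
    return '<input type="button" value="Close" onclick="window.location='
         . "'manage.php?location=$location'" . ';" />';
}

// Safe: encode once per nested context, innermost first.
function closeButtonSafe(string $location): string
{
    // 1. URL context: the value is a query-string parameter.
    $url = 'manage.php?location=' . rawurlencode($location);
    // 2. JavaScript context: json_encode() emits a quoted, escaped string
    //    literal (its input here is plain ASCII after rawurlencode()).
    $js = 'window.location=' . json_encode($url) . ';';
    // 3. HTML attribute context: encode quotes, <, > and &.
    $attr = htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
    return '<input type="button" value="Close" onclick="' . $attr . '" />';
}

// Plain HTML text context, e.g. echoing a submitted form field back.
function echoField(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input standing in for $_GET['location'].
$sample = 'art"><i>injected</i>';

echo closeButtonUnsafe($sample), "\n"; // markup from $sample lands in the page
echo closeButtonSafe($sample), "\n";   // $sample stays inside the URL string
echo echoField($sample), "\n";         // $sample is displayed as literal text
```

Run it with the PHP command-line interpreter and compare the three output lines: only the first contains an unencoded <i> element.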