button onclick not redirecting
Posted: Tue Apr 05, 2011 12:03 am
by mikeglaz
Can someone tell me why my 'Close' button doesn't redirect?
http://www.mikeglaz.com/wujek/manage.ph ... 0Hut&id=34
I have the following code for the 'Close' button:
Code:
echo "<input type=\"button\" value=\"Close\" onclick=\"header(\"Location: manage.php?location=$location\")\">";
Re: button onclick not redirecting
Posted: Wed Apr 06, 2011 4:18 pm
by McInfo
You are mixing PHP and JavaScript.
PHP can use strings containing JavaScript, but the server doesn't understand or execute them. They are just strings. JavaScript that PHP writes will be interpreted and executed by the browser.
Likewise, JavaScript can use strings containing PHP code, but they are meaningless as instructions unless they are sent back to the server to be evaluated and executed there (very bad idea).
header() is a PHP function. In JavaScript, you redirect by giving the location property of the window object (window.location) a string containing the URI you want to go to.
Code:
<input type="button" onclick="window.location='manage.php?location=art';" value="Close" />
Always make sure variable strings that you echo will not conflict with the surrounding HTML. Use htmlentities() to make your strings HTML-friendly.
Re: button onclick not redirecting
Posted: Wed Apr 06, 2011 11:42 pm
by mikeglaz
OK, thanks, that worked. But it doesn't seem to work on the onsubmit event handler of my form. I wanted it to redirect to the same place.
Re: button onclick not redirecting
Posted: Thu Apr 07, 2011 6:28 pm
by McInfo
Isn't that what the form's action attribute is for?
May I suggest writing the application to work without JavaScript first, then add a JavaScript layer that takes over control of some of the HTML elements?
I noticed that your server appears to have Magic Quotes enabled. Modern wisdom encourages disabling Magic Quotes.
I noticed also that if I submit an HTML string through your form, it gets echoed back without being entity-encoded. That presents an opportunity for someone to run JavaScript on your page and steal your users' cookies. Of course, it's not quite that simple, but now you know that this is something that must be considered.
Re: button onclick not redirecting
Posted: Fri Apr 08, 2011 5:55 pm
by mikeglaz
hey, thanks for all your help...I turned off magic quotes but I don't quite understand what you meant in the last paragraph.
Does it have something to do with htmlentities?
mike
Re: button onclick not redirecting
Posted: Fri Apr 08, 2011 7:08 pm
by McInfo
Yes. htmlentities() and htmlspecialchars() convert characters that have special meanings in HTML to the equivalent HTML entities. Once encoded, those characters will not conflict with the page's existing HTML. For example, a browser interprets a raw less-than sign "<" as the first character of an HTML tag. However, it interprets the encoded string "&lt;" as an entity and displays the decoded less-than sign on the page.
The alternative (not encoding) could allow a user to inject HTML into your page, even <script> tags. The browser doesn't treat the injected HTML any differently because it all comes from your server.
A malicious person could host a form on his server and direct submissions to the same script that processes submissions from your form. By convincing a user who is logged into your site to use his form, the person could run JavaScript on your page to collect the user's cookies and transmit them back to his server. The person might then have access to the user's account and all of the included privileges.
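The encoding discussed in this thread, shown as an added example that is not code from any of the posts: an unencoded echo beside an encoded one, and the 'Close' button built so the value is encoded for each context it passes through. The helper names `html()` and `close_button()` and the sample `$location` value are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. $location stands in for
// $_GET['location']; the sample value below is constructed.

// Encode a value for display as text or inside a quoted HTML attribute.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the Close button. The value passes through three contexts:
// URL query component -> JavaScript string literal -> HTML attribute.
function close_button(string $location): string
{
    $url = 'manage.php?location=' . rawurlencode($location);
    // json_encode yields a quoted JS string; the HEX flags keep <, >, &, '
    // and " out of the literal so it cannot end the string early.
    $js = 'window.location=' . json_encode(
        $url,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    ) . ';';
    // The finished script is then encoded for the attribute it sits in.
    return '<input type="button" value="Close" onclick="' . html($js) . '" />';
}

$location = 'art"><i>injected markup</i>'; // constructed untrusted input

// Unencoded echo: the browser parses the submitted value as markup.
$unsafe = '<p>Location: ' . $location . '</p>';

// Encoded echo: the same value is displayed as literal text.
$safe = '<p>Location: ' . html($location) . '</p>';

echo $unsafe, "\n", $safe, "\n", close_button($location), "\n";
```

Comparing the first two output lines shows the difference: the unencoded line contains a live `<i>` element, while the encoded line contains `&lt;i&gt;` and renders as text.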