Sending data from one page to another after validation

Posted: Wed Nov 21, 2012 10:29 am
by dharmeshb
Hello,
I have a login page that has the form as well as the validation on the same page. I use "POST" as my method to post to self as below

login.php

<?php
       if ($_SERVER['REQUEST_METHOD'] == 'POST') {
              $valid = false; // placeholder: set to true when the form data is valid
              if ($valid) {
                     header('Location: userrecords.php');
                     exit; // stop the script once the redirect header is sent
              } else {
                     // display error messages on the login form
              }
       }
?>

<form method="POST" action="login.php"></form>

But when the login is valid and the header redirects to userrecords.php, the page uses $_SERVER['REQUEST_METHOD'] == 'GET'.

Will this cause security concerns?

How can I use "POST" method to be sent to userrecords.php page as well?

Please help.

Thanks.

Re: Sending data from one page to another after validation

Posted: Wed Nov 21, 2012 11:49 am
by requinix
You don't. Not unless you make a form that posts (with or without user intervention) to that second page, but that's almost never the right solution.

This is a login page, yes? To log someone in, store validated user information in the session - username and/or user ID may be enough. Then check for that information in subsequent pages. If it's there, then the user is logged in (and you can know who they are); otherwise they're not, and you probably want to send them to the login page.
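
The session approach described in the reply above, as an added example that is not part of the original thread. The account store, the function names `findUser`, `attemptLogin` and `requireLogin`, and the sample credentials are constructed for illustration; a plain array stands in for `$_SESSION` so the script also runs from the command line.

```php
<?php
declare(strict_types=1);

// Constructed account store; a real site would look the user up in its database.
function findUser(string $username): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

// login.php, POST branch: on success, store the validated identity in the session.
function attemptLogin(array &$session, string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false; // caller redisplays the login form with an error
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID once the user is authenticated
    }
    $session['user_id'] = $user['id'];
    $session['username'] = $username;
    return true; // caller sends header('Location: userrecords.php') and exits
}

// userrecords.php and every other protected page: the redirect arrives as a GET
// with no form data, so the page relies only on what the server stored earlier.
function requireLogin(array $session): ?string
{
    if (!isset($session['user_id'])) {
        return 'Location: login.php'; // not logged in: send to the login page
    }
    return null; // logged in; $session['user_id'] says who the user is
}

// Demonstration: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
var_dump(requireLogin($session));                      // before login
var_dump(attemptLogin($session, 'alice', 'wrong'));    // bad password
var_dump(attemptLogin($session, 'alice', 'correct horse'));
var_dump(requireLogin($session), $session['user_id']); // after login
```

In a real page, call `session_start()` first and pass `$_SESSION` in place of the array.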

Re: Sending data from one page to another after validation

Posted: Sat Nov 24, 2012 11:28 am
by dharmeshb
Thanks requinix. That helped.

Re: New QUESTION regarding FORM VALIDATION and SUBMISSION

Posted: Thu Nov 29, 2012 7:04 pm
by dharmeshb
I have another question regarding Form validation and submission.

I am not able to figure out if there is a better way to do this.
I have the following pages to perform an Edit - usersView.php and usersEdit.php.

usersView.php - This page lists all the current registered users. It has edit/delete buttons next to each row. E.g.

No. | Name  | Email       |      |
1   | User1 | abc@abc.com | Edit | Delete

Each row has a hidden input field that holds the id for each record.

When I click Edit I am taken to usersEdit.php
This form populates the fields based on the id passed from usersView.php

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
               $id = $_POST['id'];
               $firstname = ''; // placeholder: value pulled from database based on id
               $firstnameedited = $_POST['firstnameEditBox'];

               // When I submit the form below I want to validate the field
               if ($firstnameedited != '') {
                              // $firstnameedited is valid
                              updateFirstName($firstnameedited);
                              header('Location: usersView.php');
                              exit();
               } else {
                              // Show errors on the form
               }
}
?>
<form method="POST" action="usersEdit.php">
 <input type="text" name="firstnameEditBox" value="<?php echo htmlspecialchars($firstname, ENT_QUOTES); ?>"/>
<button type="Submit" name="userEditBttn">Submit</button>
</form>

My problem is the POST method from usersView.php and POST method from usersEdit.php.
When I go to usersEdit.php I get an error saying undefined index firstnameEditBox. I know why the error occurs but I don't know how to solve it without creating another page called usersUpdate.php and changing the form action on usersEdit.php to usersUpdate.php.

Is there a way without using isset($_POST['userEditBttn'])?

I read in many places that even though isset($_POST) is widely used, it is not best practice because users may use the enter key to submit.

Please advise.

Thanks.

Re: Sending data from one page to another after validation

Posted: Thu Nov 29, 2012 8:38 pm
by requinix
Is there a way to do it other than the most popular and easiest way to do it? Probably, but it's unpopular and a harder way to do it, and I'm blanking on what it even is.

I personally wouldn't have used a POST just to get to the page where you edit a user. Technically speaking that should be a normal GET. And if the delete page has a confirmation first then the same applies there: a GET to arrive at the page, then a POST to perform the delete.

Re: Sending data from one page to another after validation

Posted: Thu Nov 29, 2012 8:50 pm
by dharmeshb
I am guessing that the most popular and easiest way that you are referring to is isset($_POST), correct? Using GET would be unsafe since it will show the id in the URL, correct? Or is it safe to send id via GET?

Re: Sending data from one page to another after validation

Posted: Thu Nov 29, 2012 9:48 pm
by requinix
isset($_POST["name of the submit button"])

Tells you whether that button was the one that submitted the form. Or similarly, insert a hidden field in the form that merely indicates the form was submitted (but if you do that you might as well just use the button).

As for "safety", if you put the ID number anywhere - the form or the URL - it's immediately unsafe. A form is no safer than the URL. But that's okay as long as you verify that the user requesting the page is authorized for it. When you do that it doesn't matter where the ID comes from.
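
The authorization check described in the reply above, combined with the earlier suggestion of a GET to arrive at the edit page and a POST to perform the change, as an added example that is not part of the original thread. The function names `canEditUser` and `handleUsersEdit`, the role rule and the sample requests are constructed for illustration; the arrays stand in for `$_GET`, `$_POST` and the session.

```php
<?php
declare(strict_types=1);

// Hypothetical rule for this example: admins may edit anyone, users only themselves.
function canEditUser(array $actor, int $targetId): bool
{
    return $actor['role'] === 'admin' || $actor['id'] === $targetId;
}

// usersEdit.php as one function. $method, $get and $post stand in for
// $_SERVER['REQUEST_METHOD'], $_GET and $_POST; $actor is the logged-in user
// taken from the session (null when nobody is logged in).
function handleUsersEdit(string $method, array $get, array $post, ?array $actor): array
{
    if ($actor === null) {
        return [302, 'Location: login.php'];
    }
    // The id is client-controlled whether it came from the URL or a hidden field.
    $rawId = $method === 'POST' ? ($post['id'] ?? null) : ($get['id'] ?? null);
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'invalid id'];
    }
    if (!canEditUser($actor, $id)) {
        return [403, 'not authorized for this record'];
    }
    if ($method !== 'POST') {
        return [200, "show edit form for user $id"]; // GET: nothing to validate yet
    }
    $name = $post['firstnameEditBox'] ?? '';
    if (!is_string($name) || trim($name) === '') {
        return [200, 'redisplay form: first name is required'];
    }
    // updateFirstName() would run here, then redirect back to the list.
    return [303, 'Location: usersView.php'];
}

// Constructed requests: user 7 opens their own row, requests another id, then submits.
$alice = ['id' => 7, 'role' => 'user'];
$requests = [
    ['GET', ['id' => '7'], []],
    ['GET', ['id' => '8'], []],
    ['POST', [], ['id' => '8', 'firstnameEditBox' => 'Mallory']],
    ['POST', [], ['id' => '7', 'firstnameEditBox' => 'Alice']],
];
foreach ($requests as [$method, $get, $post]) {
    echo implode(' ', handleUsersEdit($method, $get, $post, $alice)), "\n";
}
```

The same check runs on both the GET and the POST, so a changed id is refused no matter which channel carried it.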

Re: Sending data from one page to another after validation

Posted: Thu Nov 29, 2012 9:56 pm
by dharmeshb
You mean the form is unsafe even though the id is in a hidden field? Also, will the isset work if the user doesn't click the button but presses the ENTER key?

Re: Sending data from one page to another after validation

Posted: Thu Nov 29, 2012 10:10 pm
by requinix
Totally (most browsers today actually let you modify page HTML on-the-fly) and yes (it's the fact that the button was used to submit the form, not that the button was clicked).

Re: Sending data from one page to another after validation

Posted: Thu Nov 29, 2012 10:19 pm
by dharmeshb
Thanks a bunch. That helps.