I'm confused about PHP Post / Redirect / Get

In an article on preventing the republishing of a PHP form, I read the following:

(Not quoting) You may have a page that presents a form, for example one called form.php:

 <form action="submit.php" method="post">
     <input type="text" name="user" required />
     <input type="password" name="pass" required />
     <input type="submit" value="Log in" />
 </form>

The page that processes the POST data would therefore be called "submit.php". If the login was correct, this code would run:

 header('Location: /login/form.php?success=true'); 

However, could the user simply go to the above URL? Also, what is the purpose of the GET variable? Could I just have a script in form.php that checks if the user is logged in?

In submit.php, save the logged-in username as $_SESSION['username'] and then check with isset() in form.php? Also, since a URL with "success" in it is not very nice, is it expensive to redirect the user again? Should I use PHP header() or JavaScript window.location.href? As you can see, I'm a little confused.

Thanks for any help.

+7
4 answers

However, could the user simply go to the URL above?

Yes, he can. It will not cause anything bad though.

Also, what is the purpose of the GET variable?

To have some flag that reflects the fact that the form was successfully processed, and you need to congratulate the user.

Can I just have a script in form.php that checks if the user is logged in?

Uhm, you can organize your code however you like. There are no strict requirements.

In submit.php, save the logged-in username as $_SESSION['username'], and then check with isset() in form.php?

If you need to save it in the current session - yes, do it.

Also, since a URL with "success" in it is not very nice, is it expensive to redirect the user again?

Redirect away. Redirecting is a pretty cheap thing.

Should I use PHP header () or Javascript window.location.href?

You should definitely do this in PHP; otherwise you will run into the very problems you are trying to avoid with PRG.

+5

PRG, or Post / Redirect / Get, is just a pattern that you can use to prevent re-posting. How you use it in detail (and the article only makes a general suggestion) depends on your needs.

Whether you want to keep the success flash message in a cookie, in the session, or in a GET variable is entirely up to you. A second redirect will not help you; you will find that out if you play with it.

The only important part is that after you receive the POST request, you redirect. The user can then move back and forth in the history without being asked to resend the POST data.

The pattern works and is great. Just two days ago I used it again, and the web app's step-by-step installer became much nicer to navigate in the browser.

About your redirect

This code is incorrect:

 header('Location:/login/form.php?success=true'); 

First of all, you need to have a space after the colon:

 header('Location: /login/form.php?success=true'); 

Then the address must be an absolute URI, it must contain the full URL:

 header('Location: http://example.com/login/form.php?success=true'); 

Along with header() you should provide a message body as the RFC requires, something many so-called "web developers" do not even know about:

 $url = 'http://example.com/login/form.php?success=true';
 header(sprintf('Location: %s', $url));
 printf('<a href="%s">Moved</a>.', $url);
 exit;

Do not forget to exit. Rather than reinventing the wheel, install the PHP HTTP extension and simply run the following line:

 http_redirect('/login/form.php?success=true'); 

You will find it a great helper.

Recall: it is important that you redirect after posting. Everything else, like passing a variable, is entirely up to you how you would like to do this.

+2
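As an added example (my own code, not part of this answer or any of the original answers), here is a small PHP redirect helper that applies the points made above: an absolute Location URL, a short body for clients that do not follow redirects, and exit afterwards. It goes a bit beyond the answer in two ways: it sends a 303 See Other, which explicitly tells the browser to fetch the target with GET (the PRG intent; 302 also works in practice), and it refuses targets with a scheme or host of their own so that a caller-supplied path cannot turn the helper into an open redirector. The function names are my own, and it assumes the web server only passes through Host headers belonging to this site.

```php
<?php
// Added example, not from the original answers. Helper for the redirect
// half of Post/Redirect/Get. Assumptions (hypothetical): the app lives under
// $_SERVER['HTTP_HOST'] and only ever redirects to its own pages.

function absolute_url(string $path): string
{
    // Build an absolute URL for a site-local path. Paths that already carry
    // a scheme ("http:", "javascript:") or are protocol-relative ("//evil",
    // "/\evil") are rejected: accepting them would make this an open redirect.
    if (preg_match('#^[a-z][a-z0-9+.-]*:|^[/\\\\]{2}#i', $path)) {
        throw new InvalidArgumentException('Only site-local paths may be redirected to');
    }
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    // HTTP_HOST is client-supplied; the assumption is that the web server
    // already rejects requests for hosts it does not serve.
    $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;
    }
    return $scheme . '://' . $host . $path;
}

function redirect_after_post(string $path): void
{
    $url = absolute_url($path);
    // 303 See Other: the browser must re-request the target with GET, which
    // is exactly what PRG wants. PHP's header() refuses values containing
    // CR/LF, so a caller cannot inject additional headers through $url.
    header('Location: ' . $url, true, 303);
    // Minimal body for user agents that do not follow redirects (RFC 7231 6.4.4).
    printf('<a href="%s">Moved</a>.', htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
    // Nothing after the redirect must run, e.g. a second write to the database.
    exit;
}

// Usage in submit.php after a successful POST:
// redirect_after_post('/login/form.php');
```

A path such as `//attacker.example/` would otherwise be turned into `http://attacker.example/` by the browser, which is why the scheme and double-slash checks come before the URL is assembled.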

Yes, you should never rely on the GET variable (or even the hidden POST variable) to say: "Sure let me in, I'm a real user!".

Personally, I would strip the GET information from the link and rely solely on session variables. Do not forget to put "session_start();" as the first line of code if you use PHP to activate the session.

For submit.php:

 <?php
 session_start();
 if (isset($_POST['user'], $_POST['pass'])) { // make sure both fields were submitted
     if (your_method($_POST['user'], $_POST['pass'])) { // your own check that user and pass are valid
         session_regenerate_id(true); // fresh session id after login, so a pre-set (fixated) id is useless
         $_SESSION['user'] = $_POST['user'];
         $_SESSION['loggedin'] = time();
     }
 }
 header('Location: form.php'); // either way, pass or fail, return to form.php
 exit();
 ?>

Then in form.php:

 <?php
 session_start();
 $activeuser = false;
 // Check that a user is stored and the last access was within 10 minutes.
 // The timeout must compare against time() - 600; time() + 600 would always be true.
 if (isset($_SESSION['user'], $_SESSION['loggedin']) && $_SESSION['loggedin'] > (time() - 600)) {
     $_SESSION['loggedin'] = time(); // if so, keep the timestamp fresh
     $activeuser = true;
 }
 if ($activeuser) {
     // whatever should be shown to someone who is logged in
 } else {
     // show the login form
 }
 ?>

Also, you probably already know this, but the default submission method is GET, so it is not necessary to specify method="post" in the form tag.

It is usually best to use header() to redirect where necessary, as JavaScript is client-side and can be bypassed, which could defeat your intentions for how your site should function.

+1

The main idea of POST / REDIRECT / GET, as in the article you are referring to, is to avoid users re-sending the data (most of the time). As a rule, you don't want the same POST (with exactly the same data) to happen twice; indeed, in some situations it may end up performing some action (for example, charging a credit card) a second time, which would be bad.

Most of the questions you ask about in your question are implementation details (for example, sending a request parameter for success in a redirect).

In practice, what usually happens is that you redirect on success. If, for example, user input has not passed validation, you do not redirect, but instead re-display the form along with the corresponding error messages.

Here is a basic example, all in one script. I tried to include only what is important, with as little extraneous material as possible.

login.php

 <?php
 /**
  * Ensure the user supplied both username and password.
  * @return mixed true, or an array of error messages
  */
 function validate_login_values($vars) {
     $errors = array();
     if (empty($vars['username'])) $errors[] = 'You must supply a username, genius.';
     if (empty($vars['password'])) $errors[] = 'You must supply a password, dummy.';
     if (empty($errors)) return true;
     return $errors; // $errors must be an array
 }

 $errors = array();
 if (!empty($_POST)) {
     $validationResults = validate_login_values($_POST);
     if ($validationResults === true) {
         // authenticate() is assumed to exist and to properly escape (or bind)
         // its arguments before sending them to the database.
         if (authenticate($_POST['username'], $_POST['password'])) {
             // GREAT SUCCESS! The user is now logged in. Redirect to the home page.
             header("Location: /");
             die();
         }
         $errors[] = 'Invalid username/password. Try again, slim.';
     } else {
         $errors = $validationResults; // validate_login_values produced errors
     }
 }
 ?>
 <h1>Log In, Friend!</h1>
 <?php // display errors, if there were any ?>
 <?php if (!empty($errors)): ?>
 <div class="errors">Something went horribly wrong:
     <ul><?php foreach ($errors as $e) echo '<li>' . htmlspecialchars($e) . '</li>'; ?></ul>
 </div>
 <?php endif; ?>
 <form method="POST">
     <!-- username, password, and submit -->
     <input type="text" name="username" />
     <input type="password" name="password" />
     <input type="submit" value="Log in" />
 </form>
+1
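As an added example (my own code, not this answer's), here is the same one-script login reworked so that the success flag travels in the session instead of in ?success=true, which is what the question and the earlier answers discuss, and so that the session handling covers the points raised above (inactivity timeout, a new session id after login). The user store is constructed inline (a hypothetical user "alice"), authenticate() and flash() are helpers of my own, and PHP 7.4 or later is assumed. The redirect uses a path-only Location, which RFC 7231 permits; older clients may prefer the absolute form shown in the second answer.

```php
<?php
// Added example, not the original answer's code. Post/Redirect/Get login
// with a one-shot session "flash" instead of a ?success=true GET parameter.
// Assumptions: PHP 7.4+, session cookie settings come from php.ini, and the
// user table below is constructed inline for the demo.
declare(strict_types=1);
session_start();

// Constructed sample user store; a real app reads this from a database.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function authenticate(array $users, string $username, string $password): bool
{
    // Always run password_verify, even for unknown users, so response time
    // does not reveal which usernames exist.
    $hash = $users[$username] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && isset($users[$username]);
}

function flash(string $key, ?string $value = null): ?string
{
    // One-shot message: set during the POST, read and removed on the next GET.
    if ($value !== null) {
        $_SESSION['flash'][$key] = $value;
        return null;
    }
    $msg = $_SESSION['flash'][$key] ?? null;
    unset($_SESSION['flash'][$key]);
    return $msg;
}

function redirect_to_self(): void
{
    // 303 makes the browser re-request this page with GET; exit so no output follows.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string)($_POST['username'] ?? ''));
    $password = (string)($_POST['password'] ?? '');
    if ($username === '') $errors[] = 'You must supply a username.';
    if ($password === '') $errors[] = 'You must supply a password.';

    if (!$errors && authenticate($USERS, $username, $password)) {
        session_regenerate_id(true);   // new id on privilege change: defeats session fixation
        $_SESSION['user'] = $username;
        $_SESSION['last_seen'] = time();
        flash('notice', 'Welcome back, ' . $username . '.');
        redirect_to_self();            // PRG: reload or back no longer resubmits the POST
    }
    if (!$errors) $errors[] = 'Invalid username/password.';
    // Validation or authentication failed: fall through and re-render the form.
}

// GET (or a failed POST): read the one-shot notice, expire idle sessions, render.
$notice = flash('notice');
if (isset($_SESSION['user'], $_SESSION['last_seen']) && $_SESSION['last_seen'] > time() - 600) {
    $_SESSION['last_seen'] = time();   // active within the last 10 minutes: keep it fresh
    $loggedIn = true;
} else {
    unset($_SESSION['user'], $_SESSION['last_seen']);
    $loggedIn = false;
}
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<h1>Log In</h1>
<?php if ($notice): ?><p class="notice"><?= $h($notice) ?></p><?php endif; ?>
<?php if ($errors): ?>
<ul class="errors"><?php foreach ($errors as $e): ?><li><?= $h($e) ?></li><?php endforeach; ?></ul>
<?php endif; ?>
<?php if ($loggedIn): ?>
<p>Logged in as <?= $h($_SESSION['user']) ?>.</p>
<?php else: ?>
<form method="post">
  <input type="text" name="username" required>
  <input type="password" name="password" required>
  <input type="submit" value="Log in">
</form>
<?php endif; ?>
```

Because the notice is removed from the session the first time it is read, reloading the page after the redirect shows the plain logged-in view rather than repeating the welcome message, and nothing about the outcome is exposed in the URL.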
