Minimeallolla Posted November 25, 2010

[code]
<form name="commentbox" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0">
<textarea name="comment" cols="20" rows="2" onclick="document.commentbox.comment.value='';" onfocus="this.style.borderColor='yellow';" onblur="this.style.borderColor='blue';" />Comment...</textarea>
</td></tr>
[/code]

[code]
$commentcheck = $_POST['comment'];
if ($commentcheck == "Comment...") {
    die(' <META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=index.php\"> ');
}else
[/code]

Why does this not refresh if I comment "Comment..."? It just dies and doesn't echo anything.
Pikachu2000 Posted November 25, 2010

Get rid of the <?php echo $_SERVER['PHP_SELF'] ?> in the action attribute of the form tag. It is a known XSS vulnerability. Also, note that you have PHP code in the HTML that is not enclosed in <?php ?> tags.
Minimeallolla Posted November 25, 2010

OK, so I got rid of the PHP_SELF, and it was just an outtake from my whole code. Here it is:

[code]
<div id="mydiv">
<a href="javascript:;" onmousedown="if(document.getElementById('mydiv').style.display == 'block') { document.getElementById('mydiv').style.display = 'block'; } else{ document.getElementById('mydiv').style.display = 'none'; }">Hide/Show comments</a>
<div class='navbar'><br>
<?php
include ("database.php");
$query = ("SELECT * FROM homecomments");
$result = mysql_query("SELECT * FROM homecomments");
while($row = mysql_fetch_array($result)) {
    include ("echocomments.php");
}
ini_set ("display_errors", "1");
error_reporting(E_ALL);
if (isset($_POST['submit'])) {
    $check = mysql_query("SELECT active FROM users WHERE active ='1' AND username='$username'") or die(mysql_error());
    $check2 = mysql_num_rows($check);
    if ($check2 != 1) {
        die('You are not allowed to comment untill your account is activated.');
    }else{
        $comment = mysql_real_escape_string(stripslashes(trim($_POST['comment'])));
        $username = mysql_real_escape_string(stripslashes(trim($_COOKIE['ID_my_site'])));
        $usercheck = ( $_COOKIE['ID_my_site'] );
        $commentcheck = $_POST['comment'];
        $check = mysql_query("SELECT * FROM homecomments WHERE comment = '$commentcheck' AND username = '$usercheck'") or die(mysql_error());
        $check2 = mysql_num_rows($check);
        if ($check2 != 0) {
            die('Anti Spam has detected multiple comments posted.');
        }else{
            if ($commentcheck == "Comment...") {
                die(' <META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=index.php\"> ');
            }else{
                // now we insert it into the database
                $insert = "INSERT INTO homecomments (username, comment) VALUES ('$username', '$comment')";
                $add_member = mysql_query($insert);
                {
                    echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=index.php\">";
                }
            }
        }
    }
}
?>
<br>
<p>
<center>
<form name="commentbox" method="post">
<table border="0">
<textarea name="comment" cols="20" rows="2" onclick="document.commentbox.comment.value='';" onfocus="this.style.borderColor='yellow';" onblur="this.style.borderColor='blue';" />Comment...</textarea>
</td></tr>
<tr><th colspan=2><input type="submit" name="submit" value="Submit"> <colspan=2><input type="submit" name="refresh" value="Refresh"></th></tr>
</table>
</form><br />
</div></div>
<a href="javascript:;" onmousedown="if(document.getElementById('mydiv').style.display == 'none') { document.getElementById('mydiv').style.display = 'block'; } else{ document.getElementById('mydiv').style.display = 'none'; }">Hide/Show comments</a>
<br>
[/code]
Pikachu2000 Posted November 25, 2010

I didn't mean to remove the entire action tag. It should be simply action="" when you're submitting a form to itself.
Minimeallolla Posted November 25, 2010

OK, it still didn't do anything ):

[code]
<form name="commentbox" action="" method="post">
[/code]
Pikachu2000 Posted November 25, 2010

As I said in your other thread, handling errors with die() is a bad way of doing things, but since you insist, your quoting and quote escapement is off.

[code]
// Single quotes around the string, plain double quotes inside it; the whole
// "delay; URL=target" pair lives in the one CONTENT attribute.
die('<META HTTP-EQUIV="Refresh" CONTENT="1; URL=index.php">');
// AND
echo '<META HTTP-EQUIV="Refresh" CONTENT="1; URL=index.php">';
[/code]
Minimeallolla Posted November 25, 2010

Sorry, but could you please elaborate? And if you are the person that said to use echo instead of die, as I said, echo allows the PHP to execute when it is not intended.
Pikachu2000 Posted November 25, 2010

Killing the script with die() prevents HTML that is needed for proper structure from echoing also. Therein lies the problem with using die() for handling errors rather than controlling the script with conditionals. If I had a script that consisted of header.html, body.php, and footer.html files, and it was set up like this:

[code]
// body.php
<?php
include( 'header.html' );
if( $problem === TRUE ) {
    die('Oh noes! There was a problem!');
}
include( 'footer.html' );
[/code]

When the script is killed, it not only prevents PHP code from running, it prevents the rest of the HTML from being presented, leaving the document incomplete. These types of problems are best handled with conditionals so the mere fact that an error occurred doesn't have to crater everything, and make a mess of the output.
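The comment handler from this thread rewritten the way the post above recommends, as an added example that is not code from either poster: every check returns a message instead of calling die(), the page is always emitted in full, and the meta refresh uses plain double quotes inside a single-quoted context. It assumes a PDO connection in $pdo (an assumption) and the users / homecomments tables the thread names, and swaps the mysql_* calls for prepared statements.

```php
<?php
// Added example (not the thread's code): the comment handler rewritten so each
// branch returns a message instead of calling die(), and the page is always
// emitted in full. Assumes a PDO connection in $pdo (assumption) and the
// users / homecomments tables from the thread.
function handle_comment(PDO $pdo, string $username, string $comment): array
{
    // Returns [redirect (bool), message (string)]; nothing is printed here.
    $comment = trim($comment);
    if ($comment === '' || $comment === 'Comment...') {
        return [false, 'Please type a comment first.'];
    }
    $st = $pdo->prepare('SELECT COUNT(*) FROM users WHERE active = 1 AND username = ?');
    $st->execute([$username]);
    if ((int) $st->fetchColumn() !== 1) {
        return [false, 'You are not allowed to comment until your account is activated.'];
    }
    $st = $pdo->prepare('SELECT COUNT(*) FROM homecomments WHERE comment = ? AND username = ?');
    $st->execute([$comment, $username]);
    if ((int) $st->fetchColumn() > 0) {
        return [false, 'Anti Spam has detected multiple comments posted.'];
    }
    $st = $pdo->prepare('INSERT INTO homecomments (username, comment) VALUES (?, ?)');
    $st->execute([$username, $comment]);
    return [true, 'Comment posted.'];
}

$redirect = false;
$message  = '';
if (isset($_POST['submit'])) {
    // The thread identifies the user by cookie; a server-side session would be safer.
    $username = $_COOKIE['ID_my_site'] ?? '';
    [$redirect, $message] = handle_comment($pdo, $username, $_POST['comment'] ?? '');
}
?>
<html><head>
<?php if ($redirect): ?>
<meta http-equiv="refresh" content="1; URL=index.php">
<?php endif; ?>
</head><body>
<?php if ($message !== ''): ?>
<p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<!-- action="" posts back to this page without echoing PHP_SELF into the markup -->
<form name="commentbox" action="" method="post">
<textarea name="comment" cols="20" rows="2"></textarea>
<input type="submit" name="submit" value="Submit">
</form>
</body></html>
```

Because no branch exits early, the closing tags and the form are sent on every request, and the only thing that changes between a rejected and an accepted comment is the message and whether the refresh tag is present.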
JakeTheSnake3.0 Posted November 30, 2010

Would it not be easy to just echo the variable to see what it's currently holding?