Submit button doesn't refresh the page


mjxs

Hey everyone. I'm new here and let me apologize if I am reposting a question; I've looked through the forums for a while and can't seem to find anything similar.

 

I'm using Jono Bacon's "Practical PHP and MySQL with Applications" and working my way through his blog project. All seems good and well, but I got to the part about submitting new comments on blog posts. When I click the submit button, it should post the various information to the MySQL database. It does this, but the submit button doesn't refresh the page. It does submit the mysql query, so if I manually reload, the new comment shows up, but the submit button doesn't cause the page to refresh automatically.

 

Below is my code. Any help is greatly appreciated.

 

<?php

require("config.php");

if(isset($_GET['id']) == TRUE) {

if(is_numeric($_GET['id']) == FALSE) {
	$error = 1;
}

if($error == 1) {
	header("Location: " . $config_basedir);
}else{
	$validentry = $_GET['id'];
}

}else{
$validentry = 0;
}

//check to see if this page is being loaded as the result of a comment being submitted

if($_POST['submit']){
$db = mysql_connect($dbhost, $dbuser, $dbpassword); //appears to return a pointer to the database
mysql_select_db($dbdatabase, $db);

$sql = "INSERT INTO comments(blog_id, tier, replyto, dateposted, name, comment) VALUES(" . $validentry . ", 1, 0, NOW(), '" . $_POST['name'] . "', '" . $_POST['comment'] . "');";
mysql_query($sql);
header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);
}else{
//code goes here
}

require("header.php");

if($validentry == 0) {
$sql = "SELECT entries.*, categories.cat FROM entries, categories WHERE entries.cat_id = categories.id ORDER BY dateposted DESC LIMIT 1;";
}else{
$sql = "SELECT entries.*, categories.cat FROM entries, categories WHERE entries.cat_id = categories.id AND entries.id = " . $validentry . " ORDER BY dateposted DESC LIMIT 1;";
}


$result = mysql_query($sql);

$row = mysql_fetch_assoc($result);
echo "<h2>" . $row['subject'] . "</h2><br>";
echo "<i>In <a href='viewcat.php?id=" . $row['cat_id'] . "'>" . $row['cat'] . "</a> - Posted on " . date("D jS F Y g.iA", strtotime($row['dateposted'])) . "</i>";
echo "<p>";
echo nl2br($row['body']);
echo "</p>";

//form the SQL; we only want top level comments as these are replies to the post itself
$commsql = "SELECT * FROM comments WHERE blog_id = " . $validentry . " AND tier = 1 ORDER BY dateposted DESC;";

//now send the query
$commresult = mysql_query($commsql);

//now count how many comments we have
$num_commrows = mysql_num_rows($commresult);

echo "<div id='comment'>";
if ($num_commrows == 0) {
echo "<p><i>No comments.</i></p>";
}else{
$i = 0;

//then take the result and put it into an array - use this as the sentinel control
while($commrow = mysql_fetch_assoc($commresult)) {
	//first set up the formatting tag. Build a table
	echo "<table><tr class='commentinfo'><td class='commentauthor'>";

	//post the comment info; name and date
	echo "<a name='comment" . $i . "'>";
	echo "Comment by " . $commrow['name'] . "</a></td>";

	//next cell, put the date on the far right
	echo "<td class='commentdate'>";
	echo  date("D jS F Y g.iA", strtotime($commrow['dateposted'])) . "</td></tr><tr><td class='commentbody' colspan=2>";

	echo $commrow['comment'];

	echo "</td></tr>";

	//stick in the reply button;

	echo "<tr class='commentoptions'><td colspan=2>[reply]</td></tr>";


	echo "</table>";

	//now we stick in replies to the comments
	$repsql = "SELECT * FROM comments WHERE blog_id = " . $validentry . " AND tier = 2 AND replyto = " . $commrow['id'] . " ORDER BY dateposted DESC;";
	$represult = mysql_query($repsql);
	$num_reprows = mysql_num_rows($represult);

	if ($num_reprows > 0) {
		$j = 0;

		//then take the result and put it into an array - use this as the sentinel control
		while($reprow = mysql_fetch_assoc($represult)) {
			//first set up the formatting tag. Build a table
			echo "<table style='margin-left:50px;'><tr class='commentinfo'><td class='commentauthor'>";

			//post the comment info; name and date
			echo "Comment by " . $reprow['name'] . "</td>";

			//next cell, put the date on the far right
			echo "<td class='commentdate'>";
			echo  date("D jS F Y g.iA", strtotime($reprow['dateposted'])) . "</td></tr><tr><td class='commentbody' colspan=2>";

			echo $reprow['comment'];

			echo "</td></tr>";

		echo "</table>";
		}
	}

	$i++;
}
}
	//close off the div tag
	echo "</div>";
?>

<h3>Leave a comment</h3>

<form action="<?php echo $_SERVER['SCRIPT_NAME'] . "?id=" . $validentry; ?>" method="post">
<table>
	<tr>
		<td>Your name:</td>
		<td><input type="text" name="name"></td>
	</tr>
	<tr>
		<td>Comments:</td>
		<td><textarea name="comment" rows="10" cols="50"></textarea></td>
	</tr>
	<tr>
		<td></td>
		<td><input type="submit" name="submit" value="Add comment"></td>
	</tr>
</table>
</form>

<?php

require("footer.php");

?>


so you're saying that when you click the submit button, it doesn't refresh the screen at all? or just the actual page that your tables are on?

 

Correct. The page stays completely static, as if the button does nothing.

 

But if I manually refresh the new comments are there.


It sounds like the MySQL insert is happening later than expected. Maybe the insert is happening after the code where you get the list of comments. Have you tried adding debugging code throughout the script to see if things are executing as expected?

 

For example, you can make sure the $validentry is set to the value you expect by doing something like this:

 

if(isset($_GET['id']) == TRUE) {
     //...
}else{
     $validentry = 0;
}

echo $validentry;

 

 

You can see if the form is being submitted by doing something like:

 

if($_POST['submit']){
     echo 'here';
}

 

 

If the code works as expected, keep moving throughout the code until you hopefully find the bug.


Well, $validentry must be the right value otherwise the rest of the code would fall apart (since it's used to determine what post a new comment is attached to, and the comments DO work; the page just doesn't refresh). Nonetheless, I still inserted the code as you suggest and sure enough it is the right value.

 

The SQL injection is literally the first thing that happens. I also noted that the bracket ("}") in the else condition where it says "//code goes here" was supposed to be just before the call for footer.php so I changed that. However, it still doesn't update the page.

 

I used your suggestion for an echo call after the $_POST['submit'] condition but since the page doesn't refresh, it doesn't even get to that point. I know that header() will fail if any information is processed on the client-side before that call is executed but I can't see anywhere where anything, even whitespace, would be sent to the client; since it is injecting data to my MySQL database, I know it is getting into that part of the if statement, but for some reason, the clicking of that button just isn't causing the browser to reload the page.

 

I'm wondering if this could have something to do with browser caching issues? I'm going to try it in IE but if anyone has any additional suggestions, by all means, please help.


Apologies for the double post.

 

I just changed this line:

 

header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);

 

to

 

header("Location: http://www.google.com/");

 

And sure enough, now when I submit a comment, I get redirected to google. So why isn't my page refreshing and how can I fix it? Is there something wrong with the header() code?

 

UPDATE:

 

I stuck the following line in:

 

echo "<h1>HTTP_HOST: " . $HTTP_HOST . "<BR>SCRIPT_NAME: " . $SCRIPT_NAME . "<BR>validentry: " . $validentry;

 

and I got this:

 

Notice: Undefined variable: HTTP_HOST in C:\xampp\htdocs\blog\viewentry.php on line 47

 

Notice: Undefined variable: SCRIPT_NAME in C:\xampp\htdocs\blog\viewentry.php on line 47

 

I'm taking a wild guess that these variables or this syntax is deprecated?


Aha.

 

The culprit? This:

 

header("Location: http://" . $HTTP_HOST . $SCRIPT_NAME . "?id=" . $validentry);

 

Needed to be this:

 

header("Location: http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'] . "?id=" . $validentry);

 

I guess the syntax for predefined variables must have changed some time after the publication of the manual I'm using. Either way, I've spent years working with and debugging C, Java and VB, but PHP is clearly an all-new sort of monster in this sense.

 

Nonetheless, thanks for all your help and hopefully I didn't waste too much of this board's time. I'll try to keep the n00b issues to a minimum ;)


Wow, yeah, didn't even notice that, dumb of me... those variables are stored in the $_SERVER predefined array. Glad you found your error.


Maybe you're already aware of this, but your code is currently susceptible to MySQL injection attacks. You may want to take a look at the following article:

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

 

And become familiar with the mysql_real_escape_string() function:

http://php.net/manual/en/function.mysql-real-escape-string.php

 

 

Also, I've never used $_SERVER['SCRIPT_NAME'] so I'm not sure if it has the same problems as $_SERVER['PHP_SELF']:

http://www.mc2design.com/blog/php_self-safe-alternatives
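
An added example, not code from the thread or from the book: the comment INSERT from the first post rebuilt with PDO prepared statements. This is a different technique from the mysql_real_escape_string() call suggested above, chosen because the mysql_* functions were removed in PHP 7. It assumes the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the MySQL comments table, so datetime('now') replaces NOW(); the function names are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database
// so the script runs offline. Column names follow the INSERT in the first post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE comments (
    id INTEGER PRIMARY KEY, blog_id INTEGER, tier INTEGER, replyto INTEGER,
    dateposted TEXT, name TEXT, comment TEXT)");

// The posted pattern: request values concatenated into the statement text.
// Only the string is built here; it is never executed.
function build_concatenated_sql(int $blogId, string $name, string $comment): string
{
    return "INSERT INTO comments(blog_id, tier, replyto, dateposted, name, comment) "
         . "VALUES(" . $blogId . ", 1, 0, datetime('now'), '" . $name . "', '" . $comment . "');";
}

// Hardened form: placeholders keep the values out of the SQL grammar, so a
// quote character in the input is stored as data instead of ending the literal.
function add_comment(PDO $pdo, int $blogId, string $name, string $comment): int
{
    $stmt = $pdo->prepare(
        "INSERT INTO comments(blog_id, tier, replyto, dateposted, name, comment)
         VALUES(:blog_id, 1, 0, datetime('now'), :name, :comment)");
    $stmt->execute([':blog_id' => $blogId, ':name' => $name, ':comment' => $comment]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input: an ordinary apostrophe is enough to unbalance the
// quotes in the concatenated statement, which is the flaw injection relies on.
$name    = "O'Brien";
$comment = "It's a great post";

echo build_concatenated_sql(1, $name, $comment), "\n";

// The prepared statement accepts the same input unchanged.
$id    = add_comment($pdo, 1, $name, $comment);
$check = $pdo->prepare("SELECT name, comment FROM comments WHERE id = :id");
$check->execute([':id' => $id]);
$row = $check->fetch(PDO::FETCH_ASSOC);

// True when the values come back exactly as submitted.
var_dump($row['name'] === $name && $row['comment'] === $comment);
```

Against MySQL only the DSN passed to the PDO constructor and the date function change; the prepare() and execute() calls stay the same.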


The reason why $_SERVER['PHP_SELF'] poses such an issue as far as injection is concerned is because it incorporates $_SERVER['PATH_INFO'], which can be tampered with by users. To my knowledge, $_SERVER['SCRIPT_NAME'] does not incorporate PATH_INFO; however, I would check a reference before being confident.
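
An added example, not code from the thread: how the form action and the post-submit redirect from the first post can be built so that neither depends on PHP_SELF. The $server array is a constructed stand-in for $_SERVER, the base URL is an assumed value for the $config_basedir setting, viewentry.php is the script name shown in the notices above, and the function names are hypothetical.

```php
<?php
// Added example. $server mimics $_SERVER for a request whose path has extra
// text appended after the script name (constructed values).
$server = [
    'SCRIPT_NAME' => '/blog/viewentry.php',
    'PATH_INFO'   => '/"><b>x</b>',
    'PHP_SELF'    => '/blog/viewentry.php/"><b>x</b>',
];

// Form action: script path only, id forced to an integer, and the result
// escaped for the HTML attribute it is printed into.
function form_action(array $server, $id): string
{
    $url = $server['SCRIPT_NAME'] . '?id=' . (int) $id;
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Redirect target after the INSERT, built from a configured base URL
// (assumed to be what $config_basedir holds) instead of request headers.
function redirect_url(string $baseUrl, int $id): string
{
    return rtrim($baseUrl, '/') . '/viewentry.php?id=' . $id;
}

// What the page would print with SCRIPT_NAME plus escaping.
echo '<form action="' . form_action($server, '3') . '" method="post">', "\n";

// What an unescaped PHP_SELF would have put inside the attribute: the
// appended text closes the attribute and adds markup of its own.
echo '<form action="' . $server['PHP_SELF'] . '?id=3" method="post">', "\n";

// Escaping alone also neutralises PHP_SELF if it has to be used.
echo htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'), "\n";

// In the page script this value goes to header('Location: ' . ...) and is
// followed by exit, because header() does not stop the rest of the page
// from running.
echo 'Location: ', redirect_url('http://localhost/blog/', 3), "\n";
```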
