widget, Posted August 5, 2011

Hi all, I am in need of a bit of advice on the best way to display a message on screen to a user. This is a little difficult to explain so please bear with me. I am using PHP 5 and MySQL. My worry is to do with XSS etc.

Current scenario

My website is a pet gaming site where often a user is able to claim a free gift or prize. User clicks a button or link on Page A to claim a free gift. This redirects the user to Page B where all the magic happens and the gift is chosen, and then redirects the user back to Page A without them even seeing what happened, with a message of "Congrats you won a blah blah". Now my problem is the way the message is handled.

Page A code:

    <a href="$base_url/PageB.php">link</a>

Page B code:

    die(header(error("PageA.php", "message here")));

Result URL is $base_url/PageA.php&error=message here

I am concerned that a malicious user could inject the error= variable. What would be the best way to do this without having to have the information in the URL?
Nodral, Posted August 5, 2011

Use an HTML form with a submit button and a hidden field to trigger the link. Then use POST to send the variable to the new page, thus not appearing in the URL.
widget (Author), Posted August 5, 2011

Could you please give a basic example?
Nodral, Posted August 5, 2011

    <?php
    // Page1
    ?>
    <form method="post" action="page2.php">
      <input type="hidden" name="prize" value="You have won a fantastic prize!!!!">
      <input type="submit" name="freebie" value="Click to receive prize">
    </form>

    <?php
    // page2
    // check if prize button has been pressed and display message
    if (isset($_POST['freebie'])) {
        // escape for HTML output: the hidden field is client-controlled and can be edited
        echo htmlspecialchars($_POST['prize'], ENT_QUOTES, 'UTF-8');
    }
widget (Author), Posted August 5, 2011

Thank you. That code works, but I need it to redirect the user back to Page A and display the message, for example at the top of the page.
widget (Author), Posted August 5, 2011

With your example I can replicate it simply by adding

    die("You have won a fantastic prize!!!!");

but I don't know if this is good coding practice, as I am only following what I am being shown.
Nodral, Posted August 5, 2011

So amend to the following:

    <?php
    // Page1
    if (isset($_POST['choose'])) {
        // escape for HTML output: the field comes from the client
        echo htmlspecialchars($_POST['message'], ENT_QUOTES, 'UTF-8');
    }
    ?>
    <form method="post" action="page2.php">
      <input type="hidden" name="prize" value="You have won a fantastic prize!!!!">
      <input type="submit" name="freebie" value="Click to receive prize">
    </form>

    <?php
    // page2
    // check if prize button has been pressed, then show the confirmation form
    if (isset($_POST['freebie'])) {
        // code to choose prize
    ?>
    <form method="post" action="page1.php">
      <input type="hidden" name="message" value="<?php echo htmlspecialchars($_POST['prize'], ENT_QUOTES, 'UTF-8'); ?>">
      <input type="submit" name="choose" value="Click here to confirm prize">
    </form>
    <?php
    }

To be honest though, you don't actually need to pass the message through the URL in this instance; you can just change pages and then, if the submit buttons have been pressed, test for that and then display a message. You shouldn't use die in that context. Very bad practice.
widget (Author), Posted August 5, 2011

This works, but I was looking for a way to auto-redirect them back to Page A and not have them click a button. After lots of reading I think this is impossible.
widget (Author), Posted August 5, 2011

What's your opinion on using JavaScript such as...

    <script type="text/javascript">
    // submit the form with id="foo" as soon as the page has loaded
    function myfunc() {
        var frm = document.getElementById("foo");
        frm.submit();
    }
    window.onload = myfunc;
    </script>
Nodral, Posted August 5, 2011

Not impossible. You just need to put a timed redirect onto page 2, and assign the $_POST variables to a $_SESSION variable.

    <?php
    // page2
    session_start();
    // check if prize button has been pressed and assign message to session variable
    if (isset($_POST['freebie'])) {
        $_SESSION['message'] = $_POST['prize'];
    }
    ?>
    <head>
      <meta http-equiv="refresh" content="10; url=page1.php">
    </head>

    <?php
    // Page1
    session_start();
    // check if session variable is set
    if (isset($_SESSION['message'])) {
        // display message, escaped for HTML output
        echo htmlspecialchars($_SESSION['message'], ENT_QUOTES, 'UTF-8');
        // clear variable so the message is shown only once
        unset($_SESSION['message']);
    }
    ?>
    <form method="post" action="page2.php">
      <input type="hidden" name="prize" value="You have won a fantastic prize!!!!">
      <input type="submit" name="freebie" value="Click to receive prize">
    </form>
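The session-based "flash message" above is the right direction, but two things in the thread's code still leave the message under the user's control: the prize text is read back from a hidden form field (which anyone can edit before submitting), and it is echoed into the page without escaping. The following is an added example, not code from the thread or either poster. It is one script that plays both Page A (form plus message) and Page B (prize selection), using Post/Redirect/Get: the server chooses the prize from its own list, stores a one-shot message in the session, answers the POST with a 303 redirect, and Page A escapes the message on output. The prize list, the `csrf` field name and the `e()`/`pop_flash()` helper names are assumptions for this example; it also assumes PHP 7 or later for `random_int`, `random_bytes` and the scalar type declarations.

```php
<?php
// Added example (not from the thread). One script acting as both Page A and
// Page B. Assumes PHP 7+ and that sessions are configured on the server.
declare(strict_types=1);

session_start();

// Server-side prize table (constructed for this example). The prize is chosen
// HERE, never read from a hidden form field, so a user who edits the form
// cannot award themselves anything or pick the text that gets displayed.
const PRIZES = ['a red ball', 'a squeaky toy', '50 gold coins'];

function choose_prize(): string
{
    return PRIZES[random_int(0, count(PRIZES) - 1)];
}

// Store a one-shot message in the session. Only server-built strings go in.
function set_flash(string $message): void
{
    $_SESSION['flash'] = $message;
}

// Read the message once and clear it, so refreshing Page A does not replay it.
function pop_flash(): ?string
{
    if (!isset($_SESSION['flash'])) {
        return null;
    }
    $message = $_SESSION['flash'];
    unset($_SESSION['flash']);
    return $message;
}

// Escape for an HTML text/attribute context. Even server-generated text goes
// through this, so a prize named "<b>bonus</b>" renders literally, not as markup.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CSRF token: the claim POST must originate from a form this site rendered,
// otherwise another site could make a logged-in user "claim" on their behalf.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

$self = basename($_SERVER['SCRIPT_NAME']);   // this script is both pages

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // "Page B": validate the claim, choose the prize, flash, redirect, stop.
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals(csrf_token(), $token)) {
        http_response_code(403);
        exit('Bad request');
    }
    $prize = choose_prize();
    // ... update the user's inventory in the database here ...
    set_flash('Congrats, you won ' . $prize . '!');
    header('Location: ' . $self, true, 303);   // 303: browser re-GETs Page A
    exit;                                      // nothing runs after a redirect
}

// "Page A": show the flash message (if any) and the claim form. No message
// text ever travels through the URL or through a client-editable field.
$flash = pop_flash();
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Free gift</title></head>
<body>
<?php if ($flash !== null): ?>
  <p class="notice"><?= e($flash) ?></p>
<?php endif; ?>
<form method="post" action="<?= e($self) ?>">
  <input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">
  <button type="submit" name="freebie">Click to receive prize</button>
</form>
</body>
</html>
```

The redirect uses `header('Location: ...')` followed by `exit` rather than a `<meta http-equiv="refresh">` delay, so the user never sees an intermediate page and no PHP runs after the redirect header is sent. The session value is read and unset in one step (`pop_flash`) so a refresh of Page A does not show the message twice, and because the only thing ever placed in the session is a string the server built, the escaping in `e()` is defence in depth rather than the sole barrier against XSS.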
widget (Author), Posted August 5, 2011

Hmm, I have to go out for a bit but will try this as soon as I am back. I have never gotten into sessions before, so it should be interesting. Thanks.
widget (Author), Posted August 5, 2011

Eh, I don't understand it. I think I will move on to another alternative.
Nodral, Posted August 5, 2011

What don't you understand?