header: location

[Zironako]

Hello,

For a school project we have made a very simple Jquery mobile website. In this website you can create "Quick Links" that will put them in a list for you. The website is running and is doing good. However, there is one tiny problem. After you have added a link we made it that you will be redirected to the main page using the code:

 

if($result){
  header("location: /index.php/");

 

This works great, but it will keep the /voegtoe.php in the url when you are at the index.php which results in you not being able to click anything because the systsem is confused. Does anyone have any solutions that will resolve this and just redirect it so that the user will go to index.php?

 

Thanks in advance.

 

[DaveyK]

I dont think you need the extra slash '/'. Just to summarize, this code:

 

 

if($result) {
header("Location: /index.php");
 

will infact give this url:

 

/index.php/voegtoe.php

 

?

[Zironako]

Yes. This is the website;

 

http://quicklink.radiusict.nl/

 

If you add a link you can see what happens. I added the / just as a try .

[DaveyK]

I see. Can you show the script that handles the creation of links, particularly the lines around the redirect?

 

Also, you dont just have this issue with adding/creating links, its also occuring on editing/removing them.

[Zironako]

<?php 
		if (isset($_POST['submit'])){
			$name = $_POST['name'];
			$url = $_POST['url'];
			if($name == "" || $url == ""){
				echo "Vul a.u.b. alle velden in.";
			}else{
				$sql = "INSERT INTO links SET url_name='".$name."', url='".$url."'";
				$result = mysql_query($sql);
				if($result){
					header("location: /index.php/");
				}else{
					echo "Uw link is niet opgeslagen, probeer het opnieuw.";
				}
			}
		}
		
		?>

 

Yeah that uses the same code for the redirect.

[DaveyK]

Can't say I see anything wrong with it... the redirect at least. However, I would use something like this:

 

if($result){
header("Location: /index.php");
  exit();

I dont know if it makes a difference, but I dont see why you shouldnt give it a shot.

 

On a side note....

For security sake, dont ever use a variable in a query without at least validating it. You can read more about validation on php.net, look into mysql_real_escape_string() as well as htmlentities(), like such:

 

 

$name = mysql_real_escape_string(htmlentities($_POST['name']));
$url = mysql_real_escape_string(htmlentities($_POST['url']));

[Zironako]

Unfortunantly that doesn't resolve the issue. Thank you for the tips though, will take that in account for next projects .

[Zironako]

Probleem opgelost! We moesten ervoor zorgen dat het Ajax negeert met data-ajax="false". Dank voor de hulp!

[DaveyK]

remember, english

 

you still use the exit(); after a redirect and validate the variable you use in queries

[Christian F.]

Also, I would just like to point out that input validation doesn't necessarily help against SQL injections. For that you have to use the proper output escaping method, which is either *real_escape_string () or Prepared Statements. I recommend the latter, using the PDO or MySQLI libraries, as that handles the escaping for you.

 

Secondly: htmlspecialchars and htmlentities should never be used prior to adding data to the database. They are HTML escaping functions, which means that you should only use them immediately before sending content to the browser. Also, htmlentities escapes far more than necessary for HTML, and as such htmlspecialchars is the one you should use.

 

The correct order of processing data from a user is as follows:

• Validate data.
• Show validation errors, if necessary.
• Process the data (business logic).
• Escape and send to the correct third party system (browser or database, most likely).

[DaveyK]

My whole life was a lie. Well, everyone has their methods

 

EDIT: But I trust Christians method > my method. Just expressing my concern