Digitizer Posted August 28, 2014 (edited)

Hello, I have recently started to have this problem. I have a script which sends variables in a header back to index based on if/else conditions, but if the condition changes, the sent headers in the URL bar don't get cleared; they get added. My code is as follows.

index.php

    // The usernames are stored in an array named $username, e.g. $username = array();
    foreach ($username as $user) {
        // Display the div if the password was not correct, or on success
        // (only for the row whose user is named in the URL, and only for keys that exist in $lang)
        if (isset($_GET['action'], $_GET['user']) && $_GET['user'] == $user && isset($lang[$_GET['action']])) {
            $action = $_GET['action'];
            echo "<div class='error'>" . $lang[$action] . "</div>";
        }
        // display the login form (hidden field closed with a quote and />, form closed inside the echo)
        echo "
        <div class='divBlock'>
            <form name='doStuff' method='post' action='checkin.php'>
                <input type='hidden' name='username' value='" . $user . "' />
                <input type='password' name='password' />
                <input type='submit' name='submitLogin' />
            </form>
        </div>
        ";
    }

and my checkin.php file contains

    if (isset($_POST['submitLogin'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        // mysql_* and the unescaped $username are kept as in the question (practice code)
        $getSavedPass = mysql_query("SELECT * FROM passwords WHERE username='$username'");
        // not using a while loop as only one row will be returned
        $showSavedPass = mysql_fetch_array($getSavedPass);
        $savedPassword = $showSavedPass['password'];
        // If the passwords match, send the result back to the referring page;
        // exit after header() so nothing else runs once the redirect is sent
        if ($password == $savedPassword) {
            header("Location: " . $_SERVER['HTTP_REFERER'] . "?action=Success&user=" . $username);
        } else {
            header("Location: " . $_SERVER['HTTP_REFERER'] . "?action=PASSWORD_INCORRECT&user=" . $username);
        }
        exit;
    }

I have rewritten the script here in a simple format and using mysql_*; I am going to stay with it for a while, and I am not using escape strings as it is just practice, not a production thing. How can I fix it? I will be very thankful to you.

Edited August 28, 2014 by Digitizer
ginerjm Posted August 28, 2014 (edited)

Forgiving you all the laziness in your coding practices to date, I ask "What happens when password <> savedpassword"? You don't go that far, but that seems to be the problem.

1 - Don't use MySQL. Stop trying to learn it.
2 - Always sanitize user input and don't use it directly in queries.
3 - Don't save a password value in a db without encrypting it.

And a personal tip: since PHP is a case-sensitive language, try not to use both upper and lower case letters in your var names. It will only cause you trouble as you go on when you accidentally mistype a name and then have to figure out why your code isn't working. Stick to all lowercase.

Edited August 28, 2014 by ginerjm
Jacques1 Posted August 28, 2014

You somehow assume that the referrer only contains the base URL without the query part, but it contains the full URL including all parameters. So you can't just append your own parameters.

Using the referrer generally isn't a good idea, because it's not reliable at all. It may be missing entirely (depending on the client's browser), or it may point to some unknown site (if that's where the request comes from).

Why not simply submit the form to the same script that renders the form? Then you can skip all the complicated message passing and redirecting.

> I have rewritten script here in simple format and using mysql_*, I am gonna stay with it for a while and I am not using escape_strings as it is just practice, not any production thing.

What do you practice then? Writing bad, obsolete code?
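An added example (written for this edit, not code from any of the posts above) for the two points in this reply: first the string arithmetic that makes the referrer redirect accumulate parameters, then a single self-processing login script that redirects to a path it knows, carrying only a message key. The `naiveRedirect`, `mergeQuery`, `handleLogin` and `renderMessage` names, the fixed `/index.php` path and the one-user store returned by `knownUsers()` are assumptions made for the example; a real script would read the hash from the passwords table with a prepared statement.

```php
<?php
// Added example for this thread, not code from the original posts.
declare(strict_types=1);

// 1. What the posted checkin.php does: glue "?action=..." onto whatever
//    HTTP_REFERER contains. After one failed attempt the referrer already ends
//    in "?action=PASSWORD_INCORRECT&user=alice", so the next redirect carries
//    two "?" and both sets of parameters.
function naiveRedirect(string $referer, string $action, string $user): string
{
    return $referer . "?action=" . $action . "&user=" . $user;
}

// Parse the URL, replace only the parameters this script owns and rebuild it.
// This stops the accumulation but still trusts the referrer to exist and to
// point at our own site.
function mergeQuery(string $url, array $params): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        throw new InvalidArgumentException('unparsable or relative URL');
    }
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    $query = array_merge($query, $params);
    return ($parts['scheme'] ?? 'http') . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/')
        . '?' . http_build_query($query);
}

// 2. The shape suggested above: one script renders the form, processes the
//    POST and redirects to a path it knows, carrying only a message key.
//    Constructed user store for the example (hypothetical); a real script
//    reads the hash from the passwords table with a prepared statement.
function knownUsers(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Message keys the page is willing to display; anything else is ignored.
const MESSAGES = [
    'Success'            => 'Login successful.',
    'PASSWORD_INCORRECT' => 'Wrong password, try again.',
];

// Returns the redirect target instead of calling header() so the logic can be
// exercised from the command line as well.
function handleLogin(array $post, string $self = '/index.php'): string
{
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    $hash = knownUsers()[$user] ?? '';
    // An unknown user and a wrong password take the same branch.
    $action = ($hash !== '' && password_verify($pass, $hash)) ? 'Success' : 'PASSWORD_INCORRECT';
    // Fixed parameter names, values encoded by http_build_query(): the result
    // never depends on where the browser came from.
    return $self . '?' . http_build_query(['action' => $action, 'user' => $user]);
}

// Renders the message for a GET, looking the key up in the whitelist so an
// arbitrary ?action= value is never used as an array index or echoed back.
function renderMessage(array $get): string
{
    $action = (string) ($get['action'] ?? '');
    if (!array_key_exists($action, MESSAGES)) {
        return '';
    }
    return "<div class='error'>" . htmlspecialchars(MESSAGES[$action], ENT_QUOTES) . "</div>";
}

if (PHP_SAPI === 'cli') {
    $ref = 'http://localhost/index.php?action=PASSWORD_INCORRECT&user=alice';
    echo naiveRedirect($ref, 'Success', 'alice'), "\n";
    echo mergeQuery($ref, ['action' => 'Success', 'user' => 'alice']), "\n";
    echo handleLogin(['username' => 'alice', 'password' => 'wrong']), "\n";
    echo handleLogin(['username' => 'alice', 'password' => 'correct horse']), "\n";
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Location: ' . handleLogin($_POST), true, 303);
    exit;
} else {
    echo renderMessage($_GET);
    // render the login form here with action='' so it posts back to this script
}
```

Run it as `php login.php` to see the four URLs: the naive one contains a second `?` and both `action` values, the merged one has a single `action=Success`, and the self-processing version produces a clean `/index.php?action=...&user=alice` for both the wrong and the right password. Served through a web server the same file answers the POST with a 303 redirect to itself and shows the message on the following GET, so the referrer is never consulted.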
Digitizer Posted August 28, 2014 (edited)

> Forgiving you all the laziness in your coding practices to date, I ask "What happens when password <> savedpassword"? You don't go that far but that seems to be the problem.
> 1 - don't use MySQL. Stop trying to learn it.
> 2 - Always sanitize user input and don't use them directly in queries
> 3 - Don't save a password value in a db without encrypting it.
> And a personal tip: Since php is a case sensitive language try not to use both upper and lower case letters in your var names. It will only cause you trouble as you go on when you accidentally mis-type a name and then have to figure out why your code isn't working. Stick to all lowercase.

Thanks for the tip, brother. Humbly answering:

1. I have started learning mysqli_*, which I personally prefer over PDO, mysqli_* being almost similar in syntax and able to enter my (nowadays) rusted-out mind.
2. I have learnt about sanitizing, but since I am writing code on a local XAMPP server, I don't feel it necessary to use it at the moment. (no offence)
3. I usually use an md5 hash for passwords, but this code was, as I said, just a hint of what I was facing in processing.
4. If password is <> savedPassword, the "else" section will handle this. Or shall I use "xor" for such a comparison?
5. I am very much used to writing variables in camel format (ever since I started learning programming), so this is not an issue for me that I will miss :/ (just saying)

> What do you practice then? Writing bad, obsolete code?

Let me confess that I am a messy, lazy a$$ programmer who doesn't even know anything about OOP; even after practicing it for a little while, I don't even know how the so-called example "setName" and "getName" functions work. Well, I am trying hard:

1. to get organized
2. to build patterns in coding
3. to start learning mysqli and start moving to an OOP approach rather than messy programming.

If you ever saw my style of writing... if you require, I can pass you this whole script for you to take a look, but nothing will happen and I will find you one day looking for me with a chainsaw in your hands.. lolzz..

Edit: The problem has always been that I never went to any school or college to learn programming. It was my passion, and has been ever since I used to bunk school and sit in an internet cafe reading the sources of HTML pages back in 2000 so I could learn something off them.. then I moved to PHP... and dug my way out real slow with online tutorials and finally landed here with you guys. So before I offend you with my non-pro style of writing, just think once that I have been able to learn with minimal resources, and it is my passion that brought me this far... and will take me forward.

Edited August 28, 2014 by Digitizer
ginerjm Posted August 29, 2014 (edited)

Might be time to invest in a modern PHP programming book that covers the whole range of PHP programming. Perhaps one that includes SQL too, so that you may see how to safely build query statements. Check out the bookstores near you for some titles and then post them here for some reaction, if you can. Or maybe this post will trigger some recommendations immediately.

The reason we are all suggesting that you do things differently is to enforce some good practices upon you - which you yourself state that you wish to do too. So do it!

IMHO - I think that PDO is the way to go. #1 - it is not that hard to pick up - there are some very good examples in the PHP manual. #2 - once I did it I started to read posts that informed me that it is a more generalized db interface that can work with non-MySQL systems. Big plus!

Make sure that you write your db connection code in its own little script and then simply include that with a dbname as a parameter to be able to use it in all your future scripts. (The include will connect using your universal uid/pswd as well as do a select of your db.)

You may not have the credentials of a 'school/university' diploma but you are making inroads on a technology all by yourself. Keep going as you are (or faster) and who knows what you can do?

Edited August 29, 2014 by ginerjm
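An added example (written for this edit, not code from any of the posts) covering the three practices raised earlier in the thread and the connection include suggested just above: a `connect()` helper that takes the database name and keeps the credentials in one place, the posted `SELECT ... WHERE username='$username'` shape beside a prepared statement, and `password_hash()`/`password_verify()` instead of comparing stored clear text. It assumes the `pdo_sqlite` extension so it runs offline against an in-memory database with the same `passwords(username, password)` table as the original; the function names, the `itsMe`/`mypass` defaults and the two users are assumptions for the example. With MySQL, `connect('yourdb')` uses the DSN shown in the code.

```php
<?php
// Added example for this thread, not code from the original posts. It uses an
// in-memory SQLite database (pdo_sqlite assumed available) so it runs offline;
// the same functions work against MySQL with the DSN built in connect().
declare(strict_types=1);

// Connection helper meant to live in its own include: credentials in one
// place, the caller only passes the database name.
function connect(string $dbname, string $user = 'itsMe', string $pass = 'mypass'): PDO
{
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    if ($dbname === ':memory:') {
        return new PDO('sqlite::memory:', null, null, $options);
    }
    // MySQL: disable emulation so parameters are sent separately from the SQL.
    $options[PDO::ATTR_EMULATE_PREPARES] = false;
    return new PDO("mysql:host=localhost;dbname=$dbname;charset=utf8mb4", $user, $pass, $options);
}

// Store only password_hash() output; the clear text is never written anywhere.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO passwords (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Same shape as the query in checkin.php: the username is spliced into the SQL.
function unsafeLookup(PDO $db, string $username): array
{
    return $db->query("SELECT username FROM passwords WHERE username='$username'")->fetchAll();
}

// Prepared statement: the SQL is fixed, the username travels as a parameter.
function safeLookup(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM passwords WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll();
}

// Login check: true only for a known user whose password matches the hash.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM passwords WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row !== false && password_verify($password, $row['password']);
}

$db = connect(':memory:');
$db->exec('CREATE TABLE passwords (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
registerUser($db, 'alice', 'correct horse');
registerUser($db, 'bob', 'battery staple');

// Constructed input: the quote closes the string literal and the OR matches every row.
$payload = "nobody' OR '1'='1";
printf("unsafe lookup: %d rows\n", count(unsafeLookup($db, $payload)));
printf("safe lookup:   %d rows\n", count(safeLookup($db, $payload)));
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, 'alice', 'wrong'));
var_dump(checkLogin($db, 'mallory', 'anything'));
```

With the constructed `$payload` the string-built query returns both users because the injected `OR '1'='1'` is true for every row, while the prepared statement returns none since the whole string is compared as a username. The three `checkLogin()` calls give true, false and false; an unknown user and a wrong password are indistinguishable to the caller, which is the behaviour a login form wants.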
Digitizer Posted August 30, 2014 (edited)

@ginerjm: Thanks a lot, my friend. Your post in real became something I can't just explain... I will do PDO, and I will do it fast and I will do it organized... and when I step up in proficiency levels, the credit will go to you.

    try {
        $db = new PDO("mysql:host=localhost;dbname=thanksginerjm;charset=utf8", 'itsMe', 'mypass');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $exp) {
        // prints the whole exception including its trace; only acceptable on a local test setup
        print $exp;
    }

    $name = 'ginerjm';
    $msg = 'Thanks Man';

    // Send thanks (values bound as parameters rather than pasted into the SQL)
    $sendThanks = $db->prepare("INSERT INTO thethanks(name, msg) VALUES (:name, :msg)");
    $sendThanks->execute([':name' => $name, ':msg' => $msg]);

    // Receive thanks
    $getData = $db->query("SELECT * FROM thethanks");
    // rowCount() on a SELECT is driver-dependent; counting the fetched rows is portable
    $rows = $getData->fetchAll(PDO::FETCH_ASSOC);
    echo $countRows = count($rows);
    foreach ($rows as $row) {
        echo "Received by " . $row['name'] . ": " . $row['msg'];
    }

This is dedicated to you, my first ever code after a basic practice.

Edited August 30, 2014 by Digitizer