Hello,

I have recently started to have this problem. I have a script which sends variables in a header back to index based on if/else conditions, but if the condition changes, the headers already sent in the URL bar don't get cleared; they get added to. My code is as follows

 

index.php

// The usernames are stored in an array named $username, e.g. $username = array();
// $lang is assumed to be defined elsewhere and to hold the message text for each action key
foreach($username as $user){

   // Display div if password is not correct or success
   if(isset($_GET['action']) && isset($_GET['user']) && $_GET['user'] == $user){
      $action = $_GET['action'];
      echo "<div class='error'>".$lang[$action]."</div>";
   }

   // display form for login (the whole markup, including the closing tags, is inside the echo)
   echo ("
      <div class='divBlock'>
       <form name='doStuff' method='post' action='checkin.php'>
          <input type='hidden' name='username' value='".$user."' />
          <input type='password' name='password' />
          <input type='submit' name='submitLogin' />
       </form>
      </div>
   ");
}

and my checkin.php file contains

if(isset($_POST['submitLogin'])){
   $username = $_POST['username'];
   $password = $_POST['password'];

   // Practice code: mysql_* with the raw POST value, as explained below
   $getSavedPass = mysql_query("SELECT * FROM passwords WHERE username='$username'");
   //not using while loop as only one row will be returned
   $showSavedPass = mysql_fetch_array($getSavedPass);
   // mysql_fetch_array() returns false when no row matched; treat that as "no saved password"
   $savedPassword = ($showSavedPass !== false) ? $showSavedPass['password'] : null;

   // If passwords match (strict comparison: == would let an unknown user in with an empty password)
   if($savedPassword !== null && $password === $savedPassword){
      // HTTP_REFERER already holds the previous URL, query string included, so these
      // parameters are appended to whatever was there
      header("Location: " . $_SERVER['HTTP_REFERER'] . "?action=Success&user=".$username);
   } else {
      header("Location: " . $_SERVER['HTTP_REFERER'] . "?action=PASSWORD_INCORRECT&user=$username");
   }
   exit; // stop the script after the redirect header
}

I have rewritten the script here in a simple format using mysql_*; I am going to stay with it for a while, and I am not using escape_strings as it is just practice, not anything production.

 

How can I fix it? I will be very thankful to you.

Edited by Digitizer

Forgiving you all the laziness in your coding practices to date, I ask "What happens when password <> savedpassword"? You don't go that far, but that seems to be the problem.

 

1 - don't use MySQL.  Stop trying to learn it.

2 - Always sanitize user input and don't use it directly in queries.

3 - Don't save a password value in a db without encrypting it.

 

And a personal tip: Since PHP is a case-sensitive language, try not to use both upper- and lower-case letters in your var names. It will only cause you trouble as you go on when you accidentally mistype a name and then have to figure out why your code isn't working. Stick to all lowercase.

Edited by ginerjm

You somehow assume that the referrer only contains the base URL without the query part, but it contains the full URL including all parameters. So you can't just append your own parameters.

 

Using the referrer generally isn't a good idea, because it's not reliable at all. It may be missing entirely (depending on the client's browser), or it may point to some unknown site (if that's where the request comes from).

 

Why not simply submit the form to the same script that renders the form? Then you can skip all the complicated message passing and redirecting.
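The approach described in this reply (submit the form to the script that renders it, so no redirect and no referrer are involved) combined with the two earlier points about not putting user input directly into queries and not storing passwords in clear, as an added example that is not code from the thread. It assumes a `users(username, password_hash)` table and placeholder DSN/credentials in `db()`; the `$lang` array and the text-input username (instead of the thread's one hidden field per user) are my own choices.

```php
<?php
// Added example (not code from the thread): a login page that submits to itself.
// The outcome is kept in a local variable and rendered in the same request, so there is
// no redirect, no $_SERVER['HTTP_REFERER'] and no status passed through the URL.
// Assumptions (placeholders, not from the thread): a table
//   users(username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255))
// and the DSN/credentials in db().
declare(strict_types=1);

// Message texts keyed by outcome (constructed here; the thread's $lang is assumed to look similar).
$lang = [
    'SUCCESS'            => 'Login successful.',
    'PASSWORD_INCORRECT' => 'Username or password is incorrect.',
];

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=practice;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Registration side: store only a salted hash, never the password itself.
function storeUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: returns the outcome key. One generic failure message covers both
// "no such user" and "wrong password", so the form does not reveal which usernames exist.
function checkLogin(PDO $db, string $username, string $password): string
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);          // bound parameter: the value is never spliced into the SQL
    $hash = $stmt->fetchColumn();

    // Verify against a dummy hash when the user is unknown so both paths take similar time.
    $stored = ($hash === false) ? $dummyHash : (string) $hash;
    $ok = password_verify($password, $stored) && $hash !== false;

    return $ok ? 'SUCCESS' : 'PASSWORD_INCORRECT';
}

// Escape anything echoed back into the page.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$message  = null;
$username = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submitLogin'])) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $message  = $lang[checkLogin(db(), $username, $password)];
}
?>
<!doctype html>
<div class="divBlock">
<?php if ($message !== null): ?>
  <div class="error"><?= e($message) ?></div>
<?php endif; ?>
  <form name="doStuff" method="post" action="">
    <input type="text" name="username" value="<?= e($username) ?>" />
    <input type="password" name="password" />
    <input type="submit" name="submitLogin" value="Log in" />
  </form>
</div>
```

With `action=""` the browser posts back to the same URL, so the message is shown by the request that checked the password and nothing has to be carried in the query string; the `error` div only exists when `$message` was set during this request, so an old result cannot linger in the URL bar.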

 

 

 

I have rewritten the script here in a simple format using mysql_*; I am going to stay with it for a while, and I am not using escape_strings as it is just practice, not anything production.

 

What do you practice then? Writing bad, obsolete code?  ::)

Forgiving you all the laziness in your coding practices to date, I ask "What happens when password <> savedpassword"? You don't go that far, but that seems to be the problem.

 

1 - don't use MySQL.  Stop trying to learn it.

2 - Always sanitize user input and don't use it directly in queries.

3 - Don't save a password value in a db without encrypting it.

 

And a personal tip: Since PHP is a case-sensitive language, try not to use both upper- and lower-case letters in your var names. It will only cause you trouble as you go on when you accidentally mistype a name and then have to figure out why your code isn't working. Stick to all lowercase.

Thanks for the tip, brother. Humbly answering,

1. I have started learning mysqli_*, which I personally prefer over PDO, mysqli_* being almost similar in syntax and able to get into my (nowadays) rusted-out mind.

2. I have learnt about sanitizing, but since I am writing code on a local XAMPP server, I don't feel it necessary to use it at the moment. (no offence)

3. I usually use an MD5 hash for passwords, but this code was, as I said, just a hint of what I was facing in processing.

4. If password <> savedPassword, the "else" section will handle this. Or shall I use "xor" for such a comparison?

5. I am very much used to writing variables in camel format (ever since I started learning programming), so this is not an issue for me that I will miss :/ (just saying)

 

What do you practice then? Writing bad, obsolete code?  ::)

Let me confess that I am a messy, lazy a$$ programmer who doesn't even know anything about OOP; even after practicing it for a little while, I don't even know how the so-called example "setName" and "getName" functions work. Well, I am trying hard,

 

1. to get organized

2. build patterns in coding

3. let's start learning mysqli and start moving to an OOP approach rather than messy programming.

 

If you ever saw my style of writing... if you require, I can pass you this whole script for you to take a look, but nothing will happen, and I will find you one day looking for me with a chainsaw in your hands.. lolzz..

 

Edit: The problem has always been that I never went to any school or college to learn programming. It was my passion, and has been ever since I used to bunk school and sit in an internet cafe reading the sources of HTML pages back in 2000 so I could learn something off them.. then I moved to PHP... and dug my way out real slow with online tutorials and finally landed here with you guys. So before I offend you with my non-pro style of writing, just think once that I have been able to learn with minimal resources and it is my passion that brought me this far... and will take me forward :)

Edited by Digitizer

Might be time to invest in a modern PHP programming book that covers the whole range of php programming.  Perhaps one that includes sql too so that you may see how to safely build query statements.  Check out the bookstores near you for some titles and then post them here for some reaction, if you can.  Or maybe this post will trigger some recommendations immediately.

 

The reason we are all suggesting that you do things differently is to enforce some good practices upon you - which you yourself state that you wish to do too.  So Do It!

 

IMHO - I think that PDO is the way to go. #1 - it is not that hard to pick up - there are some very good examples in the PHP manual. #2 - once I did it I started to read posts that informed me that it is a more generalized db interface that can work with non-MySQL systems. Big plus! Make sure that you write your db connection code in its own little script and then simply include that with a dbname as a parameter to be able to use it in all your future scripts. (The include will connect using your universal uid/pswd as well as do a select of your db.)

 

You may not have the credentials of a 'school/university' diploma but you are making inroads on a technology all by yourself.  Keep going as you are ( or faster) and who knows what you can do?

Edited by ginerjm
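The connection include described in the post above (one script holding the uid/pswd, called with the dbname as a parameter), written out as an added example that is not code from the thread. The constant names, the `connectDb()` function and the credentials are placeholders of my own; the `thanksginerjm` database name in the usage comment is the one used later in the thread.

```php
<?php
// Added example (not code from the thread): a reusable connection include.
// Save as db.php, require it, then call connectDb('yourdbname'). Host, user and
// password live in this one file (placeholders below); callers never handle them.
declare(strict_types=1);

// Placeholder credentials; in practice read them from a file outside the web root.
const DB_HOST = 'localhost';
const DB_USER = 'dbuser';
const DB_PASS = 'dbpass';

function connectDb(string $dbname): PDO
{
    // Validate the name so a caller cannot smuggle extra DSN options into the string.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbname)) {
        throw new InvalidArgumentException('Invalid database name');
    }

    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, $dbname);

    try {
        return new PDO($dsn, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,   // errors throw instead of failing silently
            PDO::ATTR_EMULATE_PREPARES   => false,                    // native prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    } catch (PDOException $e) {
        // The exception message (and a printed trace) can contain the DSN and the
        // database user: record it server-side and give the caller a generic error.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    }
}

// Usage from any script:
//   require __DIR__ . '/db.php';
//   $db   = connectDb('thanksginerjm');
//   $stmt = $db->prepare('SELECT name, msg FROM thethanks WHERE name = ?');
//   $stmt->execute([$name]);   // value bound as a parameter, never concatenated into the SQL
```

Because the include throws a generic `RuntimeException` rather than printing the `PDOException`, a failed connection on a public server shows nothing about the host, database or user; the detail goes to the PHP error log where only the administrator reads it.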

@ginerjm: Thanks a lot, my friend. Your post really became something I can't just explain... I will do PDO, and I will do it fast and I will do it organized... and when I step up in proficiency levels, the credit will go to you :)

try{
   $db = new PDO("mysql:host=localhost;dbname=thanksginerjm;charset=utf8", 'itsMe','mypass');
   $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $exp){
   // Log the detail server-side; printing $exp would expose the DSN and credentials in the trace
   error_log($exp->getMessage());
   exit('Database connection failed');
}

$name = 'ginerjm';
$msg = 'Thanks Man';

// Send thanks (prepared statement, so the values are never part of the SQL text)
$insert = $db->prepare("INSERT INTO thethanks(name,msg) VALUES (?, ?)");
$insert->execute(array($name, $msg));

// Receive Thanks
$getData = $db->query("SELECT * FROM thethanks");
// rowCount() is not guaranteed for SELECT statements in PDO; count the fetched rows instead
$rows = $getData->fetchAll(PDO::FETCH_ASSOC);
echo $countRows = count($rows);
foreach($rows as $row){
   echo "Received by " . $row['name'] . ": " . $row['msg'];
}

This is dedicated to you, my first ever code after basic practice.

Edited by Digitizer