Keeping form elements in place after redirect

Discussion in 'HTML' started by Chris, Nov 21, 2007.

  1. Chris

    Chris Guest

    I have a form that is processed by a php page and then redirected by
    the same php page back to the form page again.

    After the page has redirected back it clears the data entered in the
    form's textfield and combo selections. Is there a simple way of
    maintaining the user's text/selections after the form has been
    redirected?

    Cheers,

    Chris
     
    Chris, Nov 21, 2007
    #1

  2. Chris wrote (a question for a php group):
    ...as you would do if there were errors or omissions in the filled-in
    form.
    You have to send back the values and re-display them.

    Example:
    $contactname = $_POST['contactname'];
    $email = $_POST['email'];

    ........

    <div>
    <p>Your name:</p>
    <label><input type="text" name="contactname" size="30"
    value="<?php echo "$strcontact";?>"></label>
    </div>
    <div>
    <p>Your email address:</p>
    <label><input type="text" name="email" size="30"
    value="<?php echo "$stremail";?>"></label>
    </div>
     
    Beauregard T. Shagnasty, Nov 21, 2007
    #2

  3. Chris

    Bone Ur Guest

    Well bust mah britches and call me cheeky, on Wed, 21 Nov 2007 19:57:57 GMT
    Chris scribed:
    Use session variables, but do so carefully.
     
    Bone Ur, Nov 22, 2007
    #3
  4. Gazing into my crystal ball I observed Chris
    <matchett123@googlemail.com> writing in @c30g2000hsa.googlegroups.com:
    Is the form posting to itself? If it is, you _should_ have those values
    already available, and just show them. If not, then you are going to
    have to put those values into a querystring or session variables, and
    read them that way. A form posting to itself, and not _redirecting_ to
    itself is a lot easier.
     
    Adrienne Boswell, Nov 22, 2007
    #4
  5. Absolutely.

    <form id="frmcontact" method="post" action="<?php echo
    $_SERVER['PHP_SELF']?>">
     
    Beauregard T. Shagnasty, Nov 22, 2007
    #5
  6. Chris

    BootNic Guest

    $_SERVER['SCRIPT_NAME'] would be a better option over $_SERVER['PHP_SELF']
     
    BootNic, Nov 22, 2007
    #6
  7. I see they return identical results. Is there a reason you think
    SCRIPT_NAME is better? I'm willing to listen, though I've been using
    PHP_SELF for many years.

    http://us3.php.net/reserved.variables

    'PHP_SELF'
    The filename of the currently executing script, relative to the document
    root. For instance, $_SERVER['PHP_SELF'] in a script at the address
    http://example.com/test.php/foo.bar would be /test.php/foo.bar. The
    __FILE__ constant contains the full path and filename of the current
    (i.e. included) file.

    'SCRIPT_NAME'
    Contains the current script's path. This is useful for pages which need
    to point to themselves. The __FILE__ constant contains the full path and
    filename of the current (i.e. included) file.
     
    Beauregard T. Shagnasty, Nov 22, 2007
    #7

  8. http://www.google.com/search?hl=en&...ult&cd=1&q=PHP_SELF+xss+vulnerability&spell=1
    PHP_SELF xss vulnerability - Google Search
     
    Jonathan N. Little, Nov 22, 2007
    #8
  9. Chris

    BootNic Guest

    They may return the same results under some conditions.

    Jonathan has given a link for more information. He has also given an
    example in another thread

    http://groups.google.com/group/alt.html/browse_thread/thread/91253a1c3a5844ff

    http://groups.google.com/group/alt.html/msg/b6e9aebddbae21b3
    http://example.com/test.php/foo.bar would return
    /test.php
     
    BootNic, Nov 22, 2007
    #9
  10. Most of the remarks there seem to refer to Wordpress. Is that the only
    place the vulnerability exists?

    One page said to append: /"><script>alert(1)</script>
    to your URL. "If you receive a JavaScript popup your template is
    vulnerable to this attack." None of my sites return a popup. Should I
    worry? (No Wordpress in use.)
     
    Beauregard T. Shagnasty, Nov 22, 2007
    #10
  11. Ah yes. I remember that now. Thanks.
     
    Beauregard T. Shagnasty, Nov 22, 2007
    #11
  12. No, it is PHP specific. But it also depends on the server security
    settings and magic-quotes. But if you use SCRIPT_NAME you will only get
    the script name and not anything trailing as with PHP_SELF. That way if
    some other clever bastard finds a way around the escaping of the trailing
    bits it would matter because SCRIPT_NAME doesn't parse it...
     
    Jonathan N. Little, Nov 22, 2007
    #12
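
A self-posting form that keeps the user's entries, as discussed across the thread, written as an added example that is not part of any post above: it uses SCRIPT_NAME for the action and escapes every redisplayed value. The field names follow post #2; the e() helper, the topic list and PHP 7 or later are assumptions.

```php
<?php
// Added example: sticky self-posting form. Field names follow post #2;
// the helper e() and the $topics list are assumptions made for this sketch.

// Escape a value for use in HTML text or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$topics = ['sales' => 'Sales', 'support' => 'Support'];   // constructed options

// Read submitted values; anything that is not a string (e.g. an array
// sent as contactname[]=x) is treated as empty.
$contactname = is_string($_POST['contactname'] ?? null) ? trim($_POST['contactname']) : '';
$email       = is_string($_POST['email'] ?? null) ? trim($_POST['email']) : '';
$topic       = is_string($_POST['topic'] ?? null) ? $_POST['topic'] : '';

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if ($contactname === '') {
        $errors[] = 'Please enter your name.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (!array_key_exists($topic, $topics)) {
        $errors[] = 'Please choose a topic.';
    }
    // On success, process the data and redirect here; on failure fall through.
}
?>
<?php foreach ($errors as $msg): ?>
<p><?php echo e($msg); ?></p>
<?php endforeach; ?>
<!-- SCRIPT_NAME excludes trailing path info such as /test.php/foo.bar -->
<form id="frmcontact" method="post" action="<?php echo e($_SERVER['SCRIPT_NAME']); ?>">
<p>Your name:</p>
<input type="text" name="contactname" size="30" value="<?php echo e($contactname); ?>">
<p>Your email address:</p>
<input type="text" name="email" size="30" value="<?php echo e($email); ?>">
<select name="topic">
<?php foreach ($topics as $key => $label): ?>
<option value="<?php echo e($key); ?>"<?php echo $key === $topic ? ' selected' : ''; ?>><?php echo e($label); ?></option>
<?php endforeach; ?>
</select>
<input type="submit" value="Send">
</form>
```

Because the form posts to itself and only redirects after a successful submission, the entered values are still in $_POST whenever the form has to be shown again.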