PHP $_POST[] not void after redirect
I'm opening myself to honest critizism and sugggestions.
The issue is with the function $_POST[void] being valid after a redirect. Quotes.add.php is a form that directs to quotes.done.php, submitted to mysql and redirected back to quotes.add.php with an echo $msg and reset to be filled out again.
Is header(); the best m开发者_如何学Cethod in this case?quotes.done.php
else{
include 'data.php';
$query = "INSERT INTO quotes (`id`, `quotes`, `artist`, `date`) VALUES ('null', '$_POST[text]', '$_POST[artist]', 'null')";
$result = mysql_query($query) or die (mysql_error());
$_POST['void'] = "$_POST[artist] Was Added Successfully to database";
unset ($_POST['artist']);
//var_dump($_POST['void']);
//exit;
header ("location: quotes.add.php");
exit;
}
quotes.add.php
if (isset($_POST['void'])) {
$msg = $_POST['void'];
}else{
$msg = "Please insert artist";
}
If you do a redirect i think you have to use $_SESSION. I'd do:
session_start();
$_SESSION['msg'] = "$_POST[artist] Was Added Successfully to database";
header ("location: quotes.add.php");
exit;
and then
session_start();
if (isset($_SESSION['msg'])) {
$msg = $_SESSION['msg'];
unset($_SESSION['msg'];
}else{
$msg = "Please insert artist";
}
This is the clean, proper, and secure way to do it:
quotes.done.php
<?php
else{
include 'data.php';
// escape the input, to avoid SQL injection
$text = mysql_real_escape_string($_POST['text']);
$artist = mysql_real_escape_string($_POST['artist']);
$query = "INSERT INTO quotes (`id`, `quotes`, `artist`, `date`) VALUES ('null', '{$text}', '{$artist}', 'null')";
$result = mysql_query($query);
// always set your variables to a default value
$success = false;
// did the query execute successfully?
if($result){
$success = true;
}
header('Location: quotes.add.php?result=addedquote&artist='.urlencode($_POST['artist']).'&success='.urlencode($success));
exit;
}
?>
quotes.add.php
<?php
$msg = '';
if(isset($_GET['result']) && $_GET['result'] == 'addedquote') {
$artist = htmlentities(urldecode($_GET['artist']), ENT_QUOTES, 'UTF-8', false);
$success = (bool) urldecode($_GET['success']);
if($success){
$msg = "$artist Was Added Successfully to database";
} else{
$msg = "Failed to Add $artist to database";
}
} else{
$msg = "Please insert artist";
}
?>
A couple of things for you to note here:
If you are not using a wrapper for running your db queries with prepared parameterized statements, you should use at least
mysql_real_escape_string()
to remove the nasty stuff in order to prevent SQL injection.As noted by others
header()
will do aGET
request, hence why you are not getting the$_POST[void]
on the page you are redirecting. That's why you will use variables on your url to transfer them to the redirected page, and then fetch them with$_GET
.$_POST[somename]
and$_POST['somename']
are two different things. They will work, because PHP will try to see if there is a constant namedsomename
, if there isn't one, you are lucky, but if there is one, then all sky falls down.
If you want to keep the $_POST variables, don't redirect. A redirect causes the client's browser to re-request the page with only $_GET params.
Save the record to the database. Get the new record ID, redirect to a page and pass in the ID. Then use the ID to fetch and display the record.
Redirecting will not POST a value to the page. You could use session or GET.
$message = urlencode("$_POST[artist] Was Added Successfully to database");
header ("location: quotes.add.php?message=" . $message);
On your quotes.add.php page
echo $_GET['message'];
精彩评论