PHP $_POST[] not void after redirect

I'm opening myself to honest critizism and sugggestions.

The issue is with the function $_POST[void] being valid after a redirect. Quotes.add.php is a form that directs to quotes.done.php, submitted to mysql and redirected back to quotes.add.php with an echo $msg and reset to be filled out again.

Is header(); the best m开发者_如何学Cethod in this case?

quotes.done.php

else{
    include 'data.php';
    $query = "INSERT INTO quotes (`id`, `quotes`, `artist`, `date`) VALUES ('null', '$_POST[text]', '$_POST[artist]', 'null')"; 
    $result = mysql_query($query) or die (mysql_error());

    $_POST['void'] = "$_POST[artist] Was Added Successfully to database";   
    unset ($_POST['artist']);       

    //var_dump($_POST['void']);
    //exit;             
    header ("location: quotes.add.php");
    exit;   
} 

quotes.add.php

if (isset($_POST['void'])) {
    $msg = $_POST['void'];  
}else{
    $msg = "Please insert artist";      
}   

If you do a redirect i think you have to use $_SESSION. I'd do:

session_start();
$_SESSION['msg'] =  "$_POST[artist] Was Added Successfully to database";
header ("location: quotes.add.php");
exit;  

and then

session_start();
if (isset($_SESSION['msg'])) {
    $msg = $_SESSION['msg'];  
    unset($_SESSION['msg'];
}else{
    $msg = "Please insert artist";      
}    

This is the clean, proper, and secure way to do it:

quotes.done.php

<?php
else{
    include 'data.php';

    // escape the input, to avoid SQL injection
    $text   =   mysql_real_escape_string($_POST['text']);
    $artist =   mysql_real_escape_string($_POST['artist']);

    $query  = "INSERT INTO quotes (`id`, `quotes`, `artist`, `date`) VALUES ('null', '{$text}', '{$artist}', 'null')";
    $result = mysql_query($query);

    // always set your variables to a default value
    $success = false;

    // did the query execute successfully?
    if($result){
        $success = true;
    }

    header('Location: quotes.add.php?result=addedquote&amp;artist='.urlencode($_POST['artist']).'&amp;success='.urlencode($success));
    exit;
}
?>

quotes.add.php

<?php
$msg = '';
if(isset($_GET['result']) && $_GET['result'] == 'addedquote') {
    $artist     =   htmlentities(urldecode($_GET['artist']), ENT_QUOTES, 'UTF-8', false);
    $success    =   (bool) urldecode($_GET['success']);
    if($success){
        $msg = "$artist Was Added Successfully to database";
    } else{
        $msg = "Failed to Add $artist to database";
    }
} else{
    $msg = "Please insert artist";      
}
?>

A couple of things for you to note here:

1. If you are not using a wrapper for running your db queries with prepared parameterized statements, you should use at least mysql_real_escape_string() to remove the nasty stuff in order to prevent SQL injection.

2. As noted by others header() will do a GET request, hence why you are not getting the $_POST[void] on the page you are redirecting. That's why you will use variables on your url to transfer them to the redirected page, and then fetch them with $_GET.

3. $_POST[somename] and $_POST['somename'] are two different things. They will work, because PHP will try to see if there is a constant named somename, if there isn't one, you are lucky, but if there is one, then all sky falls down.

If you want to keep the $_POST variables, don't redirect. A redirect causes the client's browser to re-request the page with only $_GET params.

Save the record to the database. Get the new record ID, redirect to a page and pass in the ID. Then use the ID to fetch and display the record.

Redirecting will not POST a value to the page. You could use session or GET.

$message = urlencode("$_POST[artist] Was Added Successfully to database");
header ("location: quotes.add.php?message=" . $message);

On your quotes.add.php page

echo $_GET['message'];