
issue with form method get on next page, would like for people to not see the initial page unless they hit the submit button

I have two PHP files.

The first is called "file1.php":

<form action="file2.php" method="get">
<input type="hidden" name="price" value="50">
<input type="hidden" name="id" value="1">
<input type="submit" border="0" name="submit" value="Buy Now">
</form>

The second is called "file2.php":

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="text" id="id" name="id" value="<?php echo $_GET["id"]; ?>" alt="<?php echo $_GET["price"]; ?>" readonly="readonly" />
</form>

Now here's my issue:

Some people may look at the source of the page on file1.php and try visiting file2.php. I would want them to be automatically redirected to file1.php or not be able to see file2.php UNLESS they have clicked the submit button from file1.php.

Also some people might try erasing the data that was sent from the GET method from the previous page (file1.php), to be able to view file2.php. Is there a way to block this from happening? I wouldn't want it to show a 404 error, but simply redirect the person to the file1.php page unless they click on one of the submit buttons from file1.php, as there are many forms.


I believe this might have something to do with PHP require to be placed on file2.php, but not quite sure how to get it working properly.

Any ideas?


EDIT (below)

Thank you everyone so far for all your help and advice.

Alright, so everything seems to be working now using the form method POST. However, to get this working, we must list all variables for each template. Each template has 4 variables: 2 IDs and 2 prices. For example:

$T900_0001_R_ID = "#900-0001 - Regular"; 
$T900_0001_R = 75; 
$T900_0001_E_ID = "#900-0001 - Exclusive"; 
$T900_0001_E = 500; 

Now, my next question is: how do we convert this code to use a MySQL database instead, as there will be hundreds, and maybe thousands, of templates to be sold within just the next few weeks?


See the updated files that are working (without MySQL):

file1.php:

<?php
$T900_0001_R_ID = "#900-0001 - Regular"; 
$T900_0001_R = 75; 
$T900_0001_E_ID = "#900-0001 - Exclusive"; 
$T900_0001_E = 500; 

echo "<form action='test2.php' method='post'><input type='hidden' name='template_price' value='" . $T900_0001_R . "'><input type='hidden' name='template_id' value='" . $T900_0001_R_ID . "'><input type='submit' class='buynow' border='0' name='submit' value='Buy Regular'></form>";
?>

file2.php:

<?php
$T900_0001_R_ID = "#900-0001 - Regular"; 
$T900_0001_R = 75; 
$T900_0001_E_ID = "#900-0001 - Exclusive"; 
$T900_0001_E = 500; 

echo "<form><input type='text' id='template_id' name='template_id' value='" . $_POST["template_id"] . "' alt='" . $_POST["template_price"] . "' readonly='readonly' class='input-text sum' /></form>";
?>


People might do a lot of things. They might take the values from file1.php and POST them. Or POST things to try to break your program.

The best thing you can do is validate your parameters to make sure they have the values you expect before you execute various commands.

In your example you could validate that price is a number:

if( isset($_POST['price'] ) && is_numeric($_POST['price'] ) ) {
     // process
}
else {
    //redirect to file1.php or show an error
}

However it does look like you're posting the price of an item through the form. If you're worried about someone viewing the source, why aren't you worried about someone changing the value of the price? It's a trivial thing to do. My code above wouldn't prevent it. You'd have to check to make sure the posted price is the actual price of the item, but if you're doing that why do you need to post it from the form in the first place?


So check for submit (I would advise switching the method on file1.php to post).

In file2.php:

if (count($_POST)) { // 0 is false, any other number true
   //do stuff
}
else {
   header('Location: file1.php');
   exit; // stop the script so nothing is output after the redirect header
}


I would make the first page a post, then on the second file check the post:

if (isset($_POST['id'], $_POST['price'])) { // isset takes several variables; isset($a && $b) is invalid
    // Display second form
} else {
    header('Location: http://www.example.com/');
    exit;
}


At the top of file2.php:

<?php

if (!isset($_GET['id']) || !isset($_GET['price'])) { // redirect if either value is missing
    header('Location: file1.php');
    die();
}

?>

On the edit

Apart from the fact that I don't like questions being edited in an entirely different direction, you first have to create a database table. It will look like:

ID  type  price
 1   e    500
 1   r     75
 2   e    250
 2   r     50
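A file2.php that ties the answers together, as an added example that is not part of any post here: it requires a POST, validates the id and type, reads the price from the templates table sketched above instead of from a hidden field, and redirects to file1.php otherwise. The PDO DSN, the credentials and checkout.php are assumed placeholders.

```php
<?php
// file2.php, added example (not the answerer's code): take only the template id
// and type from the POST, look the price up server-side, redirect otherwise.
// Assumed: a PDO connection and a table `templates(id, type, price)` as sketched
// above; the DSN/credentials and checkout.php are placeholders.

// Nothing posted, or the expected fields are missing: back to file1.php.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['id'], $_POST['type'])) {
    header('Location: file1.php');
    exit;
}

// Check the shape of the inputs before touching the database.
$id   = filter_var($_POST['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$type = $_POST['type'];
if ($id === false || !in_array($type, ['r', 'e'], true)) {
    header('Location: file1.php');
    exit;
}

$pdo = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// The price is read from the table, never from a hidden field, so editing the
// form in file1.php cannot change what the buyer is charged.
$stmt = $pdo->prepare('SELECT price FROM templates WHERE id = :id AND type = :type');
$stmt->execute([':id' => $id, ':type' => $type]);
$price = $stmt->fetchColumn();

if ($price === false) { // unknown template: treat it like a missing parameter
    header('Location: file1.php');
    exit;
}

// Escape everything echoed back so the values cannot inject markup.
$e = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
$label = $e($id . ' - ' . ($type === 'e' ? 'Exclusive' : 'Regular'));

// The price field is display only; checkout.php should repeat the lookup
// from the posted id/type rather than trust template_price.
echo '<form action="checkout.php" method="post">'
   . '<input type="hidden" name="id" value="' . $e((string) $id) . '" />'
   . '<input type="hidden" name="type" value="' . $e($type) . '" />'
   . '<input type="text" name="template_id" value="' . $label . '" readonly="readonly" />'
   . '<input type="text" name="template_price" value="' . $e((string) $price) . '" readonly="readonly" />'
   . '<input type="submit" value="Continue" /></form>';
```

With this layout file1.php only needs to post the id and type of the template chosen, and the per-template price variables from the edit are replaced by rows in the table.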
