
Forcing user to new page in php. (PHP newbie)

Hello, I'm a newbie web programmer. My background is writing Windows applications with SQL.

I'm putting together my 1st data entry screens in Php.

I have a search form that links to a form that displays records in a grid. On each row of the grid I have a delete url to allow the user to remove a record. This links to a form delete.php (which calls the sql to remove the record).

Ideally I would like to automatically take the user back to the search form rather than forcing the user to click on a link to do so.

I have used ob_start with the header to do this elsewhere but cannot get it to work on this page. Is there another way to do it?

(Using php 5 as part of LAMP) file delete.php

<?php 
$id = $_GET['recordID'];
//ob_start();
require_once('connections/local.php'); 

mysql_select_db($database_local, $local);

mysql_query("DELETE FROM user_access WHERE id = {$id}") or die(mysql_error());
echo("Record ".$id." deleted");
echo("<br>");
//header("location:http://localhost/search7.htm);
//ob_flush();
echo("<a href=\"http://localhost/search7.htm\">Search for Members</a>");

?>


Firstly you've got a SQL injection problem. Always sanitize your form input:

$id = mysql_real_escape_string($_GET['recordID']);

Second, you can use the header() method to redirect the user:

header('Location: http://localhost/search7.htm');

but you can only do this if you haven't sent any output to the user. For this reason you'll often see people using output buffers to give them the option of doing an HTTP redirect. For this reason I find a function like this helpful:

function redirect($url) {
  // discard every active output buffer so nothing has been sent yet
  // (ob_get_level() is 0 once no buffer remains; calling ob_end_clean()
  // with no buffer left raises a notice)
  while (ob_get_level() > 0) {
    ob_end_clean();
  }
  header("Location: $url");
  exit;
}

So you can then do this:

<?php
ob_start();
echo "...some html...";
header('Location: /new/url.html'); // this will fail
redirect('/new/url.html'); // this will succeed
...

If you want to display a page temporarily try outputting something like this:

<html>
<head>
  <meta http-equiv="refresh" content="15; url=http://localhost/search7.htm">
  <title>Delete Record</title>
</head>
<body>
  <p>You have deleted a record.</p>
  <a href="http://localhost/search7.htm">&lt;&lt;&lt; Back</a>
</body>
</html>

This will automatically redirect the user back after 15 seconds if they don't click the back link before then.
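Putting the two halves of this answer together, here is an added example (my own code, not part of the original answer) of a redirect helper that first discards any buffered output so the Location header can still be sent, and falls back to the meta-refresh approach when output has already reached the client. The function name redirect_to and the trailing usage lines are assumptions for illustration.

```php
<?php
// Added example: redirect helper with a meta-refresh fallback.
// Assumes PHP 7+; redirect_to() is a hypothetical name, not a built-in.
function redirect_to(string $url, int $status = 302): void
{
    // Drop every active output buffer. ob_get_level() reports how many are
    // stacked; when it reaches 0 nothing buffered is left to be sent.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    if (!headers_sent($file, $line)) {
        // Safe to send an HTTP redirect: no bytes have gone to the client yet.
        // 302 is fine after a GET; use 303 after a POST so the browser re-requests with GET.
        header('Location: ' . $url, true, $status);
    } else {
        // Too late for headers (output was flushed from $file at $line):
        // fall back to an HTML refresh plus a plain link for clients that ignore it.
        $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        echo '<meta http-equiv="refresh" content="0;url=' . $safe . '">';
        echo '<p><a href="' . $safe . '">Continue</a></p>';
    }

    // Stop the script so nothing after the redirect is executed or emitted.
    exit;
}

// Usage (constructed): the echoed text never reaches the browser because the
// buffer is cleared before the Location header is sent.
ob_start();
echo "Record deleted";
redirect_to('http://localhost/search7.htm');
```

The headers_sent() check is what the accepted answer's helper lacks: when ob_start() was never called, the while loop has nothing to clear and header() would simply emit a warning and do nothing, leaving the user on a half-rendered page.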


When you send a Location header, there's no reason to echo anything to the browser, so you might as well exit() immediately:

<?php 
$id = mysql_real_escape_string($_GET['recordID']);
require_once('connections/local.php'); 
mysql_select_db($database_local, $local);

mysql_query("DELETE FROM user_access WHERE id = '$id'") or die(mysql_error());

header("Location: http://localhost/search7.htm");
exit();
?>

IMPORTANT: You are also vulnerable to SQL injection (fixed above via mysql_real_escape_string)


What was wrong with this line before you commented it?

//header("location:http://localhost/search7.htm);

That forces the browser off to another page. Two other options though (both go in <head>):

  • Javascript:

    <script type="text/javascript">document.location.href = "http://url";</script>
    
  • Meta refresh:

    <meta http-equiv="REFRESH" content="0;url=http://url" />
    


The code you have there should work, just like cletus suggested, but you need to put //header("location:http://localhost/search7.htm); before you echo/print anything (HTML code, PHP code, etc.) in your page, because otherwise it will mean that the headers were already sent. It's better explained here.


I recommend looking into an AJAX solution. That way you can delete the record without having to ever navigate away from the search page. A good JavaScript library will make the operation pretty simple, and it would be a fun and interesting project for someone new to web development.


Two possible improvements not mentioned in the previous answers:

  1. I would suggest using POST to process your database modifications instead of GET. That way you will avoid accidental deletions if someone has some kind of a web-accelerator installed (a program that pre-fetches web-pages by following / loading all links in a page).
  2. About the sql injection vulnerability problem; if you are talking about a numeric ID, I would use (int) $_GET['recordID'] or intval($_GET['recordID']) to make sure that the ID is an integer. No mysql_real_escape_string() needed.
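Combining this answer's two points (POST instead of GET, integer coercion of the id) with the redirect-then-exit pattern from the earlier answers, here is an added example of delete.php written the way I would ship it today. It is my code, not the asker's or any answerer's. It assumes PHP 7+ with PDO and that connections/local.php defines a PDO instance named $pdo (the original file used the mysql_* functions, which no longer exist in PHP 7); the prepared statement replaces mysql_real_escape_string entirely. The form markup in the comment shows how a grid row would submit the id.

```php
<?php
// delete.php (added example, assumptions noted above).
//
// Each grid row on the search page submits the id with POST instead of a link:
//
//   <form method="post" action="delete.php">
//     <input type="hidden" name="recordID" value="<?= (int)$row['id'] ?>">
//     <button type="submit">Delete</button>
//   </form>

require_once 'connections/local.php'; // assumed to create $pdo (PDO instance)
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 1. Refuse anything but POST, so prefetchers and crawlers that follow every
//    GET link on the page cannot delete records by accident.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 2. Coerce the id to an integer. Anything non-numeric becomes 0 and is
//    rejected, so no string from the client ever reaches the SQL text.
$id = (int)($_POST['recordID'] ?? 0);
if ($id <= 0) {
    http_response_code(400);
    exit('Invalid record id');
}

// 3. Even with an integer, bind it as a parameter rather than interpolating it;
//    the query shape is fixed and the value travels separately.
$stmt = $pdo->prepare('DELETE FROM user_access WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// 4. Redirect before any output has been produced, then stop. 303 tells the
//    browser to fetch the search page with GET, so a refresh does not
//    resubmit the deletion.
header('Location: http://localhost/search7.htm', true, 303);
exit;
```

Because nothing is echoed before header(), no output buffering is needed here at all; the buffering trick in the question only becomes necessary when a page has already started printing HTML.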