Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 7 of 7
  1. #1
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,108
    Thanks
    27
    Thanked 0 Times in 0 Posts

    Stripping off Fragment Identifier

    Here is a snippet from a Form on my Comments page...

    PHP Code:
        $survey "<form id=commentSurvey_{$subArr['commentID']} class='commentSurvey' action=\"#comment_{$subArr['commentID']}\" method='post'> 

    I added #comment_{$subArr['commentID']} to the action so if there is a data-entry error, the user is brought back to the exact place where the issue occurred.

    (Off-Topic: Yeah, I could use JavaScript, but chose not to so it is what it is...)

    Anyways, after the Form is submitted if the user hacked my hidden control and thus there is an invalid $reviewedCommentID, then I throw an error, which takes the user to an "outcome" page.


    The problem is that my Fragment Identifier from above is being tacked onto the end of my URL like this...

    Code:
    http://local.debbie/account/results.php#comment_7

    This is a concern because 1.) It is unsightly, and 2.) It is somewhat of a security risk since I am revealing the CommentID to the user.


    Is there any way to prevent the Fragment Identifier from my original POST from being tacked onto the URL after the redirect to my Outcome Page??

    Sincerely,


    Debbie

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,996
    Thanks
    79
    Thanked 4,433 Times in 4,398 Posts
    Why not ONLY add the #comment when there *IS* an error. Do it in PHP.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    New Coder
    Join Date
    Nov 2011
    Location
    Ratio, Logic
    Posts
    61
    Thanks
    3
    Thanked 6 Times in 6 Posts
    Check again this topic and than try to ask right question.

  • #4
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,108
    Thanks
    27
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Old Pedant View Post
    Why not ONLY add the #comment when there *IS* an error. Do it in PHP.
    I have no clue what you are saying...

  • #5
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,996
    Thanks
    79
    Thanked 4,433 Times in 4,398 Posts
    Since you are NOT doing JavaScript form validation, the only kind of error that can occur is one detected by your PHP code.

    So the PHP code can redirect the user to the current page *WITH* the appropriate #comment_xxxx attached to the base URL.

    How does it know WHICH #comment_xxxx to attach? Because you pass the xxxx in a hidden <form> field.

    Code:
    <form action=\"\" ... >
    <input type=\"hidden\" name=\"errorLocation\" value=\"#comment_{$subArr['commentID']}\" />
    ...
    </form>
    Then in your PHP code--*BEFORE* you output ANY HTML!--if you detect an error in the entry, just do
    header("Location: thisSamePage.php" . $_POST["errorLocation"])


    I don't use PHP, so this comes from just RTFM on my part. Assuming it works, you might try RTFM, too.
    Last edited by Old Pedant; 08-03-2014 at 09:56 PM.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #6
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,108
    Thanks
    27
    Thanked 0 Times in 0 Posts
    Old Pedant,

    When a user completes the Survey Form, the Fragment Identifier is added to the URL like this...

    Code:
    http://local.debbie/management/other/postage-meters-can-save-you-money#comment_3

    While validating the $_POST data - and before any output occurs - if there is an error, I would place some error codes in the $_SESSION, and then redirect as follows...

    Code:
    	// Redirect to Outcome Page.
    	header("Location: " . BASE_URL . "/account/results.php");

    So it seems strange to me that when the error page is displayed I see something like this...

    Code:
    http://local.debbie/account/results.php#comment_3

    I would NOT expect the Fragment Identifier to carry over to my Error Page when it was in no way passed by me in either the URL or by other means...


    Follow me?

    Sincerely,


    Debbie

    P.S. Since these types of errors should in theory never occur because other code (e.g. validation) would prevent the errors from happening, it isn't the end of the world. At the same time, I like to keep my URLs (and code) clean and working 100% right, so if I could figure this glitch out it would make me sleep better!

  • #7
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,996
    Thanks
    79
    Thanked 4,433 Times in 4,398 Posts
    Got me. Something strange in the way the php header() function works, I would guess. Pretty sure it doesn't happen with ASP's Response.Redirect, but not sure.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •