#1
  1. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    24
    Rep Power
    0

    Go back to original php page after insert


    Hi all.

    I have the 3 following php files (Lookup.php, LookupResults.php and convertjobtype.php).

    Lookup.php
    PHP Code:
    <?php
    header("Cache-Control: private, must-revalidate, max-age=0");
    header("Pragma: no-cache");
    header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // A date in the past

    // First we execute our common code to connect to the database and start the session
    require("common.php");

    if (!$_SESSION['user']) {
        header("Location: index.php");
        exit();
    }

    $smt1 = $db1->prepare('SELECT DISTINCT FieldSuperDataEntry.BuilderCommunityID,Builder, Community FROM BuilderCommunity INNER JOIN FieldSuperDataEntry ON BuilderCommunity.BuilderCommunityID = FieldSuperDataEntry.BuilderCommunityID   WHERE UserID = :user_id ORDER BY Builder, Community');

    $smt1->execute(array(':user_id' => $_SESSION['user']['userid']));

    $data1 = $smt1->fetchAll();

    $_SESSION['action_token'] = generate_secure_token();
    ?>

    <!DOCTYPE html>
    <head>
      <title>Web App</title>
      <meta http-equiv="content-type" content="text/html; charset=utf-8" />
      <link rel="stylesheet" href="style.css" type="text/css" />
      <link href="iphone-icon1.png" rel="apple-touch-icon">
      <script>

    function ReloadPage() {
    if ((/iphone|ipod|ipad.*os 6/gi).test(navigator.appVersion)) {
    window.onpageshow = function(evt) {
    if (evt.persisted) {
    document.body.style.display = "none";
    location.reload();
    }
    };
    }
    }    
    </script>
    </head>
    <body onload="ReloadPage()">
    <div class="wrapper">
        <div id="logo"></div>
        <form class="form4" action="LookupResults.php" method="post">
    <div class="formtitle4">Lookup</div>

                
               
                <div class="input3">
                     <div class="inputtext">Builder/Community:</div>           
                         <div class="inputcontent" ><select name="BuilderCommunity" id="BuilderCommunity" style="width: 250px"><option selected="selected"></option>    
                    
                    <?php foreach($data1 as $row) { printf("<option value='%s'>%s --- %s </option>", html_escape($row['BuilderCommunityID']), html_escape($row['Builder']), html_escape($row['Community'])); }?>
                         </select></div>
                    <br>
                    <br>
                    <br>
                 </div> 
                    <div class="inputtext">Lot:</div> 
                    <div class="inputcontent" ><input name="lot" id="lot" input type="text" />
                   
                    </div>
                    
                    <div class="inputtext">Block:</div>
                   <div class="inputcontent" >

                        <input name="block" id="block" input type="text" />

                    </div>
                   
             <div class="input nobottomborder">                
             </div>          
                            
                
            <input type="hidden" name="action_token" value="<?php echo html_escape($_SESSION['action_token']) ?>" />
     
         
                <div class="buttons" align = center>

                    <input class="button1"  type="submit" value="Lookup"/>
                    <input class="button1"  type="submit" formaction="Menu.php" value="Menu" /> 

            
                </div>


    </form>
    </body>
    </html>
    LookupResults.php

    PHP Code:
    <?php
    require("common.php");

    if (isset($_SESSION['user'])) {   // check session

        if (isset($_POST)) {  // This if statement checks to determine whether the form has been submitted. If it has, then the code is run, otherwise the form is displayed

            if (isset($_POST['action_token']) && isset($_SESSION['action_token']) && $_POST['action_token'] == $_SESSION['action_token']) {      // check request token

                $query = "SELECT DataEntryID, FieldSuperDataEntry.BuilderCommunityID, Builder, Community,Lot, Block,Latitude, Longitude,Type,jobtypedescription, UserID, CreateDate FROM FieldSuperDataEntry INNER JOIN BuilderCommunity ON FieldSuperDataEntry.BuilderCommunityID = BuilderCommunity.BuilderCommunityID INNER JOIN JobType ON JobType.jobtypeid = FieldSuperDataEntry.Type WHERE FieldSuperDataEntry.BuilderCommunityID = :buildercommunityid AND Lot = :lot AND Block = :block AND UserID = :userid ";

                $query_params = array(
                    ':buildercommunityid' => $_POST['BuilderCommunity'],
                    ':lot' => $_POST['lot'],
                    ':block' => $_POST['block'],
                    ':userid' => $_SESSION['user']['userid']
                );

                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);
                $data = $stmt->fetchAll();

                // unset the form token session variable
                unset($_SESSION['action_token']);

            }    // Close check request token
            else {        // possible CSRF attempt
                echo 'invalid submission';
                trigger_error('possible CSRF attack', E_USER_ERROR);
                exit;
            }

        }  // Close isset($_POST) if statement

    }  // Close check session

    $_SESSION['action_token1'] = generate_secure_token();

    ?>
    <!DOCTYPE html>
    <head>
      <title>Web App</title>
      <meta http-equiv="content-type" content="text/html; charset=utf-8" />
      <link rel="stylesheet" href="style.css" type="text/css" />
      <link href="iphone-icon1.png" rel="apple-touch-icon">
                     <script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false"></script>
                          <script type="text/javascript" src="js/map.js"></script>
      </head>
    <body>
                          
    <div class="wrapper">
        <div id="logo"></div>
        <form class="form4" action="convertjobtype.php" method="post">
    <div class="formtitle4">Slab/Dried In Lookup Form</div>

                
               
              <div class="input3">
                     <div class="inputtext">Builder:</div>           
                     <div class="inputcontent" >   
                        <?php  foreach($data as $row){ echo '<input type="text" name="builder" id="builder" value="' . html_escape($row['Builder']) . '">'; } ?>
                     </div>
                             
                     <div class="inputtext">Community:</div>           
                     <div class="inputcontent" >   
                        <?php  foreach($data as $row){ echo '<input type="text" name="community" id="community" value="' . html_escape($row['Community']) . '">'; } ?>
                     </div>
                             
                   <div class="inputtext">Lot:</div>
                   <div class="inputcontent" >
                        <?php  foreach($data as $row){ echo '<input type="text" name="lot" id="lot" value="' . html_escape($row['Lot']) . '">'; } ?>
                   </div>
                    
                   <div class="inputtext">Block:</div>
                   <div class="inputcontent" >
                        <?php  foreach($data as $row){ echo '<input type="text" name="block" id="block" value="' . html_escape($row['Block']) . '">'; } ?>
                   </div>
                                  
              </div>  
                
              <div class="input3">
                           <div class="inputtext">Job Type:</div>
                   <div class="inputcontent" >
                        <?php  foreach($data as $row){ echo '<input type="text" name="jobtype" id="jobtype" value="' . html_escape($row['jobtypedescription']) . '">'; } ?>
                   </div>
                   <?php if ($row['Type'] == 1) {
                   echo '<input class="button5"  type="submit" value="Convert to Dried In"/><p></p>'; } ?>
               
              </div>
                            
                <div id="map"></div>

                <div class="input nobottomborder"></div>
                
            <input type="hidden" name="action_token1" value="<?php echo html_escape($_SESSION['action_token1']) ?>" />
     
           <?php  foreach ($data as $row){
            // Carry the original row forward to convertjobtype.php as hidden fields
            echo ' <input type="hidden" name="DataEntryID" id="DataEntryID" value="' . html_escape($row['DataEntryID']) . '">';
            echo ' <input type="hidden" name="BuilderCommunityID" id="BuilderCommunityID" value="' . html_escape($row['BuilderCommunityID']) . '">';
            echo ' <input type="hidden" name="Lat" id="Lat" value="' . html_escape($row['Latitude']) . '">';
            echo ' <input type="hidden" name="Long" id="Long" value="' . html_escape($row['Longitude']) . '">';
            echo ' <input type="hidden" name="type" id="type" value="' . html_escape($row['Type']) . '">';
            echo ' <input type="hidden" name="UserID" id="UserID" value="' . html_escape($row['UserID']) . '">';
            echo ' <input type="hidden" name="CreateDate" id="CreateDate" value="' . html_escape($row['CreateDate']) . '">';
             }
    ?>
             
             
                <div class="buttons" align = center>

                    <input class="button1"  type="submit" formaction="Lookup.php" value="Search" /> 
                    <input class="button1"  type="submit" formaction="Menu.php" value="Menu" /> 

            
                </div>
         
                

    </form>
    </body>
    </html>
    convertjobtype.php

    PHP Code:
    <?php

    // First we execute our common code to connect to the database and start the session
    require("common.php");

    if (isset($_SESSION['user'])) {   // check session

        if (isset($_POST)) {  // This if statement checks to determine whether the form has been submitted. If it has, then the code is run, otherwise the form is displayed

            if (isset($_POST['action_token1']) && isset($_SESSION['action_token1']) && $_POST['action_token1'] == $_SESSION['action_token1']) {      // check request token

                $date = new DateTime();
                $date->setTimezone(new DateTimeZone('America/New_York'));
                $fdate = $date->format('Y-m-d H:i:s');

                $date2 = new DateTime();  // This date and time variable will be used to display it to the end user as 3:50 PM but it will be saved in the table as a 24 hour format in $fdate
                $date2->setTimezone(new DateTimeZone('America/New_York'));
                $fdate2 = html_escape($date2->format('m/d/Y h:i:s A'));

                $query = "
                    INSERT INTO JobTypeHistory (
                        DataEntryID,
                        BuilderCommunityID,
                        Type,
                        UserID,
                        OriginalDateTime
                    ) VALUES (
                        :dataentryid,
                        :buildercommunityid,
                        :type,
                        :originaluserid,
                        :originaldatetime
                    )
                ";

                $query_params = array(
                    ':dataentryid' => $_POST['DataEntryID'],
                    ':buildercommunityid' => $_POST['BuilderCommunityID'],
                    ':type' => $_POST['type'],
                    // ':userid' => $_SESSION['user']['userid'] ,
                    ':originaluserid' => $_POST['UserID'],
                    ':originaldatetime' => $_POST['CreateDate']
                );

                $stmt = $db->prepare($query);
                $result = $stmt->execute($query_params);

                /*** unset the form token session variable ***/
                unset($_SESSION['action_token1']);

                header('Location: LookupResults.php');
                exit();
            }
            else {        // possible CSRF attempt
                echo 'invalid submission';
                trigger_error('possible CSRF attack', E_USER_ERROR);
                exit;
            }

        }
    }
    ?>

    There are some cases where we want to convert the job type. When that happens, I want to be able to insert the original data into a history table (which I do in the convertjobtype.php file), but after that file runs, I want to be able to go back to the LookupResults.php that shows the original data. But I am unable to do so because when it gets to the line of code in the convertjobtype.php file:

    PHP Code:
    header('Location: LookupResults.php');       
    exit(); 
    instead of taking me back to the LookupResults.php page I get the error:
    invalid submission
    Fatal error: possible CSRF attack in /home/content/12/11231812/html/LookupResults.php on line 32

    which is the code:

    PHP Code:
    else {        // possible CSRF attempt
        echo 'invalid submission';
        trigger_error('possible CSRF attack', E_USER_ERROR);
        exit;
    }
    How can I get back to my LookupResults.php page where my original data is after I complete what needs to be done in convertjobtype.php? Note, convertjobtype.php runs correctly and inserts the data into the history table as it's supposed to.

    Thank you in advance.
  2. #2
  3. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,296
    Rep Power
    9400
    Given that LookupResults.php doesn't take any actions, I think it would be quite reasonable to make it accept values through $_GET and the URL rather than $_POST and a form. Then your redirect can provide the values in the URL that it redirects to.

    And if you do that you don't need to worry about CSRFs so that whole thing can go away.
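
The redirect approach suggested in reply #2, sketched as an added example that is not code from the thread or from either poster. The function names are hypothetical and `BuilderCommunityID` is assumed to be an integer key; the read-only lookup moves to `$_GET`, while the insert in convertjobtype.php keeps its token check because it still changes data.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// convertjobtype.php: build the redirect target from fields the
// LookupResults.php form already posts (BuilderCommunityID, lot, block).
function lookup_redirect_url(array $post): string
{
    // http_build_query() URL-encodes every value.
    return 'LookupResults.php?' . http_build_query([
        'BuilderCommunity' => (string) ($post['BuilderCommunityID'] ?? ''),
        'lot'              => (string) ($post['lot'] ?? ''),
        'block'            => (string) ($post['block'] ?? ''),
    ]);
}

// LookupResults.php: read the lookup keys from the URL. The page only runs
// a SELECT, so it needs no action token, but the UserID filter must still
// come from the session and never from the request.
function lookup_params_from_get(array $get, $sessionUserId): ?array
{
    foreach (['BuilderCommunity', 'lot', 'block'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key]) || $get[$key] === '') {
            return null; // missing or array-valued: show the search form
        }
    }
    if (!ctype_digit($get['BuilderCommunity'])) {
        return null; // assumption: BuilderCommunityID is an integer key
    }
    return [
        ':buildercommunityid' => (int) $get['BuilderCommunity'],
        ':lot'                => $get['lot'],
        ':block'              => $get['block'],
        ':userid'             => $sessionUserId,
    ];
}

// convertjobtype.php still changes data, so its token check stays.
// hash_equals() compares in constant time; is_string() rejects array input.
function action_token_ok(array $post, array $session): bool
{
    $sent   = $post['action_token1'] ?? null;
    $stored = $session['action_token1'] ?? null;
    return is_string($sent) && is_string($stored) && hash_equals($stored, $sent);
}

// Constructed sample values mirroring the form fields on the page.
$post = ['BuilderCommunityID' => '12', 'lot' => '7 A', 'block' => 'B&2'];
echo lookup_redirect_url($post), "\n";
var_dump(lookup_params_from_get(['BuilderCommunity' => '12', 'lot' => '7 A', 'block' => 'B&2'], 5) !== null);
```

In convertjobtype.php the success branch would end with `header('Location: ' . lookup_redirect_url($_POST)); exit();`, and LookupResults.php would pass the array from `lookup_params_from_get($_GET, $_SESSION['user']['userid'])` to `$stmt->execute()`.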
