0

I have looked at some of the other posts made on similar topics but I cannot follow what they are instructing.

Basically my problem is this, I want to redirect to the main log in page of my website after a successful password reset has happened.

Here is what I have so far:

if (isset($_POST['Resetpw'])) {
    // $query is assumed to hold the stored reset ticket, fetched earlier in the function
    if ($query == $_GET['token'] && $_POST['password'] == $_POST['confirmed_password']) {
        $passwordTest = $_POST['password'];

        // Username is concatenated straight into the SQL (the injection the comments point out)
        $result = mysql_query("SELECT `tempTicket` FROM users WHERE `username` = '" . $_POST['username'] . "' LIMIT 1;");
        $query = mysql_fetch_array($result);
        mysql_query("UPDATE users SET `tempPass` = '$passwordTest' WHERE `username` = '" . $_POST['username'] . "'");
        echo '<div class="success">Password successfully changed!</div> ';
        //header("Location: www.google.com");
        //exit;
    }
}

This is all within a function, the commented out part is where I want to redirect to my webpage.

So to wrap it up, can I force the function to redirect to the start page after a function finishes. I am using KISSMVC framework for this project if that matters.

Aziz Shaikh
Zach M.
  • 4
    Please stop writing new code with the ancient `mysql_*` functions. They are no longer maintained and community has begun the [deprecation process](http://news.php.net/php.internals/53799). Instead you should learn about prepared statements and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you care to learn, [here is a quite good PDO-related tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers). – Madara's Ghost Apr 30 '12 at 18:54
  • 1
    As long as there is no output before the function is called, there is no problem with doing what you want (i.e. remove the echo). Having said that, you should read about [SQL injection](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php). – cmbuckley Apr 30 '12 at 18:54
  • 1
    Oh no, SQL Injection! At least use `mysql_real_escape_string()`, or even better, switch to PDO as others suggested. Your code is insecure and fragile right now. – kapa Apr 30 '12 at 18:55

4 Answers

3

You should remove the echo before the redirect.

What you have commented out should work if you use the full path, e.g.: http://google.com.

Another thing: you should really drop the use of mysql_* functions (it will be deprecated in the future) and use either mysqli_* or PDO.

Yet another thing: your application is vulnerable to SQL injection.

Community
PeeHaa
  • Yes I am not in the stage of learning PHP to deal with SQL injections, I will be tackling those issues after I get this basic functionality down. Thank you for the quick response. I will be looking into this PDO in the near future as well. – Zach M. Apr 30 '12 at 19:02
  • Yet another thing: KISSMVC uses views, so you should not use `echo` in your function. – hakre Apr 30 '12 at 19:03
  • That echo calls up a bar at the top that can display a confirmation msg within a view, should I have somewhere in the view store the confirmation call and then use that in my controller? – Zach M. Apr 30 '12 at 19:08
2

First, I hope I don't need to go into depth about sanitizing your inputs before accessing the database with them.

I am unaware of the KISSMVC. But I am aware of how PHP and browser-server interactions happen. So I'll approach your question from that format.

I see two things here. One is that you want to give the user an alert when a transaction has successfully happened. That can be done dynamically with a redirect, but it depends on where you send them. If you send the user to a location that you have no control over (your example cited google.com) then you will have to deliver your alert (and your input) with javascript and ajax. The reason for this is because header redirects won't function if you sent some output to the user's browser already. So, you will need to implement some .js into your code that makes an AJAX call to a script that executes your code and returns a success/failure flag, which then triggers a message (of success/failure).

If you do have control of the content you are redirecting to, and you do not wish to touch any .js, you can redirect to an intermediary page that uses a variable that you created to hold the success/failure message, output it to the browser and a button that links to your next page after that with the data appended to the query string. All that can be done in php/MySQL.

Malovich
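The second option in the answer above (an intermediary page that shows a success message) can be done without putting the message in the query string, which would make the text attacker-controllable. The following is an added example, not KISSMVC code and not code from the answer or the question: it stores a one-shot "flash" message in the session before the redirect and escapes it on output. It assumes session_start() has already been called and uses https://example.com/login as a placeholder login URL.

```php
<?php
// Added example (not KISSMVC code, not from the answer): carry a success message
// across a redirect in the session instead of the query string, so the text cannot
// be supplied by a third party and is shown exactly once.
// Assumed: session_start() has been called; login URL is a placeholder.

function setFlash(string $message): void
{
    $_SESSION['flash'] = $message;
}

// Returns the pending message, HTML-escaped, and removes it from the session.
function takeFlash(): ?string
{
    if (!isset($_SESSION['flash'])) {
        return null;
    }
    $message = $_SESSION['flash'];
    unset($_SESSION['flash']);
    // Escape on output so a message can never inject markup into the view.
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Controller side: run after the password update succeeded and before any output.
function redirectWithSuccess(): void
{
    setFlash('Password successfully changed!');
    session_write_close();   // persist the flash before handing off to the browser
    header('Location: https://example.com/login', true, 303);
    exit;                    // nothing may be printed after the redirect
}

// View side (login page): returns the markup for the bar at the top, or '' if no message.
function renderFlash(): string
{
    $flash = takeFlash();
    if ($flash === null) {
        return '';
    }
    return '<div class="success">' . $flash . '</div>';
}

// Usage (constructed): the controller calls redirectWithSuccess(); the login view
// prints renderFlash() where the confirmation bar belongs.
```

Because the message is escaped in takeFlash(), the view can print the returned string as-is; the session write is closed explicitly so the flash is guaranteed to be on disk before the browser follows the 303.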
0

Yes, just get rid of the echo statement before it. You cannot echo anything to the screen before a header call.

You might also want to add some error handling so that you are really sure it was successful and switch to prepared statements to avoid sql injection.

jeroen
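Putting the advice from this answer and from PeeHaa's answer together (no output before the header, an absolute redirect URL, prepared statements instead of string concatenation, and a check that the update really happened), here is an added example. It is not code from either answer or from the question; it assumes a PDO connection in $pdo created with PDO::ERRMODE_EXCEPTION, the users/tempTicket/tempPass names from the question, and a placeholder login URL https://example.com/login.

```php
<?php
// Added example (not from the question or any answer): the reset handler rewritten
// with PDO prepared statements, a result check, and a redirect with no output before it.
// Assumed: a PDO connection in $pdo (ERRMODE_EXCEPTION), a `users` table with
// `username`, `tempTicket` and `tempPass` columns (names from the question), and a
// placeholder login URL.

function handlePasswordReset(PDO $pdo, array $post, array $get): void
{
    if (!isset($post['Resetpw'])) {
        return; // form not submitted
    }
    if (!isset($post['username'], $post['password'], $post['confirmed_password'], $get['token'])) {
        throw new RuntimeException('Missing form fields');
    }
    if ($post['password'] !== $post['confirmed_password']) {
        throw new RuntimeException('Passwords do not match');
    }

    // Look up the reset ticket with a bound parameter instead of string concatenation.
    $stmt = $pdo->prepare('SELECT tempTicket FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $post['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constant-time comparison so the check does not leak how many bytes matched.
    if ($row === false || !hash_equals((string) $row['tempTicket'], (string) $get['token'])) {
        throw new RuntimeException('Invalid or expired reset token');
    }

    // Store a password hash rather than the plaintext, and clear the ticket so it is single-use.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    $update = $pdo->prepare('UPDATE users SET tempPass = :hash, tempTicket = NULL WHERE username = :username');
    $update->execute([':hash' => $hash, ':username' => $post['username']]);

    // The error-handling point from the answer: confirm a row was actually updated.
    if ($update->rowCount() !== 1) {
        throw new RuntimeException('Password update failed');
    }

    // Nothing has been echoed, so the Location header can still be sent.
    // Use an absolute URL and stop the script so no further output follows.
    header('Location: https://example.com/login', true, 303);
    exit;
}

// Usage from the controller (constructed):
// handlePasswordReset($pdo, $_POST, $_GET);
```

The exceptions are where the controller would render an error view; the important property is that every failure path returns before the UPDATE, and the success path sends the header before anything is printed.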
0

Output Buffering

Everyone else here has said you can't echo anything before the header call (including whitespace). But that is in fact incorrect. If you use output buffering in the php.ini file for example to output buffer the entire page - then you are free to use header() ANYWHERE in the script (so long as the code does not manually flush it). http://php.net/manual/en/outcontrol.configuration.php

You want to set this in php.ini

output_buffering = On;

And then you can use header() anywhere in your code. Just remember that after a redirect, to use die() or exit() to prevent the PHP page carrying on execution after the redirect.

Without Output Buffering

You must NOT print anything to the browser including whitespace otherwise the headers have already been sent and can no longer be modified by PHP. Output buffering stops this as the entire generated page is sent in one go at the end of the script meaning headers are free to be changed anywhere in the script.

P.S.

As others have mentioned, your SQL is vulnerable to SQL injection and you should no longer be using mysql_* but instead switch to PDO or mysqli_* due to mysql_* being deprecated.

HenchHacker
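To make the buffering point concrete, here is an added example (not the answerer's code) showing both situations in one script: ob_start() is the per-script equivalent of output_buffering = On in php.ini, headers_sent() is the check that tells you whether the Location header can still be sent, and ob_end_clean() discards the buffered HTML so the redirect response carries no stray body. It assumes the script runs under a web SAPI with nothing sent before it, and uses a placeholder login URL.

```php
<?php
// Added example (not from the answer): the same redirect with and without an output buffer.
// Assumed: web SAPI, nothing sent before this script; the login URL is a placeholder.

function redirectAfterOutputWithBuffer(string $url): bool
{
    ob_start();   // same effect as output_buffering = On, but scoped to this script
    echo '<div class="success">Password successfully changed!</div>';

    if (headers_sent()) {   // false here: the echo is still sitting in the buffer
        return false;
    }
    ob_end_clean();         // throw the buffered HTML away; a 303 needs no body
    header('Location: ' . $url, true, 303);
    return true;            // caller must exit right after this
}

function redirectWithoutBuffer(string $url): bool
{
    // With no buffer active this echo goes to the client immediately,
    // and PHP has to send the headers along with it.
    echo '<div class="success">Password successfully changed!</div>';

    if (headers_sent()) {   // true: header() below would be ignored with a warning
        return false;
    }
    header('Location: ' . $url, true, 303);
    return true;
}

// Usage (constructed): pick one path; exit afterwards so nothing else is printed.
if (redirectAfterOutputWithBuffer('https://example.com/login')) {
    exit;
}
```

Checking headers_sent() before calling header() turns the silent "headers already sent" failure into something the code can act on, and ob_end_clean() is the step that makes buffering useful for redirects: without it the echoed markup would still be flushed at script end, just after the 303 headers.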