
I'm writing an application that allows users to upload reference letters for potential employees.

Every reference is sent an email containing a unique string at the end of the url. So, for example, an address would look similar to: www.mywebaddress?url=503241a20b5085_18720621.

To determine if the unique string is valid (i.e. exists in the database) I need to do a query search. However, when a reference attempts to access the URL he needs to answer a security question. So, I also need to check if the answer is valid, if he has previously uploaded, etc to determine what page to redirect him to.

But because of the query, my code requires the user to click "Submit" twice. This is really annoying, but I'm not sure how to fix it.

Here is a relevant excerpt of my code:

```php
if ( isset ($_GET['url']) ) {
    $query = "SELECT * FROM ref_info WHERE url='" . $_GET['url'] . "'";
    $result = $db->execute($query);
    if ( empty ($result) ) {
        //error message

    } else {
        $url = $_GET['url'];

        if ( $_SESSION['validated'] ) {
            if ( $result[0]['uploaded'] == 1 ) {
                $_SESSION['uploaded'] = true;
            } else {
                $_SESSION['uploaded'] = false;
            }

            include_once("process_upload.php");

        } else {
            if ( empty($result[0]['answer']) ) {
                include_once("security.php");

            } else {
                include_once("security_check.php");
            }
        }
    }
}
```

Is there anything I can do so that the form only needs to be submitted once?

Thanks in advance for any suggestions!!

nv39
  • use ajax for first query, and see if valid. – amitchhajer Aug 23 '12 at 13:18
  • Can you add a bullet-point workflow to this question? I'm not sure I understand *why* the user has to hit submit twice. – Matt Aug 23 '12 at 13:18
  • Your code is incredibly exposed to SQL Injection. Read about prepared statements. Also read this: http://stackoverflow.com/a/60496/871050 – Madara's Ghost Aug 23 '12 at 13:18
  • If the reference number is in the querystring as a `$_GET` variable, why not just include its value in your form as a hidden input, then pass it along with the security question's answer? – Matt Aug 23 '12 at 13:19
  • Agree with @Matt - see no reason for clicking submit twice. You say about some query. What query do you mean? – Viktor S. Aug 23 '12 at 13:21
  • @FAngel: The query that searches for the GET value in the database. It checks if the value exists, and, if it does, pulls up information on the reference (things like name, email, if he's uploaded) – nv39 Aug 23 '12 at 13:22
  • So, someone came to your page with an address like `www.mywebaddress?url=503241a20b5085_18720621`. You check if the url exists and show a form with the security question. The user answers it and submits the form (1st time). You do what you need if the question is OK. Where is the second submit? – Viktor S. Aug 23 '12 at 13:26
  • First submit executes the query. Second submit is needed to check everything after the query – nv39 Aug 23 '12 at 13:41
  • Why do you need a submit to execute a query? The user came to your webpage with the url already in $_GET! He just clicks on a link in that email and you have a url and run a query. If the query returns some result, you go and show a question. After filling in the answer the user submits that form. If you use the code from my answer, you check validity and process_upload, if the input is valid. What is wrong there? – Viktor S. Aug 23 '12 at 14:00

1 Answer

```php
if ( isset ($_GET['url']) ) {
    $query = "SELECT * FROM ref_info WHERE url='" . $_GET['url'] . "'"; //that is really not secure. Take a look at mysql_real_escape_string or something like that in your $db
    $result = $db->execute($query);
    if ( empty ($result) ) {
        //error message

    } else {
        $url = $_GET['url'];
        if (empty($result[0]['answer']) ) { // page is just opened, form is not yet submitted - ask security question
            include_once("security.php");
        } else { //oh. Submit is done - let me check if it is Ok
            include_once("security_check.php");
        }
        if ( $_SESSION['validated'] ) { //validation is Ok? Yeah. Answer is not posted yet, so validation fails and we do nothing. Just show a form with a question
            if ( $result[0]['uploaded'] == 1 ) {
                $_SESSION['uploaded'] = true;
            } else {
                $_SESSION['uploaded'] = false;
            }

            include_once("process_upload.php");

        }
    }
}
```
Viktor S.
  • not really what I was looking for; form still needs to be submitted twice. But some good suggestions, so +1 – nv39 Aug 23 '12 at 13:48
  • Why must it be submitted twice? What forces you to click twice? Process Upload? Or what? – Viktor S. Aug 23 '12 at 13:52
  • The page only redirects if the form is submitted twice. The first time only the query executes and nothing else really happens – nv39 Aug 23 '12 at 14:14
  • I suppose you need to post some more code and add a step-by-step explanation of what is done by the user. I see nothing that forces you to submit the form twice in the available code. – Viktor S. Aug 23 '12 at 14:20
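
An added example, not code from the question or the answer: the `ref_info` lookup from the posted code rewritten with a PDO prepared statement, as the comments advise, with the security answer checked in the same request that carries it. The table and column names are taken from the question; the in-memory SQLite database, the `route()` function, the hashed `answer` column and the `validated_for` session key are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. ref_info and its columns url, answer,
// uploaded come from the question; all other names here are assumptions.

// Constructed in-memory database standing in for the poster's $db object.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ref_info (url TEXT PRIMARY KEY, answer TEXT, uploaded INTEGER)');
$seed = $pdo->prepare('INSERT INTO ref_info (url, answer, uploaded) VALUES (?, ?, 0)');
// Assumption: the security answer is stored hashed, not in plain text.
$seed->execute(['503241a20b5085_18720621', password_hash('rex', PASSWORD_DEFAULT)]);

// Returns the page to show. $token is the ?url= value, $answer the posted
// security answer (null on a plain GET), $session stands in for $_SESSION.
function route(PDO $pdo, string $token, ?string $answer, array &$session): string
{
    // The placeholder keeps the token out of the SQL text, so a quote inside
    // it is compared as data and cannot change the query.
    $stmt = $pdo->prepare('SELECT answer, uploaded FROM ref_info WHERE url = :url');
    $stmt->execute([':url' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'error';                      // unknown token
    }
    if (empty($row['answer'])) {
        return 'security.php';               // no answer on file, as in the post
    }
    // Verify the answer in the same request that carries it.
    if ($answer !== null && password_verify($answer, $row['answer'])) {
        $session['validated_for'] = $token;  // bound to this token only
    }
    if (($session['validated_for'] ?? null) !== $token) {
        return 'security_check.php';         // ask (or re-ask) the question
    }
    $session['uploaded'] = ((int) $row['uploaded'] === 1);
    return 'process_upload.php';
}

$session = [];
$token = '503241a20b5085_18720621';
echo route($pdo, "x' OR '1'='1", null, $session), "\n";  // constructed hostile token
echo route($pdo, $token, null, $session), "\n";          // link opened, no answer yet
echo route($pdo, $token, 'wrong', $session), "\n";       // wrong answer
echo route($pdo, $token, 'rex', $session), "\n";         // correct answer, one submit
```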