
I have an HTML form whose output I want to save in a database. Everything is OK, but after the user presses "submit" my PHP file becomes free to see. I found a way out:

```php
header("Location: exampleurl");
die();
```

in

```php
<?php
// Form fields are taken from the POST body without validation or escaping
$phone  = $_POST['phone'];
$pointA = $_POST['pointA'];
$pointB = $_POST['pointB'];

// Legacy mysql_* API, connecting as root with an empty password
$con = mysql_connect("127.0.0.1", "root", "");
mysql_set_charset('utf8');
mysql_select_db("taxon");

// The POST values are interpolated straight into the SQL text
// (this is the SQL injection point the comments below point out)
$query = "INSERT INTO `order` (phone, pointA, pointB)
VALUES ('$phone', '$pointA', '$pointB')";

$result = mysql_query($query, $con);

mysql_close($con);

// Redirect, then stop the script so nothing after this line is sent
header("Location: exampleurl");
die();
?>
```

which sits at the bottom of the document, to allow PHP to run the code and then redirect. I don't like this way because it is only appropriate for small files. If there were a lot of code to process, first the user would see an empty page, and only after that get redirected. Can you advise me something? P.S. My English is poor; please tell me if something is wrong and I'll fix it.

IceManSpy
Animus
    Welcome to Stack Overflow! Your code is vulnerable to SQL injection. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174) – Madara's Ghost Mar 26 '14 at 09:15
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 26 '14 at 09:16
  • Your code is very, very, very dangerous... –  Mar 26 '14 at 09:17
  • Please use the *mysqli* library and the *mysql_real_escape_string* function :) –  Mar 26 '14 at 09:18
  • @Nakka God no. Please don't suggest the broken `mres`. – PeeHaa Mar 26 '14 at 09:25
  • @PeeHaa, what is *mres*? –  Mar 26 '14 at 09:31
  • `mysql(i)_real_escape_string` – PeeHaa Mar 26 '14 at 09:34

2 Answers

0
```php
header("Location: exampleurl");
```

does not stop execution. If there are other statements after your Location header, they will be executed anyway.

You can actually use an if statement. You can check with a variable whether you want to redirect the user. If it's true you can put the header function in that block; if it's false you can place your actual code inside the false block.

So you will be able to control, with a variable, when you want to redirect.

Burak Tokak
  • Thank you, I thought it killed the execution! But I'm afraid I can't understand you here: `if it's false you can place your actual code inside the false block.` – Animus Mar 26 '14 at 18:45
  • Just use an if statement. I mean, when you use it you will have two code paths, a true path and a false path. Set a variable and place your code where the variable tells you it's false (0). If it's true you can place the Location code there. I don't know how else to explain it. – Burak Tokak Mar 26 '14 at 18:59
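Putting the comments' advice (drop the `mysql_*` API, keep user input out of the SQL text) together with the two-branch structure the answer above describes, here is an added example of the same handler rewritten with PDO prepared statements and a POST-Redirect-GET flow. This is not code from the question or from either answer. The table and column names come from the question; the database user `taxon_app`, its password, the confirmation page `/thanks.php`, and the phone-number pattern are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code): order handler rebuilt as a
// POST-Redirect-GET endpoint with PDO prepared statements.
// Assumptions: MySQL database "taxon" with table `order`(phone, pointA, pointB)
// on 127.0.0.1, a dedicated low-privilege account "taxon_app" (not root),
// and a confirmation page at /thanks.php.
declare(strict_types=1);

const DB_DSN     = 'mysql:host=127.0.0.1;dbname=taxon;charset=utf8mb4';
const DB_USER    = 'taxon_app';   // assumption: not root
const DB_PASS    = 'change-me';   // assumption: in practice read from config/env
const THANKS_URL = '/thanks.php'; // assumption: the page to show after saving

function save_order(PDO $db, string $phone, string $pointA, string $pointB): void
{
    // Placeholders keep the values out of the SQL text entirely: the driver
    // sends them separately, so a single quote in $phone is stored as data
    // instead of terminating the string literal as it does in the question.
    $stmt = $db->prepare(
        'INSERT INTO `order` (phone, pointA, pointB) VALUES (?, ?, ?)'
    );
    $stmt->execute([$phone, $pointA, $pointB]);
}

function redirect_and_exit(string $url): void
{
    // header() only queues a response header; PHP keeps running the rest of
    // the script, so the exit is what actually stops it. 303 makes the
    // browser follow up with GET, so a reload does not resubmit the form.
    header('Location: ' . $url, true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The two-way branch from the answer: POST saves and redirects,
    // anything else falls through to the form below.
    $phone  = trim((string)($_POST['phone']  ?? ''));
    $pointA = trim((string)($_POST['pointA'] ?? ''));
    $pointB = trim((string)($_POST['pointB'] ?? ''));

    // Minimal validation so empty or obviously bogus input never reaches the DB
    if ($phone === '' || $pointA === '' || $pointB === ''
        || !preg_match('/^\+?[0-9 ()-]{5,20}$/', $phone)) {
        http_response_code(400);
        echo 'All fields are required and the phone number must be numeric.';
        exit;
    }

    try {
        $db = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]);
        save_order($db, $phone, $pointA, $pointB);
    } catch (PDOException $e) {
        // Log the detail server-side; never echo driver errors to the user
        error_log('order insert failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not save your order, please try again later.';
        exit;
    }

    redirect_and_exit(THANKS_URL);
}
?>
<!-- A GET request (or nothing above having exited) renders the form -->
<form method="post" action="">
  <input name="phone"  placeholder="Phone">
  <input name="pointA" placeholder="From">
  <input name="pointB" placeholder="To">
  <button type="submit">Order</button>
</form>
```

Because the redirect is sent before any HTML is echoed, there is no blank page to wait on; the work is done inside the POST branch and the browser only ever renders the confirmation page or the form. Using a non-root account with INSERT rights on `order` alone also limits what a future bug in the handler can do.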
-1

Ignoring the SQL injection vulnerabilities and other issues, you could print some message with an additional JavaScript redirection after you've already sent the headers. I doubt that it is best practice, but it's another way to do what you want.

```php
/* […] */
mysql_close($con);

// Send the redirect header first (303: follow up with GET)
header('Location: exampleurl', true, 303);
// Body as a fallback in case the header is ignored
echo '<p>You will be redirected in a moment. Please, wait!</p>';
echo '<script>location.href = "exampleurl";</script>';

die();
```

Hope this was helpful for you!

VGafurov