Can anyone help me pls? I want to edit a record in my Database. Everything works fine. If I click on the button it saves the record. But it doesn't redirect me back to transparente.php! I just get a white site... Pls help me!

```php
<?php

define('INCLUDE_CHECK', true);

require 'connect.php';
require 'functions.php';

session_name('tzLogin');

// Session cookie lifetime: one week
session_set_cookie_params(7*24*60*60);

session_start();

if (isset($_GET['logoff']))
{
    $_SESSION = array();
    session_destroy();

    header("Location: demo.php");
    exit;
}

// Prints the edit form, with an error box when $error is not empty
function renderForm($id, $Name, $Wer, $Erhalten, $Digital, $Betrag, $Bezahlt, $Anmerkung, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Eintrag bearbeiten</title>
</head>
<body>
<?php
    if ($error != '')
    {
        echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
    }
?>

<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Firma</strong><input type="text" name="Name" value="<?php echo $Name; ?>"/><br/>

<strong>Wer</strong><input type="text" name="Wer" value="<?php echo $Wer; ?>"/><br/>

<strong>Erhalten</strong><input type="text" name="Erhalten" value="<?php echo $Erhalten; ?>"/><br/>

<strong>Digital</strong><input type="text" name="Digital" value="<?php echo $Digital; ?>"/><br/>

<strong>Betrag</strong><input type="text" name="Betrag" value="<?php echo $Betrag; ?>"/><br/>

<strong>Bezahlt</strong><input type="text" name="Bezahlt" value="<?php echo $Bezahlt; ?>"/><br/>

<strong>Anmerkung</strong><input type="text" name="Anmerkung" value="<?php echo $Anmerkung; ?>"/><br/>

<input type="submit" name="submit" value="Speichern">
</div>
</form>
</body>
</html>
<?php
}

include('db.inc.php');

// Form was submitted: validate the input and save the record
if (isset($_POST['submit']))
{
    if (is_numeric($_POST['id']))
    {
        $id = $_POST['id'];
        $Name = mysql_real_escape_string(htmlspecialchars($_POST['Name']));
        $Wer = mysql_real_escape_string(htmlspecialchars($_POST['Wer']));
        $Erhalten = mysql_real_escape_string(htmlspecialchars($_POST['Erhalten']));
        $Digital = mysql_real_escape_string(htmlspecialchars($_POST['Digital']));
        $Betrag = mysql_real_escape_string(htmlspecialchars($_POST['Betrag']));
        $Bezahlt = mysql_real_escape_string(htmlspecialchars($_POST['Bezahlt']));
        $Anmerkung = mysql_real_escape_string(htmlspecialchars($_POST['Anmerkung']));

        if ($Name == '')
        {
            $error = 'ERROR: Please fill in all required fields!';

            renderForm($id, $Name, $Wer, $Erhalten, $Digital, $Betrag, $Bezahlt, $Anmerkung, $error);
        }
        else
        {
            mysql_query("UPDATE Transparente SET
                    Name='$Name',
                    Wer='$Wer',
                    Erhalten='$Erhalten',
                    Digital='$Digital',
                    Betrag='$Betrag',
                    Bezahlt='$Bezahlt',
                    Anmerkung='$Anmerkung'
                WHERE id='$id'")
            or die(mysql_error());

            // Redirect back to the overview after saving
            header("Location: transparente.php");
        }
    }
    else
    {
        echo 'Error!';
    }
}
else
{
    // Form not submitted yet: check that the 'id' in the URL is valid (numeric/larger than 0)
    if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
    {
        $id = $_GET['id'];
        $result = mysql_query("SELECT * FROM Transparente WHERE id=$id")
        or die(mysql_error());
        $row = mysql_fetch_array($result);

        if ($row)
        {
            $Name = $row['Name'];
            $Wer = $row['Wer'];
            $Erhalten = $row['Erhalten'];
            $Digital = $row['Digital'];
            $Betrag = $row['Betrag'];
            $Bezahlt = $row['Bezahlt'];
            $Anmerkung = $row['Anmerkung'];

            renderForm($id, $Name, $Wer, $Erhalten, $Digital, $Betrag, $Bezahlt, $Anmerkung, '');
        }
        else
        {
            echo "No results!";
        }
    }
    else
    {
        echo 'Error!';
    }
}
?>
```
  • 1
    after a redirect header, you should generally include an `exit()` or `die()` statement, see [this question](http://stackoverflow.com/q/3553698/697370) – Jeff Lambert Jul 29 '14 at 18:42
  • Is your error reporting on? And you should take a look at webproxies like Fiddler where you can see the exact response – Sander Visser Jul 29 '14 at 18:43
  • 1
    @SanderVisser Or just Firebug / your browser's F12 tools, which will generally have a raw HTTP view these days. – IMSoP Jul 29 '14 at 18:46
  • @watcher Not sure if an edit isn't showing and it was added after your comment, but this code already includes an `exit;` immediately after the `header()` call. – IMSoP Jul 29 '14 at 18:47
  • @IMSoP after _every_ header redirect? or just the one near the top? it may be hard to see because of the formatting – Jeff Lambert Jul 29 '14 at 18:48
  • @watcher All actually and all the header() calls should be placed before you output anything otherwise it won't work – Sander Visser Jul 29 '14 at 18:50
  • @IMSoP I think fiddler works better but that's just an opinion haha – Sander Visser Jul 29 '14 at 18:51
  • @watcher Ah, sorry, missed that there was a second `header()` call. Still, as far as I can see, there's no reachable code after that second call, so it wouldn't technically make any difference. – IMSoP Jul 29 '14 at 18:51
  • 1
    Lovely SQL injection attack vulnerability. Why do you spend all that time escaping all of your "text" fields, and then blindly stuff in `$id` without doing anything to it? – Marc B Jul 29 '14 at 18:52
  • Sounds to me like the notorious White Screen of Death: [take a look at this answer to find out how to see the error that's causing it](http://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php/12772851#12772851). – IMSoP Jul 29 '14 at 18:52
  • @MarcB I think the `is_numeric` is supposed to catch it. Which is just as wrong as running `htmlspecialchars` on the way into the database, but it's not easy to craft an attack string that passes it. – IMSoP Jul 29 '14 at 18:54
  • @MarcB I'm very new to PHP and this code is adapted from a tutorial! That's why I need your help – user3713946 Jul 29 '14 at 19:08

1 Answer

Once the output is set, the redirection doesn't work. Move your redirection logic to the top. Hope this helps.

Pankaj Sharma
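
One way to restructure the handler along the lines of this answer and the comments on the question, as an added example that is not part of the original thread: all `header()` decisions happen before any output, the `id` is validated as an integer and bound as a parameter, and HTML escaping is applied when printing rather than before storing. It assumes PDO with an in-memory SQLite database as a stand-in for the real connection, narrows the form to two columns, and the helper names `saveEntry` and `e` are hypothetical.

```php
<?php
// Added example, not the asker's code. The sqlite::memory: DSN and sample row are constructed (needs pdo_sqlite).
declare(strict_types=1);

/** Validate and save one edit; returns an error message, or null on success. */
function saveEntry(PDO $db, array $post): ?string
{
    // Only a positive decimal integer passes; is_numeric() also accepts "1e3" and "1.5".
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $name = trim((string)($post['Name'] ?? ''));
    if ($id === false || $name === '') {
        return 'ERROR: Please fill in all required fields!';
    }
    // Raw text goes into the database; placeholders keep it out of the SQL string.
    $stmt = $db->prepare('UPDATE Transparente SET Name = :name, Anmerkung = :note WHERE id = :id');
    $stmt->execute([':name' => $name, ':note' => (string)($post['Anmerkung'] ?? ''), ':id' => $id]);
    return null;
}

/** Escape for HTML when printing, not on the way into the database. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Transparente (id INTEGER PRIMARY KEY, Name TEXT, Anmerkung TEXT)');
$db->exec("INSERT INTO Transparente VALUES (1, 'Firma A', '')");

$error = '';
if (isset($_POST['submit'])) {
    $error = saveEntry($db, $_POST);
    if ($error === null) {
        // No byte of output has been sent yet, so the header still goes out.
        header('Location: transparente.php');
        exit;
    }
}

// Output starts only here, after every header() decision has been made.
$row = $db->query('SELECT * FROM Transparente WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
?>
<form action="" method="post">
  <?php if ($error !== '') { echo '<div style="color:red">' . e($error) . '</div>'; } ?>
  <input type="hidden" name="id" value="<?php echo (int)$row['id']; ?>"/>
  <input type="text" name="Name" value="<?php echo e($row['Name']); ?>"/>
  <input type="text" name="Anmerkung" value="<?php echo e($row['Anmerkung']); ?>"/>
  <input type="submit" name="submit" value="Speichern">
</form>
```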