I am calling `header('location: forget.php')` in the confirm.php file, but the URL ends up as confirm.php/forget.php.

```php
<?php

include('config.php');
session_start();

$varGetId = $_GET['id_reset'];
$sqlQry = "select * from tbl_user where link='".$varGetId."'";
$ResultSet = mysqli_query($conn, $sqlQry);
$countRows = mysqli_num_rows($ResultSet);
if ($countRows == 1)
{
    $sqlUpdate = "UPDATE tbl_user SET link='' WHERE link='".$varGetId."'";
    mysqli_query($conn, $sqlUpdate);
}
else
{
    header('location: forget.php');
}

?>
```
Hammad
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 27 '17 at 19:12
  • Add an `exit;` after the header call. – Jay Blanchard Apr 27 '17 at 19:12
  • Put a slash before the name to refer to the root – frz3993 Apr 27 '17 at 19:12

1 Answer

Please use absolute URLs in header location. PHP documentation says:

> HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path, but some clients accept relative URIs.

```php
header('location: http://yoursite.com/forget.php');
```
Agu Dondo
  • Do or do not. There is no "try". A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard Apr 27 '17 at 19:13
  • I am using it on localhost. What can I use? Every file is in the project folder; the URL looks like localhost/project/forget.php – Hammad Apr 29 '17 at 09:33
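
The points raised in the comments and the answer (bound parameters, a redirect target that does not depend on the requested URL, and `exit` after the redirect) combined in one version of confirm.php. This is an added example, not code from the original posts; it assumes config.php provides `$conn` as a mysqli connection and that the app is served from `/project/`, and `APP_BASE` and `redirect_to()` are names introduced here.

```php
<?php
// confirm.php, hardened variant of the script in the question (added example).
// Assumptions: config.php defines $conn (mysqli connection); the app is
// served from /project/ as described in the last comment.
declare(strict_types=1);

require 'config.php';
session_start();

const APP_BASE = '/project/'; // assumed deployment path, adjust per site

/** Redirect to a fixed page inside the app and stop the script. */
function redirect_to(string $page): void
{
    // Root-relative path: resolves the same way whether the browser asked for
    // confirm.php, confirm.php/ or confirm.php/anything, so the target can
    // never become confirm.php/forget.php.
    header('Location: ' . APP_BASE . $page, true, 302);
    exit; // without this, the code below the redirect would still run
}

$token = $_GET['id_reset'] ?? '';

// Used links are stored as '' by the UPDATE below, so an empty or non-string
// id_reset must be rejected before it reaches the query.
if (!is_string($token) || $token === '') {
    redirect_to('forget.php');
}

// One prepared UPDATE replaces the SELECT + UPDATE pair: the token is bound
// as a parameter instead of being concatenated into the SQL text, and
// clearing it in the same statement makes the link single-use.
$stmt = mysqli_prepare($conn, "UPDATE tbl_user SET link = '' WHERE link = ?");
mysqli_stmt_bind_param($stmt, 's', $token);
mysqli_stmt_execute($stmt);

if (mysqli_stmt_affected_rows($stmt) !== 1) {
    redirect_to('forget.php'); // unknown or already used token
}

// Token was valid and is now consumed: continue with the reset step here.
```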