0

I've been hacking away at this for hours now. Before I determine it's some problem with my host I will try here. I had to move this website from one host to another and everything on the site is working except for this one file. It's a CRM system and this is the delete a client option. It deletes the client but just shows the message "client deleted. Please hold.." It does not re-direct; it stays on the page with this message. I'm really at a loss as other files have the exact same re-direct and work fine?

 <?php
include('dbopen.php');
$delete_id = $_GET['details_id'];
// sql to delete a record
$sql = "DELETE FROM details WHERE details_id= $delete_id";

if ($conn->query($sql) == TRUE) {

       //deletes record but does not re-direct?
       header("refresh:3; url=clients.php");
       echo "client deleted.  Please hold...";


} else {
    echo "Error deleting record: Contact Dylan";
}

$conn->close();
?> 
Dylano236
  • ok. Well it works on my other files and I've tried "header("Location: clients.php")" and that will not work either. Any ideas on which header would be valid? – Dylano236 Jun 23 '18 at 06:43
  • Shouldn't say hacking with that code.. try `?details_id=1 or 1=1` – Lawrence Cherone Jun 23 '18 at 06:45
  • haha good point @LawrenceCherone hacking is never a good term here – Dylano236 Jun 23 '18 at 06:47
  • And if you're implying my code is shitty, agreed lol. This is an old site I built and rather than rebuild it better I just need to transfer it to my boss's host. I'm a little unclear on the ?detalis_id=1 or 1=1. Is this a joke or serious? I know that's how you sql inject someone but can you explain how putting this in my sql statement would work? – Dylano236 Jun 23 '18 at 06:50
  • @Dylano236 https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Mike Jun 23 '18 at 06:52
  • Your code is open to SQL injection attacks. All you would have to do is visit the URL `yourscript.php?details_id=1 or 1=1` and you would delete every row in your database. You should also [not use GET to perform an action you don't want repeated](https://stackoverflow.com/a/6834275/811240). – Mike Jun 23 '18 at 06:54
  • @Mike That PHP header is in fact valid. Dylano, enable PHP error reporting and check your logs. What does it spit out? You likely have some output prior to the header call. – Qirel Jun 23 '18 at 06:58
  • Possible duplicate of [How to fix "Headers already sent" error in PHP](https://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php) – Qirel Jun 23 '18 at 07:02
  • @Mike Oh I thought sql injection was only vulnerable in html input fields. This is good to know. Thank you! I need to fix this. – Dylano236 Jun 23 '18 at 07:21
  • @Dylano236 Any time you put variables into a database query you need to try to prevent SQL injection, unless you have hard-coded the variables in your script. Even something coming from the database can cause SQL injection. – Mike Jun 23 '18 at 07:23
  • @LawrenceCherone now I understand your comment. I have a lot to learn. – Dylano236 Jun 23 '18 at 07:24
  • @Mike thanks, so maybe in this case I should use a post request instead of get? – Dylano236 Jun 23 '18 at 07:27
  • @Dylano236 Yes, use POST. GET is inappropriate here. Imagine someone on another site simply links to your script. Anyone who is logged in and clicks on it would delete that user. And on that note, also take a look at implementing CSRF prevention. – Mike Jun 23 '18 at 07:30
  • @Mike great I appreciate the help – Dylano236 Jun 23 '18 at 07:34
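As an added example (not the asker's or any answerer's code), here is the same delete handler rewritten to address the points raised in the comments: it accepts only POST, checks a CSRF token, binds the id in a prepared statement, and sends the redirect header before any output, using headers_sent() to pinpoint stray output such as the leading space. The $_SESSION['csrf_token'] and $_SESSION['flash'] keys, the mysqli $conn from dbopen.php, and clients.php displaying the flash message are assumptions.

```php
<?php
// Added example (not the asker's code): a hardened version of the delete handler.
// Assumptions: dbopen.php creates a mysqli connection in $conn, and the form that posts
// here carries the token stored in $_SESSION['csrf_token'] when the form was rendered.
session_start();
include 'dbopen.php';

// Only accept POST: a plain GET link from any page must not be able to delete a client.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Anti-CSRF check: the submitted token must match the one issued with the form.
$token = $_POST['csrf_token'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('Invalid request token');
}

// Validate the id as an integer before it gets anywhere near SQL.
$deleteId = filter_input(INPUT_POST, 'details_id', FILTER_VALIDATE_INT);
if ($deleteId === false || $deleteId === null) {
    http_response_code(400);
    exit('Bad client id');
}

// Prepared statement: the id is bound as a parameter, never concatenated into the query,
// so a value like "1 or 1=1" can no longer rewrite the WHERE clause.
$stmt = $conn->prepare('DELETE FROM details WHERE details_id = ?');
$stmt->bind_param('i', $deleteId);
$stmt->execute();
$deleted = $stmt->affected_rows;
$stmt->close();
$conn->close();

// Keep the confirmation for clients.php in the session instead of echoing it here,
// so nothing is output before the redirect header.
$_SESSION['flash'] = ($deleted === 1) ? 'Client deleted.' : 'No client with that id.';

// The failure mode from the question: if anything (even one space before <?php) was
// already sent, headers_sent() reports which file and line started the output.
if (headers_sent($file, $line)) {
    exit("Cannot redirect: output already started in $file on line $line");
}
header('Location: clients.php', true, 303);
exit;
```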

3 Answers

1

The reason why the code is not working when sending headers to the browser is because you have white space at the beginning of your file. Notice the single space character. You cannot send any more headers to the browser after any content has been sent, even if it's white space. If you check your log file or enable error display, you would notice it giving you an error that headers have already been sent.

Mike
  • wow one space bar indent was what was causing the problem. I guess I need to study more to realize why this is an invalid HTTP header? It works so what is invalid about it? And thank you Mike I appreciate it! – Dylano236 Jun 23 '18 at 06:58
  • This answer is incorrect as the PHP header is in fact valid. Using HTML or JavaScript to redirect is also not preferable over sending a PHP header – Qirel Jun 23 '18 at 06:59
  • You're right. It is correct. I'll edit the answer. Sorry for the confusion. – Mike Jun 23 '18 at 07:00
  • Ok now I'm confused. It works so I would assume it's valid but @Mike sounds like he knows what he's talking about as he solved the problem which was a space before my – Dylano236 Jun 23 '18 at 07:01
  • @Dylano236 I was just unaware of the HTTP header `Refresh`, but I [looked it up](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields) and see it is, in fact, valid. – Mike Jun 23 '18 at 07:03
  • Dylano, the header you used is fine, but one cannot have any output (not even spaces) before the header call. See the flagged duplicate. – Qirel Jun 23 '18 at 07:04
  • @Qirel Agreed. Flagged as dupe as well. – Mike Jun 23 '18 at 07:05
1

Use

header("Location: clients.php");

It should work. But any HTML or white space should not be there before the header function. In your code there is a small white space before

<?php 

tag.

Buwaneka Sudheera
  • Thanks, Mike already solved it but I need a message telling my salesmen that the client was deleted so that's why I have the echo statement and refresh. But if I had 15 reputation points I'd give you a vote up. – Dylano236 Jun 23 '18 at 07:04
0

Try this one:

if ($conn->query($sql) == TRUE){
   //header("refresh:3; url=clients.php");
   echo "<script>alert('client deleted.  Please hold...');</script>";
   echo "<script>setTimeout(function(){window.location = 'clients.php' ;}, 3000) ; </script>" ;
}

Use this one; it will work as you expected, but it's using a JavaScript re-direct, not a PHP header, because PHP headers do not function in the middle of an execution.

PHP Web