1

I'm trying to make an <a> link which triggers PHP code on the next page. I've tried using $_GET variables to do this but the thing is I also want to remove the variable afterwards, as I automatically link back to the redirected page with header(). There don't seem to be any feasible ways to do this without redirecting the user to one page alone, but the thing is they're expected to be redirected to the page they were on previously. Keeping $_GET variables then causes an endless loop of redirects.

In general, I wish to avoid using $_GET as it could be abused in the context I'm using it in. Any other workarounds would be greatly appreciated, though. Basically I'm just trying to use an <a> link to remove an entry from a MySQL database.

Here's the PHP that handles the variable.

if (isset($_GET['rm'])) # 'rm' contains the uuid of the entry to be deleted.
{
    $uuid = $_GET['rm'];
    unset($_GET['rm']); # Didn't expect this to work, of course it didn't remove the variable from the URL.
    $query = "DELETE FROM posts WHERE uuid = '$uuid'";
    $result = $mysqli->query($query);
    header("Location: " . $_SERVER['REQUEST_URI']);
    exit();
}

EDIT: I realize now that I have wildly complicated my explanation here. The main goal was to make the click of an <a> link trigger PHP code, with a variable specific to the link clicked. (Each link is a delete button on a post, and each post has a UUID)

If there is a way to alternatively trigger javascript code, that would be immensely helpful as well, since I'm looking to use such a method here too. I will likely be making a separate thread asking about this.

mellodoot
  • I'm somewhat confused as to what you are asking, but I think session variables would probably make this easy. You could just edit the URL string you use in the header –  Jun 26 '18 at 22:13
  • Can't you just set a cookie to handle this? – Mr Glass Jun 26 '18 at 22:13
  • @smith I can't trigger session variables to be set while I'm clicking a link, though. According to other threads on here php wouldn't be able to respond quickly enough before the page changes. – mellodoot Jun 26 '18 at 22:15
  • @MrGlass not sure how I could pull that off :/ – mellodoot Jun 26 '18 at 22:15
  • I don't see why you can't still use sessions, but if you prefer, explode $_SERVER['REQUEST_URI'] on ? and take the first part; that will be the URL without the query string –  Jun 26 '18 at 22:15
  • Actually, did you mean `HTTP_REFERER`, not `REQUEST_URI`? –  Jun 26 '18 at 22:19
  • You can also redirect to just `?` which would mean the current URL with a query string `?`, effectively removing your current query string. `header("Location: ?");` – Jonathan Jun 26 '18 at 22:22
  • @smith Using `HTTP_REFERER` to redirect actually worked perfectly, thank you! – mellodoot Jun 26 '18 at 22:23
  • @Jonathan I could see that working :) – mellodoot Jun 26 '18 at 22:24
  • Just don't *trust* the value, as it can be unset or faked, but it may suffice. –  Jun 26 '18 at 22:25
  • @smith True, someone could just redirect from another page... I suppose I could run a check to see if `HTTP_REFERER` links to a page on the server, and if not, redirect to index? – mellodoot Jun 26 '18 at 22:33
  • I don't think you could have built much more of an insecure script. First off, never make changes to something based on a GET operation. It's assumed that GET has no side effects and doesn't change data on the server, ever. As it stands now, anyone could make a GET request from any other web page on the internet and manipulate data as if they were the user of your site. Next, you **must** use prepared/parameterized queries, or anyone can inject arbitrary strings into your query. This is SQL injection, and you **will be hacked** if you haven't been already. – Brad Jun 26 '18 at 22:40
  • Why not use the session variable... and do the action on an AJAX call, so you don't have to worry about the page refresh concern? – Ctznkane525 Jun 26 '18 at 22:45
  • @brad I just tried working with prepared queries, but I'm having difficulty working with multiple columns and such as outputs. Would you be able to link me a decent source where I could research it more? – mellodoot Jun 27 '18 at 00:02
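
The points raised in the comments above (no state change on GET, a prepared query, and not trusting `HTTP_REFERER` blindly) combined into one handler. This is an added example, not code from any participant in the thread; `$mysqli` and the `posts.uuid` column come from the question, while `safe_return_path()`, `delete_button()`, the `csrf` field name and the `/index.php` fallback are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes $mysqli is an open mysqli
// connection and the posts.uuid column from the question.
session_start();
if (empty($_SESSION['csrf'])) {            // one CSRF token per session
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Hypothetical helper: return a local path taken from the Referer, or the
// fallback when the Referer is missing, malformed or points at another host.
function safe_return_path(string $referer, string $host, string $fallback = '/index.php'): string
{
    $parts = parse_url($referer);
    if ($host === '' || !is_array($parts) || strcasecmp($parts['host'] ?? '', $host) !== 0) {
        return $fallback;
    }
    $path = $parts['path'] ?? '/';
    // "//other.example" or "/\other.example" would be read as another host.
    return preg_match('#^/(?![/\\\\])#', $path) ? $path : $fallback;
}

// Hypothetical helper: rendered once per post in place of the <a> link.
function delete_button(string $uuid, string $token): string
{
    return '<form method="post" style="display:inline">'
         . '<input type="hidden" name="csrf" value="' . htmlspecialchars($token) . '">'
         . '<input type="hidden" name="rm" value="' . htmlspecialchars($uuid) . '">'
         . '<button type="submit">Delete</button></form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($_POST['rm'] ?? null)) {
    // A page on another site cannot read the token, so it cannot forge this request.
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // An ownership check for the logged-in user would go here (not shown in the thread).
    $uuid = $_POST['rm'];
    $stmt = $mysqli->prepare('DELETE FROM posts WHERE uuid = ?');
    $stmt->bind_param('s', $uuid);         // bound, never concatenated into the SQL
    $stmt->execute();
    // Post/Redirect/Get: 303 makes the browser re-request the page with GET,
    // so a refresh does not repeat the delete and no 'rm' is left in the URL.
    $host = (string) parse_url('//' . ($_SERVER['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    header('Location: ' . safe_return_path($_SERVER['HTTP_REFERER'] ?? '', $host), true, 303);
    exit();
}
```

Each post would print `delete_button($post['uuid'], $_SESSION['csrf'])`, where `$post` is an assumed row from the listing query; the button can be styled to look like a link.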

2 Answers

0

You can use $_SESSION to delete the variable afterwards, for example:

if (isset($_SESSION['rm'])) # 'rm' contains the uuid of the entry to be deleted.
{
    $uuid = $_SESSION['rm'];
    unset($_SESSION['rm']); # Clear the value so the delete does not run again after the redirect.
    # Prepared statement: $uuid is bound as a parameter, not concatenated into the SQL.
    $stmt = $mysqli->prepare("DELETE FROM posts WHERE uuid = ?");
    $stmt->bind_param("s", $uuid);
    $result = $stmt->execute();
    header("Location: " . $_SERVER['REQUEST_URI']);
    exit();
}

Consider that you have registered the value in the following form:

$_SESSION['rm'] = "My value";
  • The problem here is that I'm clicking on a link, which carries me to the page where this code is executed. I don't have a way to actually insert data into the SESSION. – mellodoot Jun 27 '18 at 00:43
  • You can add any data to $_SESSION, or not necessary you have that create the SESSION, you can register the $_SESSION after, just as you have – Daniel Oseguera Jun 27 '18 at 01:40
  • The problem there is how I get specific data into the $_SESSION. Each link clicked in this scenario is specific to a particular $uuid, and I'm not sure how I could make the link's location on the previous page affect the $_SESSION, if that makes sense. – mellodoot Jun 27 '18 at 02:45
-2

If your goal is to redirect to the current page but remove the query string, you can redirect with header("Location: ?"); which does essentially just that. (Technically you are redirecting to a new query string with no value, which is different from no query string at all, but PHP will just show an empty array for $_GET, which is essentially the same.)

I was going to mention additional options like variables from $_SERVER, but many of those have various security or other issues associated with them. I only mention this because I wouldn't suggest using any unless necessary. Also, it really doesn't get easier than the above.

Jonathan
  • The `Location` header must be the full URL. While relative paths do work in most browsers, they're not up to spec. – Brad Jun 26 '18 at 22:36
  • @Brad While not up to spec, it does work in all major browsers and has forever (meaning pretty good support for older browsers). Even the MDN page on redirections shows examples of relative URLs and mentions nothing of the "full URL". – Jonathan Jun 26 '18 at 22:46
  • @Brad, please see https://stackoverflow.com/a/25643550/9836025, relative URIs are permitted and perfectly fine according to the current spec. – Jonathan Jun 26 '18 at 22:59