
I was trying to make a website. So this is the index.php page. When 'more info' on any of the forms is clicked, the user is redirected to a payment.php page, where the user must make the payment. Once the payment is done, the user is redirected to the success.php page, which is supposed to show these 3 lines for two seconds and then redirect the user to the details.php page. However, for some reason, instead of redirecting to details.php, both details.php and index.php come up simultaneously like this. How can I stop the index file from appearing there too? I just want to show the details file.

Here is the code of the success page:

<?php
include 'index.php';

// The closing parenthesis was misplaced: empty() must wrap each parameter on its own.
if (!empty($_GET['tid']) && !empty($_GET['product'])) {
  $GET = filter_var_array($_GET, FILTER_SANITIZE_STRING);

  $tid = $GET['tid'];
  $product = $GET['product'];
} else {
  header('Location: payment.php');
  exit; // stop here; otherwise the rest of the page is still rendered after the redirect header
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<title>Thank You</title>
</head>
<body>
<div class="container mt-4">
  <h2>Thank you for purchasing <?php echo $product; ?></h2>
  <hr>
  <p>Your transaction ID is <?php echo $tid; ?></p>
  <p>Check your email for more info</p>
  <?php header('Refresh: 2; URL=details.php?id='.$customer['id']);?>
</div>
</body>
</html>

I feel that this is the most important part of the success.php code:

  <?php header('Refresh: 2; URL=details.php?id='.$customer['id']);?>

Here's the details page:

<?php
include 'config/db_connect.php';
include 'config/db.php';
include 'index.php';
if (isset($_POST['delete'])) {
    $id_to_delete = mysqli_real_escape_string($conn, $_POST['id_to_delete']);

    $sql = "DELETE FROM customers WHERE id = $id_to_delete";

    if (mysqli_query($conn, $sql)) {
        header('Location: index.php');
        exit; // stop rendering after the redirect
    } else {
        echo 'query error: ' . mysqli_error($conn);
    }
}
// default so the template below does not read an undefined variable
$customer = null;
// check GET request id param
if (isset($_GET['id'])) {
    // escape sql chars
    $id = mysqli_real_escape_string($conn, $_GET['id']);
    // make sql
    $sql = "SELECT * FROM customers WHERE id = $id";
    // get the query result
    $result = mysqli_query($conn, $sql);
    // fetch result in array format
    $customer = mysqli_fetch_assoc($result);
    mysqli_free_result($result);
    //mysqli_close($conn);
}
?>
<!DOCTYPE html>
<html>
<?php include 'templates/header.php'; ?>
<div class="container center grey-text">
    <?php if ($customer) : ?>
        <h4><?php echo $customer['Job_Type']; ?></h4>
        <p>Contact Number of loan enquirer: <?php echo $customer['Telephone']; ?></p>
        <p>Annual income: <?php echo 12 * $customer['Monthly_salary']; ?></p>
        <p>Existing loan amount: <?php echo $customer['Existing_loan_amount']; ?></p>
        <p>Residential_Type: <?php echo $customer['Residential_Type']; ?></p>
        <p>Job: <?php echo $customer['Job']; ?></p>
        <p>Form submission time: <?php echo date($customer['Form_Submission_Time']); ?></p>
        <!-- DELETE FORM -->
        <form action="details.php" method="POST">
            <input type="hidden" name="id_to_delete" value="<?php echo $customer['id']; ?>">
            <input type="submit" name="delete" value="Delete" class="btn brand z-depth-0">
        </form>
    <?php else : ?>
        <h5>No such customer exists.</h5>
    <?php endif ?>
</div>
<?php include 'templates/footer.php'; ?>

</html>
Xin_Naz
  • Constant [FILTER_SANITIZE_STRING](https://stackoverflow.com/questions/69207368/constant-filter-sanitize-string-is-deprecated) is deprecated. Please stop using it. – Dharman Sep 19 '21 at 12:46
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 19 '21 at 12:50
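Dharman's warning applies to both queries in details.php: mysqli_real_escape_string() only escapes quote characters, and the id is interpolated into the SQL without quotes, so escaping changes nothing. As an added example (not the asker's or an answerer's code), here is the lookup and delete rewritten with MySQLi prepared statements and integer validation; it assumes $conn is the connection created by config/db_connect.php:

```php
<?php
// Added example: details.php's two queries with bound parameters instead of string interpolation.
// Assumes $conn is the mysqli connection from config/db_connect.php (as in the question).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure instead of returning false

function fetchCustomer(mysqli $conn, int $id): ?array
{
    // The SQL text is fixed; the id travels separately as a bound integer,
    // so input like "1 OR 1=1" can never become part of the statement.
    $stmt = $conn->prepare('SELECT * FROM customers WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver (PHP default)
    $stmt->close();
    return $row ?: null;
}

function deleteCustomer(mysqli $conn, int $id): int
{
    $stmt = $conn->prepare('DELETE FROM customers WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Validate rather than sanitise: filter_input() returns false for anything that is not
// a positive integer and null when the parameter is absent.
$intOpts = ['options' => ['min_range' => 1]];

if (isset($_POST['delete'])) {
    $idToDelete = filter_input(INPUT_POST, 'id_to_delete', FILTER_VALIDATE_INT, $intOpts);
    if ($idToDelete !== null && $idToDelete !== false) {
        deleteCustomer($conn, $idToDelete);
    }
    header('Location: index.php');
    exit; // never keep rendering after a redirect header
}

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $intOpts);
$customer = ($id !== null && $id !== false) ? fetchCustomer($conn, $id) : null;
// ... the HTML template from the question follows, testing $customer as before
```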

1 Answer

Your details page starts with these three lines:

include 'config/db_connect.php';
include 'config/db.php';
include 'index.php';

As you can see, in the third line, you include index.php. My best guess is that that is the reason you see it in the details page.

KIKO Software
    the problem is that if I remove include('index.php') then the variables cannot be passed from the index.php to details.php – Xin_Naz Sep 19 '21 at 07:29
  • 1
    I understand, but that's a different problem. You haven't shown the content of `index.php` or those variables, so we cannot help you there. Perhaps you could ask a new question? As a hack you could put `ob_start();` in front of the `include('index.php');` line, and `ob_end_clean();` on the line after it. That way you discard any output of `index.php`. See the [Output Control Functions](https://www.php.net/manual/en/ref.outcontrol.php). But this isn't a good permanent solution. – KIKO Software Sep 19 '21 at 07:55
  • actually the ob_start and end_clean trick worked and the result seems to be perfectly what I wanted it to be. Can you please tell me why it's not a good permanent solution though? – Xin_Naz Sep 19 '21 at 14:16
  • 1
    @Xin_Naz: It's not a good solution because your code is doing stuff that it doesn't need to do. You code should also not calculate a trajectory to the moon, just because it can, if all you want to do is go to the next town. This wastes computer resources. – KIKO Software Sep 19 '21 at 14:59
  • I understand. Thanks nonetheless bro – Xin_Naz Sep 19 '21 at 15:30
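The output-buffer workaround from the comments, next to the cleaner structure KIKO Software hints at, applied to success.php. This is an added example, not code from the question or the answer; it assumes index.php defines $customer, as the asker's code implies, and the file name config/load_customer.php is hypothetical:

```php
<?php
// Added example: keeping index.php's HTML out of success.php.

// 1. The stop-gap from the comments: run index.php for its variables, discard its output.
//    ob_start() captures everything echoed until ob_end_clean() throws it away, so nothing
//    reaches the browser and header() below can still be sent.
ob_start();
include 'index.php';
ob_end_clean();

// 2. The cleaner fix: move the data-loading code into an include that emits no HTML
//    (hypothetical file name) and include that from index.php, success.php and details.php.
//    A file that produces no output never needs buffering and never breaks header().
// include 'config/load_customer.php';

// Validate the parameters instead of sanitising them (FILTER_SANITIZE_STRING is deprecated).
$tid = filter_input(INPUT_GET, 'tid', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[A-Za-z0-9_-]{1,64}$/']]);
$product = $_GET['product'] ?? '';
if ($tid === null || $tid === false || $product === '') {
    header('Location: payment.php');
    exit; // stop here, otherwise the thank-you page below is still rendered
}

// Headers must precede any output, so the Refresh goes here, not inside <body>.
// The id is cast to int so only a number is ever placed in the URL.
header('Refresh: 2; URL=details.php?id=' . (int) $customer['id']);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Thank You</title></head>
<body>
<div class="container mt-4">
  <!-- values that came from the request are escaped before being placed in the HTML -->
  <h2>Thank you for purchasing <?= htmlspecialchars($product, ENT_QUOTES, 'UTF-8') ?></h2>
  <hr>
  <p>Your transaction ID is <?= htmlspecialchars($tid, ENT_QUOTES, 'UTF-8') ?></p>
  <p>Check your email for more info</p>
</div>
</body>
</html>
```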