1

I had a website where you could select a site that you want to be redirected to from a dropdown menu & then click a button to be redirected to it.

As smart as i am i got a virus on my pc, & restored from an old backup. Short story; the site no longer works.. here is the code:

HTML:

   <form method="post" name="form1" id="form1" action="process.php">
       <select name="taskOption" id="taskOption2">
        <option value="Select">Please select a site</option>
        <option value="http://www.Itslearning.com">Itslearning</option>
        <option value="http://www.NDLA.no">NDLA</option>
       </select>
    </form>

    <button onclick="FormSubmit()" class="button button1 button1:hover">Take me there</button>

PHP:

<?php
$taskOption $_POST["taskOption"];
if ($taskOption) {
    header("Location: $taskOption");

}
else {
   echo "Venligst velg en side.";
   exit;
}



?>

JAVASCRIPT:

    function FormSubmit() {
document.form1.submit();
}
Improve this question
6
  • quite easy to abuse that particular service unfortunately - potentially you could end up as the point of origin for thousands of malicious/fake requests. If the URLS you use in the select menu are from the db then a unique id or hash to denote the url rather than the actual url would be better ( so long as the id/hash is verified in process.php and translated into the correct url ) Commented Sep 13, 2016 at 9:57
  • not quite sure how that would happen, but this is just for a school project so i doubt anyone will abuse it.. thanks for letting me know though :) And by the way, what should i have used instead? Commented Sep 13, 2016 at 10:00
  • You may want to check if your posted data ($_POST) are set first, before trying to check if it fits your particular value Commented Sep 13, 2016 at 10:00
  • I could target the form on your site but substitute whatever url I wanted - process.php would receive the POST request and send a request to the URL I chose to send, thus the traffic originates from your site. Commented Sep 13, 2016 at 10:01
  • oh, i see.. thanks for the warning.. how would you do it then? would you have used another language or something? Commented Sep 13, 2016 at 10:03

3 Answers 3

Reset to default
2

What is the error you receive? At least one error is in your PHP file:

<?php
$taskOption = $_POST["taskOption"];
if ($taskOption) {
    header("Location: $taskOption");
} else {
   echo "Venligst velg en side.";
   exit;
}
?>

Note the "=" on the second line.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I tested it with the "=", and it worked :) The error said ""sitename" is currenly unable to handle your request" or something like that. thanks :)
1

First off, looks like you're missing an assignment operator (=) in your PHP.

It should look like this:

<?php
$taskOption = $_POST["taskOption"];
if ($taskOption) {
    header("Location: $taskOption");

}
else {
   echo "Venligst velg en side.";
   exit;
}

?>
Improve this answer

4 Comments

It seems like that solved it :D I feel really stupid now, but thank you :)
No worries. You might want to set up a linter with your code editor so that small syntax errors like this get highlighted :)
im kinda new to coding, but ill try do add this "linter". what text editor would you reccomend by the way? i currently use "Atom":.
I've not used Atom but I hear good things. Try this. If that doesn't help, I personally use Sublime and I know a lot of other Devs do so you'll easily be able to get help setting up extensions and things.
1 
Simple table to store urls:

create table `urls` (
    `id` int(10) unsigned not null auto_increment,
    `url` varchar(255) not null default '0',
    `hash` varchar(16) not null default '0',
    `hits` smallint(5) unsigned not null default '0',
    primary key (`id`),
    unique index `hash` (`hash`)
)
engine=innodb;



Gives this structure:

+-------+----------------------+------+-----+---------+----------------+
| Field | Type                 | Null | Key | Default | Extra          |
+-------+----------------------+------+-----+---------+----------------+
| id    | int(10) unsigned     | NO   | PRI | NULL    | auto_increment |
| url   | varchar(255)         | NO   |     | 0       |                |
| hash  | varchar(16)          | NO   | UNI | 0       |                |
| hits  | smallint(5) unsigned | NO   |     | 0       |                |
+-------+----------------------+------+-----+---------+----------------+



Populated with dummy urls & unique hashes:

+----+--------------------------------+------------------+------+
| id | url                            | hash             | hits |
+----+--------------------------------+------------------+------+
|  1 | http://www.example.com/page/1  | 53abc566010de29a |   45 |
|  2 | http://www.example.com/page/2  | 8664d7fca34963d2 |   83 |
|  3 | http://www.example.com/page/3  | fe06dca79d3d0415 |   49 |
|  4 | http://www.example.com/page/4  | 3913aaaef701ecad |   35 |
|  5 | http://www.example.com/page/5  | eb2eddc3ca2406c3 |   93 |
|  6 | http://www.example.com/page/6  | acc809b96c6a42d9 |   50 |
|  7 | http://www.example.com/page/7  | 63a4e53b1b374fcb |   90 |
|  8 | http://www.example.com/page/8  | d9c13a146fc7c69a |   18 |
|  9 | http://www.example.com/page/9  | eaa944c7e9a4ef7c |   76 |
| 10 | http://www.example.com/page/10 | 59f9d294a29601c9 |   13 |
+----+--------------------------------+------------------+------+



In the php page that displays the menu for the user to choose from

<?php

    $dbhost =   'localhost';
    $dbuser =   'xxx';
    $dbpwd  =   'xxx';
    $dbname =   'xxx';
    $db =   new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );

    $sql='select * from `urls` order by `id`;';
    $result=$db->query( $sql );

    if( $result ){

        $html=array();
        $html[]="<form name='launcher' method='post' action='process.php'>";
        $html[]="<select name='taskOption'>";   

        while( $rs=$result->fetch_object() ){
            $html[]="<option value='{$rs->hash}'>{$rs->url}";
        }

        $result->close();
        $db->close();

        $html[]="</select>";
        $html[]="<input type='submit' value='Go' />";
        $html[]="</form>";

        echo implode( PHP_EOL, $html );
    }


?>





<?php
    /* process.php */

    /*

        Rather than sending the actual URL via POST we only send a hash
        which is then used in the sql to find the real url from the database.

    */

    $errors=array();
    $url=false;

    if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST['taskOption'] ) ){

        /* rudimentary sanitisation of the string */
        $hash = filter_input( INPUT_POST, 'taskOption', FILTER_SANITIZE_STRING );

        /* db credentials */
        $dbhost =   'localhost';
        $dbuser =   'xxx';
        $dbpwd  =   'xxx';
        $dbname =   'xxx';
        $db =   new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );

        /* construct statement to find the url */
        $sql='select `url` from `urls` where `hash`=?';
        $stmt=$db->prepare( $sql );
        if( $stmt ){

            /* bind the variable - hash */
            $stmt->bind_param( 's', $hash );
            $result=$stmt->execute();

            /* */
            if( $result ){
                $stmt->store_result();
                $stmt->bind_result( $url );
                $stmt->fetch();
                $stmt->free_result();

                if( !$url ) $errors[]='Unable to locate url';

                $sql='update `urls` set `hits`=`hits`+1 where `hash`=?';
                $stmt=$db->prepare( $sql );

                if( $stmt ){
                    $stmt->bind_param('s',$hash);
                    $stmt->execute();
                    $stmt->free_result();

                } else {
                    $errors[]='sql error updating hit count';
                }
            } else {
                $errors[]='No result found in database';
            }
        } else {
            $errors[]='sql error whilst preparing initial statement';
        }

        $stmt->close();
        $db->close();





        /* Redirect the user if all went well otherwise show an error message */
        if( empty( $errors ) ) exit( header("Location: $url") );
        else exit( "There were errors processing your request." );

    }

    /* only accept POST requests */
    exit( 'Bad foo - wrong method' );
?>
Improve this answer

1 Comment

This is definitively more complicated than i want this site to be, but if i ever make another site with the same function this may come in handy :P thanks :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.