
Lock Down "Thank You" Page once form is submitted

Discussion in 'PHP & Perl' started by pctechwright, Oct 28, 2012.

  1. pctechwright

    pctechwright Newbie

    Now I'm no expert in this field - I wouldn't even say I'm a novice, but I need to lock down my "thank you" page that is shown after someone submits a form. I absolutely need this page locked down and unable to get to unless you fill the form out.

    How do I do that? Someone recommended me sending PHP variables to the thank you page from the form (not a clue what that even means). I am using machforms if that helps. Really stuck! This is the last part of my project - once this is complete I can go full steam ahead.

    Anyone care to help? Or if it's a bit much I will pay someone to do this....
     
  2. chevet

    chevet Jr. VIP Jr. VIP

    Let's say your form submit button name is "go" and the form method is POST.
    At the top of the "thank you" page insert this code:
    PHP:
    <?php
    if (!isset($_POST['go'])) { // not reached via the form's submit button
        header('Location: http://www.yourdomainhere.com/');
        exit; // stop, so the rest of the page is not sent along with the redirect
    }
    ?>
    If someone enters the "thank you" page in a different way than clicking the form submit button, he is redirected to, in this example, http://www.yourdomainhere.com.
     
  3. pctechwright

    pctechwright Newbie

    Oh, that's not bad at all. I can totally handle that! Thanks!
     
  4. chevet

    chevet Jr. VIP Jr. VIP

    You're welcome, remember that you can call header only before any actual output is sent, from the PHP manual:
    PHP:
    <html>
    <?php
    /* This will give an error. Note the output
     * above, which is before the header() call */
    header('Location: http://www.example.com/');
    ?>
     
    Last edited: Oct 28, 2012
  5. SonicSam

    SonicSam Registered Member

    The above solution can be worked around if someone accesses the page with a POST value of go (you can do that with, say, wget, cURL or a browser extension that'll allow you to modify page headers and form submissions).

    If you don't care that a dedicated tech-savvy person could potentially bypass this if he or she knew a "go" value needed to be POSTed, this is fine.

    If you do care, then you'll need to look into another way of verifying (such as maybe verifying all the form values were filled out, the same way you did isset for the $_POST[go]).
     
  6. chevet

    chevet Jr. VIP Jr. VIP

    SonicSam is right, a tech person is able to bypass this by sending fake POST data. Verifying if all the form values were filled out won't help because it's easy to fake too.

    If that's the case, you should validate all POST data first and, only if it passes validation, show the "thank you" page. Reply if you need help with it.
     
  7. pctechwright

    pctechwright Newbie

    Holy crap! lol looks like I need to get to learning at least the basics of PHP before I start asking you all EXACTLY step by step how to do this...
     
  8. upl8t

    upl8t Regular Member

    You can also write a cookie with a unique hash in it. Do this in your processing page after you know you have a valid order that has processed, save it to a new field in the database, and do this before you redirect to the thankyou page. At the top of the thankyou page check for the cookie and match it to the database record. If it doesn't exist kick them out of the thankyou page before rendering the page.
     
  9. chevet

    chevet Jr. VIP Jr. VIP

    Joined:
    Jun 23, 2010
    Messages:
    101
    Likes Received:
    30
    It won't help because cookie files are as easy to fake as POST data. Long story short - validate form inputs (alternatively check CAPTCHA) and if validation is positive show the "thank you" page.
     
  10. thejake

    thejake Jr. VIP Jr. VIP Premium Member

    As fun as wheel reinvention is, the way to do this is with sessions, they're designed for cases like this.
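
The session approach named in the last post, combined with the server-side validation suggested earlier in the thread, as an added example that is not part of any post above. The single-file layout, the `?page=` switch, the `name`/`email` fields and the `form_done` flag are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);
session_start(); // like header(), must run before any output is sent

function redirect(string $to): void {
    header('Location: ' . $to, true, 303);
    exit; // stop here so nothing else is rendered after the redirect
}

// Server-side validation; the field names and limits are assumptions.
function valid_submission(array $post): bool {
    $name = $post['name'] ?? '';
    $email = $post['email'] ?? '';
    return is_string($name) && trim($name) !== '' && strlen($name) <= 100
        && is_string($email) && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

if (($_GET['page'] ?? 'form') === 'thanks') {
    // The flag is stored on the server; the browser only holds the session ID,
    // so neither a "go" POST value nor an invented cookie value sets it.
    if (empty($_SESSION['form_done'])) {
        redirect('?page=form');
    }
    unset($_SESSION['form_done']); // one view per accepted submission
    echo '<h1>Thank you</h1>';
    exit;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (valid_submission($_POST)) {
        // ... store or mail the submission here ...
        session_regenerate_id(true); // fresh session ID once state changes
        $_SESSION['form_done'] = true;
        redirect('?page=thanks');
    }
    $error = 'Please enter a name and a valid email address.';
}
?>
<form method="post" action="?page=form">
  <p><?= htmlspecialchars($error) ?></p>
  <input name="name" placeholder="Name">
  <input name="email" placeholder="Email">
  <button name="go" value="1">Send</button>
</form>
```

Saved as `index.php`, it can be tried locally with PHP's built-in server (`php -S localhost:8000`): requesting `?page=thanks` directly redirects to the form, and the thank-you view appears only once, after a submission that passed validation.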