CODEWITHSUNDEEP
phpformsurlget
nv39
nv39

Reputation: 535

PHP form requires to be submitted twice

I'm writing an application that allows users to upload reference letters for potential employees.

Every reference is sent an email containing a unique string at the end of the url. So, for example, an address would look similar to: www.mywebaddress?url=503241a20b5085_18720621.

To determine if the unique string is valid (i.e. exists in the database) I need to do a query search. However, when a reference attempts to access the URL he needs to answer a security question. So, I also need to check if the answer is valid, if he has previously uploaded, etc to determine what page to redirect him to.

But because of the query, my code requires the user to click "Submit" twice. This is really annoying, but I'm not sure how to fix it.

Here is a relevant excerpt of my code:

if ( isset ($_GET['url']) ) {
        $query = "SELECT * FROM ref_info WHERE url='" . $_GET['url'] . "'";
        $result = $db->execute($query);
        if ( empty ($result) ) {
            //error message

        } else {
            $url = $_GET['url'];

            if ( $_SESSION['validated'] ) {
                if ( $result[0]['uploaded'] ==1 ) {
                    $_SESSION['uploaded'] =true;
                } else {
                    $_SESSION['uploaded'] =false;   
                }

                include_once("process_upload.php"); 

            } else { 
                if ( empty($result[0]['answer']) ) {
                    include_once("security.php");

                } else {
                    include_once("security_check.php");
                }
            }
        }

}

Is there anything I can do so that the form only needs to be submitted once?

Thanks in advance for any suggestions!!

Upvotes: 1

Views: 324

Answers (1)

Viktor S.
Viktor S.

Reputation: 12815

if ( isset ($_GET['url']) ) {
        $query = "SELECT * FROM ref_info WHERE url='" . $_GET['url'] . "'"; //that is really not secure. Take a look at mysql_real_escape_string or something like that in yor $db
        $result = $db->execute($query);
        if ( empty ($result) ) {
            //error message

        } else {
            $url = $_GET['url'];
            if (empty($result[0]['answer']) ) { // page is just opened,form is not yet submitted - ask sequrity question
                include_once("security.php");    
            } else { //oh. Submit is done - let me check if it is Ok
                include_once("security_check.php");
            }
            if ( $_SESSION['validated'] ) { //validation is Ok? Yeah. Answer is not posted yet, so validation fails and we do nothing. Just show a form with a question
                if ( $result[0]['uploaded'] ==1 ) {
                    $_SESSION['uploaded'] =true;
                } else {
                    $_SESSION['uploaded'] =false;   
                }

                include_once("process_upload.php"); 

            } 
        }

}

Upvotes: 1

Related Questions