Help with PHP and HTML form (POST + Redirect)

Question

HI ,

Can any one help

I need to direct the user once they have submitted the form to another page

How could I do this ?

<form enctype="multipart/form-data" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Answer 1

Specify the page in the action="" attribute of the form (don't use PHP_SELF).

Answer 2

If you want the POST + Redirect thing:

header('Location: ' . $nextUrl, true, 303);

will do the trick.

Example code:

<!-- form.html -->
<form method="post" action="postHandler.php">
  <input type="text" name="someName" value=""/>
  <input type="submit" name="submitButton">
</form>

 

// postHandler.php
if (isset($_POST['submitButton'])) {
  // do something with the posted data

  header('Location: submitOk.html', true, 303);
} else {
  header('Location: form.html', true, 303);
}

 

<!-- submitOk.html -->
<h1>Ok</h1>
<p>
  Your information was received
</p>

Answer 3

In the script when a successful POST has finished:

header('Location: http://'.$_SERVER['HTTP_HOST'].'/finalpage.php', TRUE, 303);

Note this should include an absolute URL, not just /finalpage.php; relative URIs in a Location header are not allowed by the HTTP RFC and not supported by some browsers. Also 303 is strictly speaking more correct than the default 302.

If you want the redirect to simply fetch the same page again as a GET you can do:

header('Location: '.$_SERVER['PHP_SELF'], TRUE, 303);

Also:

action="<?php echo $_SERVER['PHP_SELF']; ?>"

is insecure, potentially a HTML-injection hole leading to XSS. All text strings being output into HTML content or attribute values must be escaped appropriately:

action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"