5
Hello, How do I send a contact form for example, refresh the page and display the sending message?
Code: Javascript:
function showAlert(type, message)
{
if (message !== '')
{
if (type === '')
{
type = 'success';
type = 'danger';
type = 'info';
type = 'warning';
}
$('#alert').removeClass();
$('#alert').addClass('alert alert-' + type).html(message).slideDown();
setTimeout("closeAlert()", 15000);
}
$(function ()
{
$('#alert').click(function ()
{
closeAlert();
});
});
function closeAlert()
{
$('#alert').slideUp();
$('#alert').removeClass();
}
HTML:
<div id='alert'></div>
PHP:
echo "<script>
window.onload = function ()
{
showAlert('success', 'Perfil atualizado com sucesso.');
};
</script>";
Displaying the message in a different way, only it seems to me there are security holes in it if there is no way..
messages.php
<?php
if (isset($_GET['action']))
{
$action = $_GET['action'];
if($action=='registered')
{
echo '<div class="alert alert-success">
<button type="button" class="close" data-dismiss="alert">×</button>
<strong>Sucesso!</strong> avaliação cadastrada obrigado pela colaboração.
</div>';
}
}
?>
Then I’ll include the message where I want it:
include("/system/messages.php");
and call via _GET:
echo '<script language= "JavaScript">
location.href="?p=cadastro&action=registered";
</script>';
With that the invader can, for example, put a path from an external script in place of the variable: http://www.meusite.com.br/? p=http://sitedumal.net/deleta-banco.php Your site would include the file normally and run everything within it... The rest you can imagine.
Do it in a safe way:
// Define uma lista com os array que poderão ser chamados na URL
$allowed = array($nomeUsuario, 'perfil-updated', 'perfil-updated-error');
// Verifica se a variável $_GET['action'] existe E se ela faz parte da lista de arquivos permitidos
if (isset($_GET['action']) AND (array_search($_GET['action'], $allowed) !== false))
{
$action = $_GET['action'];
if($action=='perfil-updated')
{
echo '<div class="alert alert-success">
<button type="button" class="close" data-dismiss="alert">×</button>
<strong>Sucesso!</strong> Perfil atualizado.
</div>';
}
if($action=='perfil-updated-error')
{
echo '<div class="alert alert-danger">
<button type="button" class="close" data-dismiss="alert">×</button>
<strong>Erro ao atualizar!</strong> Não foi possível atualizar o perfil.
</div>';
}
}
else
{
// Se não existir variável $_GET ou ela não estiver na lista de permissões, define um valor padrão
echo '<script language= "JavaScript">
location.href="?p=profile&action='.$nomeUsuario.'";
</script>';
}
Yes, via _GET I managed to do, only it has gives security problems to the site
– William Alvares
I edited my post, please take a look
– William Alvares
Basically, all kinds of methods you use will result in the same. Anyone can post something to the URL or create a cookie. To avoid this "insecurity" you must use conditions
if
to check if such a thing is incorrect, if it is various or if it already exists. I hope it is useful to you.– Klaider