Hello,
You mustn't rely on JavaScript validation. That's just a guide to prevent the user from submitting the page multiple times and getting error messages. JavaScript helps the user by displaying error messages as soon as possible.
Your first page must contain form validation JavaScript to help the user, and the form method should be POST to the second page.
The second page should begin with session_start(), then it should validate the form elements (you have to validate everything on the server again). If the input is OK, put all the input elements in an associative array and then put the array in $_SESSION:

    session_start();
    // exit after each redirect header, otherwise the rest of the script still runs
    if (empty($_POST['first_name'])) { header('Location: page1.php'); exit; } // if the user tried to trick us by messing with the JavaScript, send him back!
    if (empty($_POST['last_name'])) { header('Location: page1.php'); exit; } // if the user tried to trick us by messing with the JavaScript, send him back!
    $user_data = array(
        'first_name' => $_POST['first_name'],
        'last_name' => $_POST['last_name']
    );
    $_SESSION['page1_input'] = $user_data;

Then you echo the confirmation HTML, with a form that doesn't contain any input elements and just redirects the user to page3.php.
The third page should also begin with session_start() because ALL the pages that want to work with session variables need to initialize the session when they're requested. Then it should use the information in $_SESSION:

    session_start();
    // exit after the redirect header so the processing below is not reached
    if (!isset($_SESSION['page1_input'])) { header('Location: page1.php'); exit; } // user tried to load this page directly, without passing through pages 1 and 2.
    processInformationInUserDataAssociativeArray($_SESSION['page1_input']);
    unset($_SESSION['page1_input']);

And now it should say thanks.
Keep in mind that anyone can disable JavaScript on their browser and anyone can replace YOUR JavaScript with THEIR own JavaScript code! Anyone can easily emulate form submission with both the GET and POST method and they can even emulate the form as being posted from your own domain when it's not. Never say "never," there's always some idiot trying to mess with your website to steal information, so you should follow at least the steps I've posted above.
If you have any questions regarding this process, let me know :)
Hope this helps,
Tom
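
An added example, not part of Tom's post: a sketch of the page-2 server-side check that goes beyond `empty()` by rejecting non-string input and stopping the script after the redirect. It assumes PHP 8.1 or later; the helper names, the 50-character limit and the allowed-character pattern are hypothetical choices, while the field names and page names follow the post.

```php
<?php
// Added example: hypothetical page2.php. Helper names, the length limit and
// the allowed-character pattern are assumptions, not from the original post.
declare(strict_types=1);

/** Validate one name field; returns the cleaned value or null if invalid. */
function clean_name(mixed $raw): ?string
{
    if (!is_string($raw)) {          // first_name[]=x arrives as an array
        return null;
    }
    $value = trim($raw);
    // Letters, spaces, apostrophes, hyphens; 1 to 50 characters (assumed policy).
    if (!preg_match('/\A[\p{L} \'\-]{1,50}\z/u', $value)) {
        return null;
    }
    return $value;
}

/** Validate the whole page-1 form; returns the data array or null. */
function validate_page1(array $post): ?array
{
    $data = [];
    foreach (['first_name', 'last_name'] as $field) {
        $clean = clean_name($post[$field] ?? null);
        if ($clean === null) {
            return null;
        }
        $data[$field] = $clean;
    }
    return $data;
}

function redirect_and_stop(string $page): never
{
    header('Location: ' . $page);
    exit;   // header() alone does not end the script
}

if (PHP_SAPI !== 'cli') {            // page logic runs only under a web server
    session_start();
    $user_data = ($_SERVER['REQUEST_METHOD'] === 'POST') ? validate_page1($_POST) : null;
    if ($user_data === null) {
        redirect_and_stop('page1.php');
    }
    $_SESSION['page1_input'] = $user_data;   // only validated values reach the session
    // Escape on output when echoing the confirmation HTML.
    echo 'Please confirm: ' . htmlspecialchars($user_data['first_name'] . ' ' . $user_data['last_name'], ENT_QUOTES, 'UTF-8');
}
```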