Help understanding this

Posted: Mon Aug 08, 2005 2:54 pm
by Addos
I’m looking for a bit of help here in understanding some PHP. I work alone so do go easy as I’m plugging away at my own analyses and am looking for a bit of advice as to whether I’m getting this correct.

My code

Code:

<?
$editFormAction = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
  $insertGoTo = "guestbook.php";
  if (isset($_SERVER['QUERY_STRING'])) {
  $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
  $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
}
}

<form method="post" name="form1" action="<?php echo $editFormAction; ?>">
****************
The Analysis

Code:

<?
$editFormAction = $_SERVER['PHP_SELF'];
Tested on a live server, $editFormAction returns: /form_action_result.php. Note that the ? is missing from the string.
So, if the Query_String is set:

Code:

if (isset($_SERVER['QUERY_STRING'])) {
Then proceed to add the “?” into the string.

Code:

$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']); }
Tested on a live server, $editFormAction returns:

Code:

/form_action_result.php?
htmlentities: Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made.

A couple of my questions are as follows.

Why do we need to use action="<?php echo $editFormAction; ?>" in the first place? Is this so that somebody cannot try to spoof the page to which the form is being passed?

The "?" is added to the string once the Query_String is set, but why is this needed, and why is it not enclosed by '?' instead? I thought that the double quotes were to get PHP to parse any value between the two quotes.

The use of the ? is a little puzzling. I appreciate it is not used as a 'ternary' operator above, but below it has me really puzzled and I have yet to fully analyse it.

Code:

$insertGoTo = "some_page.php";
  if (isset($_SERVER['QUERY_STRING'])) {
  $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
  $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
Many thanks to anyone who has the patience to help me out. I've only been at this as a complete novice since January, so apologies if my use of coding language is not accurate.
B

Posted: Mon Aug 08, 2005 3:07 pm
by Ambush Commander
First things first, if you are learning PHP, let's get some good habits going, including indenting your PHP and not using shorttags like:

Code:

<?php
$editFormAction = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

$insertGoTo = "guestbook.php";

if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
}
header(sprintf("Location: %s", $insertGoTo));

//Wtf? Where did these braces come from?
}
}
}

//I don't know, but you need a closing php tag.
?>

<form method="post" name="form1" action="<?php echo $editFormAction; ?>">
You're not giving us the full code, but that's okay. You just won't get as good answers. ;)
Why do we need to use action="<?php echo $editFormAction; ?>" in the first place? Is this so that somebody cannot try to spoof the page to which the form is being passed?
No, it's to make sure we're passing around the variables to the right page. Without action, the form doesn't work. Nothing to do with spoofing.
The "?" is added to the string once the Query_String is set, but why is this needed, and why is it not enclosed by '?' instead? I thought that the double quotes were to get PHP to parse any value between the two quotes.
There's almost no difference, "" can still be used to do static variables (there's pretty much no difference). Personally, I use '' for statics and "" for interpolates, but you can use "" for statics too.

By the way, what you posted doesn't work: are you using Microsoft Word to write your post? “ ” and the like are not the same as " and ".
The use of the ? is a little puzzling. I appreciate it is not used as a 'ternary' operator above, but below it has me really puzzled and I have yet to fully analyse it.
You're getting confused by the ? and the "?". The ? (without quotes) is, indeed, a ternary operator, so I gather you know how it works. "?" is simply a one-character string that consists of a ? character. It has nothing to do with ternary operators; rather, it's for the URL (i.e. index.php?bang=1&foo=bar).

A few more suggestions for your code: Don't use '&', use '&amp;', see http://www.w3.org/TR/xhtml1/guidelines.html#C_12

Posted: Mon Aug 08, 2005 3:16 pm
by feyd
*cough*

$_SERVER['REQUEST_URI']

Posted: Mon Aug 08, 2005 3:29 pm
by Addos
Hi,
Thanks for your very fast and thorough reply.
Sorry for any confusion as I have taken the snips of code from a page that works ok for me but I didn’t want to go pasting loads of code unless it was necessary.
This is a little more and yes I’m doing all this up in my Word document for future study.

Code:

$editFormAction = $_SERVER['PHP_SELF'];
  if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  if (!$nomessage && !$error)  {
    if (!$nomessage && !$error_email)  {
      // If no errors, send email and redirect to acknowledgment page
      mail($to,$subject,$message,$headers);
      $insertSQL = sprintf("INSERT INTO guestbook (etc);

      $insertGoTo = "some_page.php";
      if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
      }
      header(sprintf("Location: %s", $insertGoTo));
I wonder why the ? is only added once the Query_String is set. What is the significance of this conditional statement? Also, I was most interested in your link to the proper use of &, and is this similar to the need to use htmlentities once the Query_String has been set?

Thanks too, feyd, but I'm missing the obvious here when you coughed! $_SERVER['REQUEST_URI'].

B

Posted: Mon Aug 08, 2005 3:34 pm
by s.dot
The ? is only added to the query string because you need it to pass values to the URL.

Code:

http://www.domain.com/page.phpvalue1=foovalue2=bar
Would not do anything, except throw you an error.

Code:

http://www.domain.com/page.php?value1=foo&value2=bar
Separates the page from variables.
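The two pieces of code the thread keeps coming back to, the form action and the redirect target, as an added example that is not from any of the posters. It goes slightly beyond the snippets above: it tests for a non-empty QUERY_STRING rather than isset() (the trailing "?" the original poster saw on the live server comes from QUERY_STRING being set to an empty string), and it compares strpos() with !== false. Function names and the sample request values are my own.

```php
<?php
// Added example, not code from the thread.

// Build the form action: current script path plus the query string, entity-encoded
// because the result is written into an HTML attribute (action="...").
function buildFormAction(array $server): string
{
    // Encode the path too: PHP_SELF can carry extra path info typed by the
    // visitor, so it must not reach the attribute raw either.
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');

    // QUERY_STRING is normally set to "" even when the URL has no "?", so
    // isset() alone yields "page.php?"; require a non-empty value instead.
    if (!empty($server['QUERY_STRING'])) {
        // & becomes &amp; here, which is the encoding the XHTML guideline asks for.
        $action .= '?' . htmlspecialchars($server['QUERY_STRING'], ENT_QUOTES, 'UTF-8');
    }
    return $action;
}

// Build the redirect target: append the query string, using "&" when the
// target already contains a "?" and "?" otherwise (the ternary from the thread).
function buildRedirect(string $target, array $server): string
{
    if (!empty($server['QUERY_STRING'])) {
        // strpos() returns 0 for a "?" at position 0, so compare with !== false.
        $target .= (strpos($target, '?') !== false) ? '&' : '?';
        $target .= $server['QUERY_STRING'];
    }
    return $target;
}

// Constructed sample request values standing in for $_SERVER.
$sample = [
    'PHP_SELF'     => '/guestbook/form.php',
    'QUERY_STRING' => 'name=O%27Brien&lang=en',
];

// Where the original code would echo the action into the form tag:
echo '<form method="post" name="form1" action="', buildFormAction($sample), "\">\n";

// Where the original code would call header("Location: ..."):
echo buildRedirect('some_page.php', $sample), "\n";
echo buildRedirect('some_page.php?step=2', $sample), "\n";
```

With an empty QUERY_STRING both functions return their input unchanged, which is the behaviour the conditional in the thread is there to provide.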