Page 1 of 1

$PHP_SELF and $submit not working

Posted: Wed Dec 28, 2005 3:34 pm
by mallkuma
HawleyJR:Please use tags when Posting PHP Code In The Forums

Hi All,

I am new to PHP and MySQL. I am trying to run this script which basically takes input through a web form, validates, and writes to the database. However, when I use $PHP_SELF and $submit, the page just refreshes itself even after the submit button has been clicked. The script works fine when I use isset($_POST[]) instead of $submit and when I leave the form action unfilled. I am attaching both the codes here. Please let me know why I have issues with $PHP_SELF and $submit.

Thanks in advance!

Kumar

Code: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<?php

include("config.php");

 if($submit)  {
      $title = mysql_real_escape_string($_POST['title']);
      $text1 = mysql_real_escape_string($_POST['text1']);
      $text2 = mysql_real_escape_string($_POST['text2']);
              if(!$title){
                     echo "Error: News title is a required field. Please fill it.";
                     exit();
              }
         $result = mysql_query("INSERT INTO news (title, dtime, text1, text2) VALUES ('$title',NOW(),'$text1','$text2')",$connect);

          echo "<b>Thank you! News added Successfully!<br>You'll be redirected to Home Page after (4) Seconds";
          echo "<meta http-equiv=Refresh content=4;url=index.php>";
  }

 else

  {
      ?>
      <br>
      <h3>::Add News</h3>
      <form method="post" action="<?php echo $PHP_SELF ?>">
      Title: <input name="title" size="40" maxlength="255">
      <br>
      Text1: <textarea name="text1"  rows="7" cols="30"></textarea>
      <br>
      Text2: <textarea name="text2" rows="7" cols="30"></textarea>
      <br>
      <input type="submit" name="submit" value="Add News">
      </form>
 <?php
  }
?>

</body>
</html>

*************THE SCRIPT THAT WORKS********************

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<?php

include("config.php");

if (isset($_POST['title']) && isset($_POST['text1']) && isset($_POST['text2'])) 

{
	// Set global variables to easier names
     // and prevent sql injection and apostrophe to break the database.

	$title = mysql_real_escape_string($_POST['title']);
	$text1 = mysql_real_escape_string($_POST['text1']);
	$text2 = mysql_real_escape_string($_POST['text2']);
	
	//check if title field is empty and print an error message
	
	if(!$title)
		{
		echo "Error:  News Title is a required field.  Please fill it.";
		exit();
		}
		
	//run query to insert the form input
	
	$result = mysql_query("INSERT INTO news (title, dtime, text1, text2) VALUES ('$title',NOW(),'$text1','$text2')",$connect)
	or die('Failed to insert into the table' .mysql_error())
	;
	
	echo "<b>Thank you!  Your NEWS has been added successfully!<br> You will be redirected to the home page in 4 seconds";
	
	echo "<meta http-equiv=Refresh content=4; url=index.php>";
} //endif of if($submit)

//if form has not been submitted yet

else

{

?>

<br>
<h3>::Add News</h3>


<form method="post" action="">
      Title: <input name="title" size="40" maxlength="255">
      <br>
      Text1: <textarea name="text1"  rows="7" cols="30"></textarea>
      <br>
      Text2: <textarea name="text2" rows="7" cols="30"></textarea>
      <br>
      <input type="submit" name="clicked" value="Add News">
</form>

<?php
  } //end of else
?>
</body>
</html>
HawleyJR:Please use tags when Posting PHP Code In The Forums

Posted: Wed Dec 28, 2005 6:34 pm
by harrisonad
Where did you get the $submit variable anyway?
try printing the passed variables upon submission using print_r($_POST)[/p]

Posted: Wed Dec 28, 2005 7:26 pm
by wtf
that's becaust register_globals are off on your hosting server you'll either have to set register_globals = on if you have access to php.ini or stick with $_POST/$_GET

Posted: Wed Dec 28, 2005 7:32 pm
by Chris Corbyn
Yep, register_gloabls is off... and damn rightly so! Google for "PHP register globals security" and you'll see. $PHP_SELF should be $_SERVER['PHP_SELF'] --- even that's tainted. $postvarname should be $_POST['postvarname']. PHP can be nastily nice to you... but just be aware of what is good practise and what is not ;)

Thanks all!!

Posted: Wed Dec 28, 2005 9:45 pm
by mallkuma
Thanks all!! The Register_Global was indeed off. However, I did make the script work using $_REQUEST.

Posted: Thu Dec 29, 2005 6:24 am
by Jenk
try not to use $_REQUEST - be specific and use $_GET/$_POST/$_COOKIE instead.