Page 2 of 4

Posted: Tue Jun 27, 2006 10:25 pm
by shoebappa
That it does, which is prolly the real answer from what I gather from the question. But a good overview of Get and Post none the less... Which leads me to a more appropriate thread topic: GET and POST. Assuming we understand the question, too bad you can't italicize the topic, or can you?

Re: I had a revelation today.

Posted: Wed Jun 28, 2006 12:35 am
by RobertGonzalez
Daedalus- wrote:Forever and ever, whenever I would be writing admin pages, I would POST the form. Now, you can't post to something sexy like a querystring.
This is the part of the entire thread I don't understand. Why don't you just post the form to a named page? And not $PHP_SELF (reliance on PHP setting that global var is bad) or $_SERVER['PHP_SELF'] (because not all server vars are accessible on all servers or secure on all servers - a thread talked about muchly within this community). And if you are taking the time to add the query string vars to the post url, why not just add them as hidden fields to the form so they can post?

I am confused by this whole thing.

Posted: Wed Jun 28, 2006 1:00 am
by daedalus__
I suppose I went about this all wrong. I will keep this simple.

First, I always wanted a user to see nothing but query strings throughout my whole website. This may seem stupid but I just like it. It's how I learned to code through various tutorials and the help of someone whom I consider my mentor.

Let's say I have a weblog, and I am writing the code for a page to add a new entry..

Code:

<?php
// add a new entry

if ($_POST)
{
    // grab the post variables and do the database stuff
}
else
{
?>
    <form action="addweblog.php" method="post">
        <input type="text" name="title" />
        <input type="text" name="body" />
        <input type="submit" value="Add" />
    </form>
<?php
}
You have to POST forms to a real page, you can't use querystrings that call includes.

That is how I structure my pages simply because I think that since it is all related, it should all go in the same place, right?

I do not want people to see those blah.php urls. I hate them. I don't want the page my form is being processed on to be completely obvious to the user.

Now, sure, I could just have a page like this:

Code:

<?php
// add a new entry

if ($_POST)
{
    // grab the post variables and do the database stuff
    print '
    <h4>Add another entry</h4>

    <form action="addweblog.php" method="post">
        title: <input type="text" name="title" />
        body: <input type="text" name="body" />
        <input type="submit" value="Add" />
    </form>';
}
else
{
    print '
    <h4>Add an entry</h4>

    <form action="addweblog.php" method="post">
        title: <input type="text" name="title" />
        body: <input type="text" name="body" />
        <input type="submit" value="Add" />
    </form>';
}
I would have to write the same code twice and then they would be able to see the physical address of the page relative to my domain AND I would have to reinclude all the stuff that has the html and css for the page layout.

I used to think, "ugh why not just redirect them". So I did.

After spending a lot of time reading, and a bit of time on this forum, I realised that it would be equally stupid IMO.

So. I finally figured out what I think is a good way to do it, yesterday.

Post everything to one page, index.php, have the classes do everything else.

After reading through this thread, I realise that this probably either seems stupid to everyone else, or I am not explaining myself correctly.

If this thread isn't going to be of any use to anyone because of my inability to explain this, then I will simply delete it.

edit: I also just thought that maybe I am just an idiot and I have bad technique. Trying to find out if how I design things is a 'good' way of doing it is part of what I wanted to accomplish with this thread. I like the way I figured out yesterday, it's easy for me. I wrote four 'pages' in the same amount of time it used to take me to write one. Even though making something work best for myself is the point of learning new ways to implement stuff, I still want to know how other people do it, and what the accepted standard is. I'm also starting to think I should just post a .zip with code so everyone can better understand what I mean.

Posted: Wed Jun 28, 2006 1:30 am
by RobertGonzalez
Daedalus- wrote:You have to POST forms to a real page, you can't use querystrings that call includes.
Why not? What stops query string vars from implementing includes?
Daedalus- wrote:Now, sure, I could just have a page like this:

Code:

<?php
// add a new entry

if ($_POST)
{
    // grab the post variables and do the database stuff
    print '
    <h4>Add another entry</h4>

    <form action="addweblog.php" method="post">
        title: <input type="text" name="title" />
        body: <input type="text" name="body" />
        <input type="submit" value="Add" />
    </form>';
}
else
{
    print '
    <h4>Add an entry</h4>

    <form action="addweblog.php" method="post">
        title: <input type="text" name="title" />
        body: <input type="text" name="body" />
        <input type="submit" value="Add" />
    </form>';
}
I would have to write the same code twice and then they would be able to see the physical address of the page relative to my domain AND I would have to reinclude all the stuff that has the html and css for the page layout.
Why wouldn't you...

Code:

<?php
if ($_POST)
{
    // grab the post variables and do the database stuff
}
?>
    <h4>Add an entry</h4>

    <form action="addweblog.php" method="post">
        title: <input type="text" name="title" />
        body: <input type="text" name="body" />
        <input type="submit" value="Add" />
    </form>
Daedalus- wrote:So. I finally figured out what I think is a good way to do it, yesterday.

Post everything to one page, index.php, have the classes do everything else.

After reading through this thread, I realise that this probably either seems stupid to everyone else, or I am not explaining myself correctly.
This makes perfect sense. I am doing this with my own website right now. I am just wondering how you were taught before. :wink:
Daedalus- wrote:If this thread isn't going to be of any use to anyone because of my inability to explain this, then I will simply delete it.
Don't do that. Threads around here are useful in two different respects. Some teach us what we should do. Others teach us what we should not do. Either way, we are being taught. Thanks for posting.

Posted: Wed Jun 28, 2006 1:54 am
by Christopher
Hey Daedalus, what you have discovered is called a Front Controller. Best thing since sliced bread. There is a lot of information about them around the web and almost every PHP framework uses one. You sound very particular about your code, but here is a simple Front Controller here[url] that I posted a while back.

Posted: Wed Jun 28, 2006 4:29 am
by timvw
shoebappa wrote: There's also the handy $PHP_SELF variable
Using $_SERVER['PHP_SELF'] opens your site for XSS attacks...

Posted: Wed Jun 28, 2006 4:35 am
by timvw
shoebappa wrote:S
Just ? no anchor:

POST /getpost.php?testget1=1&testget2=2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

With anchor:
POST /getpost.php HTTP/1.1
Content-Length: 23

That was in firefox, I knew I didn't like that idea when I first saw it. Hell it doesn't even work in IE either!
Anchors are not submitted.. Which makes it expected behaviour that you don't get to see it at the server-side...
shoebappa wrote: I repeat, don't use action="#?getdata"!!!
I agree. As I already said, simply use '#' to make the browser post to the URL it's currently displaying.

shoebappa wrote: action="<?php echo $PHP_SELF; ?>?getdata"
Do not use $_SERVER['PHP_SELF'] like this, it makes your form vulnerable to XSS attacks.
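Why an unescaped $_SERVER['PHP_SELF'] in a form action is an XSS sink, shown as an added example that is not code from the thread. It assumes the script is served as /form.php and that the web server passes trailing path info to PHP (the usual Apache setup); the function names and the sample request path are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Assumes this script is served as
// /form.php and that the web server passes trailing path info to PHP (the
// common Apache configuration). PHP_SELF is then the script path exactly as
// the client requested it, so a request for
//     /form.php/"><b>injected</b><!--
// puts that markup, unescaped, into $_SERVER['PHP_SELF'].

// Vulnerable pattern from the thread: request-controlled text lands inside an
// HTML attribute with no escaping, so a quote in the path closes the attribute
// and whatever follows is parsed as markup.
function actionVulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '?getdata" method="post">';
}

// Fix 1: escape on output. ENT_QUOTES turns both quote characters into
// entities, so the attribute value cannot be terminated early.
function actionEscaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '?getdata" method="post">';
}

// Fix 2 (what timvw recommends): do not echo the path at all. An empty action
// submits to the URL the browser is currently showing.
function actionFixed(): string
{
    return '<form action="" method="post">';
}

// Constructed $_SERVER value for the hostile request above; when used for
// real, pass $_SERVER itself.
$sample = ['PHP_SELF' => '/form.php/"><b>injected</b><!--'];

echo actionVulnerable($sample), PHP_EOL;  // attribute closed, <b> becomes live markup
echo actionEscaped($sample), PHP_EOL;     // &quot;&gt;&lt;b&gt;... stays inert text
echo actionFixed(), PHP_EOL;
```

Fix 2 drops the "?getdata" query string along with the path; if the handler needs those values, carry them as hidden inputs inside the form, as RobertGonzalez suggests earlier in the thread, rather than rebuilding a URL from request data.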

Posted: Wed Jun 28, 2006 4:46 am
by timvw
Daedalus- wrote: You have to POST forms to a real page, you can't use querystrings that call includes.
I just don't understand what you're trying to say with: 'you can't use querystrings that call includes'???
Daedalus- wrote: I would have to write the same code twice and then they would be able to see the physical address of the page relative to my domain AND I would have to reinclude all the stuff that has the html and css for the page layout.
Since the only difference is the text between h4 I'd write a function for it. And call it with 'add new entry' and with 'add other entry'.

I'd probably have another parameter that accepts an action for the form... As already mentioned, if you want the users to post to the page they're currently on, you'd have to use the empty string (or '#' which is the same).

Posted: Wed Jun 28, 2006 5:59 am
by Jenk
Gripe time..

Code:

if ($_POST) {
Is an improper challenge.

Code:

if (!empty($_POST)) {
is the correct challenge for checking if the $_POST array has any indices.

You will also need to specifically check for the values you wish to use, else someone sending dummy POST data will bork your site.

Posted: Wed Jun 28, 2006 3:54 pm
by daedalus__
Jenk, it was pseudo code.

Everyone else, you lost me last page.

arborint, thank you thank you thank you.

I would have never figured out what the hell this is called without your post.

I always, always write my own code. I honestly don't care if God himself wrote the script. I still write my own code. It is something I am very, very particular about. I don't know why but I have to. It just so happens that while I love writing everything myself, I also haven't the slightest clue what I am doing. I started on absolute scratch without instruction. I am not someone who even attended a high school level class on programming and when most people talk to me, I have no idea what they are talking about but I know how to make things work.

The problem with that is that whenever I find myself doing something new, it isn't new. Someone else has done it and there are all these really shiny words that describe it. I don't know about any of it. I just know it is very, very satisfying when I learn something without someone else having to show or tell me.

I am very, very particular about the way I write my code and the way my programs operate. Sometimes I really hate the way I do things but it's the only way I know how. This Front Controller thing saves me. It keeps me from having to do several things that drive me nuts.

I'm glad I know what the hell to call it now lol.

timvw, I don't know what the hell I was talking about either.

but then I remembered

and then I tested something

I am an idiot. I just made two pages, index.php and form.php. form.php posts to ?q=form. It worked. :- /

I think that I was probably working on one or more other problems and for some reason there was some interference.
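A minimal Front Controller of the kind Christopher names and daedalus tests with form.php posting to ?q=form, written here as an added example; it is not code from the thread or from Christopher's link. It assumes per-page scripts under a pages/ directory beside index.php and hypothetical layout_header.php / layout_footer.php files for the shared HTML and CSS. The part a practitioner should take from it is the allow-list: the request picks a name, never a path.

```php
<?php
// index.php: added example of a minimal Front Controller. Not code from the
// thread. Assumes the per-page scripts live in pages/ beside index.php and that
// layout_header.php and layout_footer.php (hypothetical) hold the shared HTML
// and CSS.
//
// Every request, GET or POST, is addressed as index.php?q=<name>, so the
// visitor only ever sees query strings. The one hazard in "query strings that
// call includes" is letting the raw value of q choose the file:
// include($_GET['q'] . '.php') would let a request pull in any file PHP can
// read. The allow-list below is what makes the dispatch safe.

// Public page names mapped to scripts. A request is only honoured if its q
// value is a key here; nothing derived from the request is ever used as a path.
const PAGES = [
    'home' => 'pages/home.php',
    'form' => 'pages/form.php',   // renders <form action="index.php?q=save" method="post">
    'save' => 'pages/save.php',   // handles that POST and prints the form again
];

function resolvePage(array $get, array $pages): string
{
    // Only a plain string is considered; q[]=x or a missing q means home.
    $q = isset($get['q']) && is_string($get['q']) ? $get['q'] : 'home';
    // Exact, case-sensitive key match; anything else falls back to home.
    return array_key_exists($q, $pages) ? $pages[$q] : $pages['home'];
}

// Constructed requests showing the decision; no file is opened here.
foreach (['form', 'save', 'form.php', '../config', 'FORM', ''] as $probe) {
    printf("q=%-12s -> %s\n", var_export($probe, true), resolvePage(['q' => $probe], PAGES));
}

// The real dispatch, skipped when this file is run from the command line so
// the demonstration above works without the page scripts present.
if (PHP_SAPI !== 'cli') {
    $script = resolvePage($_GET, PAGES);
    require __DIR__ . '/layout_header.php';
    require __DIR__ . '/' . $script;
    require __DIR__ . '/layout_footer.php';
}
```

Run it with `php index.php` to see how 'form.php', '../config', 'FORM' and an empty value all resolve to the home page: the request never influences the file name beyond selecting a key that already exists in the map.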

Posted: Wed Jun 28, 2006 4:13 pm
by RobertGonzalez
Leave it. It is good learning material.

Posted: Wed Jun 28, 2006 4:29 pm
by jayshields
Well I can't make a lot of sense of this thread, but for reference, if I've got a form on a page, I use this method:

Code:

<?php
if (isset($_POST['submit'])) {
    // handle the form
}

echo '<form action="index.php"'./*self*/' method="post">
<input type="text" name="whatever" />
<input type="submit" name="submit" />
</form>';

Posted: Wed Jun 28, 2006 6:29 pm
by bokehman
timvw wrote:Using $_SERVER['PHP_SELF'] opens your site for XSS attacks...
How?

Posted: Wed Jun 28, 2006 6:35 pm
by bokehman
Jenk wrote:Gripe time..

Code:

if ($_POST) {
Is an improper challenge.
Why? $_POST is always set whatever the request type, and if ($_POST) returns false if it is an empty array.
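The three submission checks compared by Jenk, jayshields and bokehman side by side, together with the per-field validation Jenk asks for, as an added example that is not code from the thread. The field names, length limits and sample submissions are assumptions constructed for an add-entry form.

```php
<?php
// Added example, not code from the thread. It puts the three submission checks
// the posters compare side by side and adds the per-field validation Jenk asks
// for. Field names and length limits are assumptions for an add-entry form.
//
//   if ($_POST)              true for a non-empty array; bokehman is right that
//                            an empty array is falsy, so this does test for
//                            "any POST data at all".
//   if (!empty($_POST))      the same result for $_POST, which PHP always sets;
//                            empty() only adds value for a possibly-unset variable.
//   isset($_POST['submit'])  jayshields' check; it relies on the button's
//                            name/value being sent, which a scripted client can
//                            omit and which not every browser includes on an
//                            Enter-key submission.
// None of the three tells you the request method; REQUEST_METHOD does.

function isPost(array $server): bool
{
    return isset($server['REQUEST_METHOD']) && $server['REQUEST_METHOD'] === 'POST';
}

// Check each expected field explicitly. Keys that are not listed are dropped,
// so "dummy POST data" never reaches the database code.
function validateEntry(array $post): array
{
    $limits = ['title' => 200, 'body' => 20000];   // assumed byte limits
    $clean  = [];
    $errors = [];
    foreach ($limits as $field => $maxLen) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing or not a string";
            continue;
        }
        $value = trim($post[$field]);
        if ($value === '') {
            $errors[] = "$field is empty";
        } elseif (strlen($value) > $maxLen) {
            $errors[] = "$field exceeds $maxLen bytes";
        } else {
            $clean[$field] = $value;
        }
    }
    return ['ok' => $errors === [], 'fields' => $clean, 'errors' => $errors];
}

// Constructed submissions: a normal one, unrelated keys only, and an array
// smuggled in as title[]=x where a string is expected.
$cases = [
    'good'  => ['title' => 'First post', 'body' => 'Hello', 'submit' => 'Add'],
    'dummy' => ['foo' => 'bar'],
    'array' => ['title' => ['x'], 'body' => 'Hello'],
];
foreach ($cases as $name => $post) {
    $result = validateEntry($post);
    printf("%-5s  if(\$_POST)=%-3s isset(submit)=%-3s valid=%-3s %s\n",
        $name,
        $post ? 'yes' : 'no',
        isset($post['submit']) ? 'yes' : 'no',
        $result['ok'] ? 'yes' : 'no',
        implode('; ', $result['errors']));
}

// The method check on constructed server arrays (GET never counts as a submission).
printf("GET is post? %s, POST is post? %s\n",
    isPost(['REQUEST_METHOD' => 'GET']) ? 'yes' : 'no',
    isPost(['REQUEST_METHOD' => 'POST']) ? 'yes' : 'no');

// In the page itself the handler is guarded like this:
//   if (isPost($_SERVER)) { $r = validateEntry($_POST); if ($r['ok']) { /* save $r['fields'] */ } }
```

The 'dummy' case is the one that settles the argument: if ($_POST) and !empty($_POST) both say yes, isset($_POST['submit']) says no, and only the field validation explains why nothing should be written.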

Posted: Thu Jun 29, 2006 4:45 am
by timvw
bokehman wrote:
timvw wrote:Using $_SERVER['PHP_SELF'] opens your site for XSS attacks...
How?
by doing your own research... $_SERVER['PHP_SELF'] XSS returns enough valuable resources...