[SOLVED] Simple form using $_SERVER['PHP_SELF']

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

[SOLVED] Simple form using $_SERVER['PHP_SELF']

Post by Draco_03 »

Code: Select all

if(isset($_POST['go'])){
	echo"It worked!!";
} else {

	echo "<center>
	<form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
	<select name=\"province\">
	<option>Choose your province</option>
	";
	
	$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
	$result = mysql_query($query);
	
	$num_rows = mysql_num_rows($result);
	
	for ($i=0; $i<$num_rows; $i++){
		$value = mysql_fetch_array($result);
		echo "<option value=\"$value[client_province]\">$value[client_province]</option>";
	}
	echo "
	</select>
	<input type=\"submit\" value=\"Go\" />
	</form></center>";
}
I get my drop down alright but on submit it simply refresh the page.
My guess is that my $_server variable isn't used correctly, but i'm not quite sure what to do.

Any help is welcome
Last edited by Draco_03 on Fri Mar 30, 2007 2:22 pm, edited 1 time in total.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

The form points to itself, so yes, it will "refresh" the page.

$_POST["go"] is not the same as $_POST["Go"] in PHP.

EDIT | You need to put name="go" on your <input /> tag. It's $_POST["$name"] not $_POST["$value"].
Last edited by Chris Corbyn on Fri Mar 30, 2007 2:14 pm, edited 1 time in total.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

The submit button will need a name attribute.
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

Thx :)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Do not use $_SERVER['PHP_SELF'] for the generation of html, it's a serious security risk...

Instead, simply use <form action="#" ... > , it will do exactly the same (post to the originating url).
User avatar
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care. ;)
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

stereofrog wrote:isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care. ;)
I do care, tell me what's wrong with my $_SERVER['PHP_SELF'].
ps : NEW code that works

Code: Select all

if(isset($_POST['Goprovince'])){
	
	$province = $_POST['province'];
	
	echo "
	<div id="main_title">".$province."</div>
	<div id="main_text">
	<center>
	<form action="city_en.php" method="post">
	<select name="city" class="input_select">
	<option>Choose your city</option>
	";
	
	$query = "SELECT DISTINCT client_city FROM clients WHERE client_province = '$province' ORDER BY client_city";
	$result = mysql_query($query);
	
	$num_rows = mysql_num_rows($result);
	
	for ($i=0; $i<$num_rows; $i++){
		$value = mysql_fetch_array($result);
		echo "<option value="$value[client_city]">$value[client_city]</option>";
	}
	echo "
	</select>
	<input name="Gocity" type="submit" value="Go" />
	</form></center>";
} else {

	echo "
	<div id="main_title">Choose your province</div>
	<div id="main_text">
	<center>
	<form action="".$_SERVER['PHP_SELF']."" method="post">
	<select name="province" class="input_select">
	<option>Choose your province</option>
	";
	
	$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
	$result = mysql_query($query);
	
	$num_rows = mysql_num_rows($result);
	
	for ($i=0; $i<$num_rows; $i++){
		$value = mysql_fetch_array($result);
		echo "<option value="$value[client_province]">$value[client_province]</option>";
	}
	echo "
	</select>
	<input name="Goprovince" type="submit" value="Go" />
	</form></center>";
}
User avatar
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:

Code: Select all

# WRONG!

echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';

# correct

echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

stereofrog wrote:$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:

Code: Select all

# WRONG!

echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';

# correct

echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Thank you, I will change it

PS : Is using single quote instead of double quote more efficient, or more of a standard ?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You can set the action to "#" and it will have the same outcome with less (read no) need to process it to a safe form. :)
User avatar
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

Draco_03 wrote:
PS : Is using single quote instead of double quote more efficient, or more of a standard ?

Neither, I just used single quotes to avoid extra escaping. When outputting large chunks of html it's sometimes better to close php block and start over, i.e.

Code: Select all

# form is posted AND the value is present
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['province'])) { 
?>
        <div id="main_title"><?=htmlspecialchars($_POST['province'])?></div>
        <div id="main_text">
        <center>
        <form action="city_en.php" method="post">
        etc
<?
# continue php
...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Except you should avoid short tags. ;)
Post Reply