PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Moderator: General Moderators
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
Post
by Draco_03 » Fri Mar 30, 2007 2:09 pm
Code: Select all
if(isset($_POST['go'])){
echo"It worked!!";
} else {
echo "<center>
<form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
<select name=\"province\">
<option>Choose your province</option>
";
$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
for ($i=0; $i<$num_rows; $i++){
$value = mysql_fetch_array($result);
echo "<option value=\"$value[client_province]\">$value[client_province]</option>";
}
echo "
</select>
<input type=\"submit\" value=\"Go\" />
</form></center>";
}
I get my drop down alright but on submit it simply refresh the page.
My guess is that my $_server variable isn't used correctly, but i'm not quite sure what to do.
Any help is welcome
Last edited by
Draco_03 on Fri Mar 30, 2007 2:22 pm, edited 1 time in total.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098 Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia
Post
by Chris Corbyn » Fri Mar 30, 2007 2:13 pm
The form points to itself, so yes, it will "refresh" the page.
$_POST["go"] is not the same as $_POST["Go"] in PHP.
EDIT | You need to put name="go" on your <input /> tag. It's $_POST["$name"] not $_POST["$value"].
Last edited by
Chris Corbyn on Fri Mar 30, 2007 2:14 pm, edited 1 time in total.
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
Post
by Benjamin » Fri Mar 30, 2007 2:14 pm
The submit button will need a name attribute.
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
Post
by Draco_03 » Fri Mar 30, 2007 2:22 pm
Thx
timvw
DevNet Master
Posts: 4897 Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium
Post
by timvw » Fri Mar 30, 2007 3:32 pm
Do not use $_SERVER['PHP_SELF'] for the generation of html, it's a serious security risk...
Instead, simply use <form action="#" ... > , it will do exactly the same (post to the originating url).
stereofrog
Forum Contributor
Posts: 386 Joined: Mon Dec 04, 2006 6:10 am
Post
by stereofrog » Fri Mar 30, 2007 3:36 pm
isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care.
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
Post
by Draco_03 » Fri Mar 30, 2007 3:42 pm
stereofrog wrote: isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care.
I do care, tell me what's wrong with my $_SERVER['PHP_SELF'].
ps : NEW code that works
Code: Select all
if(isset($_POST['Goprovince'])){
$province = $_POST['province'];
echo "
<div id="main_title">".$province."</div>
<div id="main_text">
<center>
<form action="city_en.php" method="post">
<select name="city" class="input_select">
<option>Choose your city</option>
";
$query = "SELECT DISTINCT client_city FROM clients WHERE client_province = '$province' ORDER BY client_city";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
for ($i=0; $i<$num_rows; $i++){
$value = mysql_fetch_array($result);
echo "<option value="$value[client_city]">$value[client_city]</option>";
}
echo "
</select>
<input name="Gocity" type="submit" value="Go" />
</form></center>";
} else {
echo "
<div id="main_title">Choose your province</div>
<div id="main_text">
<center>
<form action="".$_SERVER['PHP_SELF']."" method="post">
<select name="province" class="input_select">
<option>Choose your province</option>
";
$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
for ($i=0; $i<$num_rows; $i++){
$value = mysql_fetch_array($result);
echo "<option value="$value[client_province]">$value[client_province]</option>";
}
echo "
</select>
<input name="Goprovince" type="submit" value="Go" />
</form></center>";
}
stereofrog
Forum Contributor
Posts: 386 Joined: Mon Dec 04, 2006 6:10 am
Post
by stereofrog » Fri Mar 30, 2007 3:54 pm
$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:
Code: Select all
# WRONG!
echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
# correct
echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Draco_03
Forum Regular
Posts: 577 Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada
Post
by Draco_03 » Fri Mar 30, 2007 3:57 pm
stereofrog wrote: $_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:
Code: Select all
# WRONG!
echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
# correct
echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Thank you, I will change it
PS : Is using single quote instead of double quote more efficient, or more of a standard ?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Mar 30, 2007 4:22 pm
You can set the action to "#" and it will have the same outcome with less (read no) need to process it to a safe form.
stereofrog
Forum Contributor
Posts: 386 Joined: Mon Dec 04, 2006 6:10 am
Post
by stereofrog » Fri Mar 30, 2007 4:51 pm
Draco_03 wrote:
PS : Is using single quote instead of double quote more efficient, or more of a standard ?
Neither, I just used single quotes to avoid extra escaping. When outputting large chunks of html it's sometimes better to close php block and start over, i.e.
Code: Select all
# form is posted AND the value is present
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['province'])) {
?>
<div id="main_title"><?=htmlspecialchars($_POST['province'])?></div>
<div id="main_text">
<center>
<form action="city_en.php" method="post">
etc
<?
# continue php
...
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Mar 30, 2007 5:02 pm
Except you should avoid short tags.