Page 1 of 1

[SOLVED] Simple form using $_SERVER['PHP_SELF']

Posted: Fri Mar 30, 2007 2:09 pm
by Draco_03

Code: Select all

if(isset($_POST['go'])){
	echo"It worked!!";
} else {

	echo "<center>
	<form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
	<select name=\"province\">
	<option>Choose your province</option>
	";
	
	$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
	$result = mysql_query($query);
	
	$num_rows = mysql_num_rows($result);
	
	for ($i=0; $i<$num_rows; $i++){
		$value = mysql_fetch_array($result);
		echo "<option value=\"$value[client_province]\">$value[client_province]</option>";
	}
	echo "
	</select>
	<input type=\"submit\" value=\"Go\" />
	</form></center>";
}
I get my drop down alright but on submit it simply refresh the page.
My guess is that my $_server variable isn't used correctly, but i'm not quite sure what to do.

Any help is welcome

Posted: Fri Mar 30, 2007 2:13 pm
by Chris Corbyn
The form points to itself, so yes, it will "refresh" the page.

$_POST["go"] is not the same as $_POST["Go"] in PHP.

EDIT | You need to put name="go" on your <input /> tag. It's $_POST["$name"] not $_POST["$value"].

Posted: Fri Mar 30, 2007 2:14 pm
by Benjamin
The submit button will need a name attribute.

Posted: Fri Mar 30, 2007 2:22 pm
by Draco_03
Thx :)

Posted: Fri Mar 30, 2007 3:32 pm
by timvw
Do not use $_SERVER['PHP_SELF'] for the generation of html, it's a serious security risk...

Instead, simply use <form action="#" ... > , it will do exactly the same (post to the originating url).

Posted: Fri Mar 30, 2007 3:36 pm
by stereofrog
isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care. ;)

Posted: Fri Mar 30, 2007 3:42 pm
by Draco_03
stereofrog wrote:isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care. ;)
I do care, tell me what's wrong with my $_SERVER['PHP_SELF'].
ps : NEW code that works

Code: Select all

if(isset($_POST['Goprovince'])){
	
	$province = $_POST['province'];
	
	echo "
	<div id="main_title">".$province."</div>
	<div id="main_text">
	<center>
	<form action="city_en.php" method="post">
	<select name="city" class="input_select">
	<option>Choose your city</option>
	";
	
	$query = "SELECT DISTINCT client_city FROM clients WHERE client_province = '$province' ORDER BY client_city";
	$result = mysql_query($query);
	
	$num_rows = mysql_num_rows($result);
	
	for ($i=0; $i<$num_rows; $i++){
		$value = mysql_fetch_array($result);
		echo "<option value="$value[client_city]">$value[client_city]</option>";
	}
	echo "
	</select>
	<input name="Gocity" type="submit" value="Go" />
	</form></center>";
} else {

	echo "
	<div id="main_title">Choose your province</div>
	<div id="main_text">
	<center>
	<form action="".$_SERVER['PHP_SELF']."" method="post">
	<select name="province" class="input_select">
	<option>Choose your province</option>
	";
	
	$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
	$result = mysql_query($query);
	
	$num_rows = mysql_num_rows($result);
	
	for ($i=0; $i<$num_rows; $i++){
		$value = mysql_fetch_array($result);
		echo "<option value="$value[client_province]">$value[client_province]</option>";
	}
	echo "
	</select>
	<input name="Goprovince" type="submit" value="Go" />
	</form></center>";
}

Posted: Fri Mar 30, 2007 3:54 pm
by stereofrog
$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:

Code: Select all

# WRONG!

echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';

# correct

echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';

Posted: Fri Mar 30, 2007 3:57 pm
by Draco_03
stereofrog wrote:$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:

Code: Select all

# WRONG!

echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';

# correct

echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Thank you, I will change it

PS : Is using single quote instead of double quote more efficient, or more of a standard ?

Posted: Fri Mar 30, 2007 4:22 pm
by feyd
You can set the action to "#" and it will have the same outcome with less (read no) need to process it to a safe form. :)

Posted: Fri Mar 30, 2007 4:51 pm
by stereofrog
Draco_03 wrote:
PS : Is using single quote instead of double quote more efficient, or more of a standard ?

Neither, I just used single quotes to avoid extra escaping. When outputting large chunks of html it's sometimes better to close php block and start over, i.e.

Code: Select all

# form is posted AND the value is present
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['province'])) { 
?>
        <div id="main_title"><?=htmlspecialchars($_POST['province'])?></div>
        <div id="main_text">
        <center>
        <form action="city_en.php" method="post">
        etc
<?
# continue php
...

Posted: Fri Mar 30, 2007 5:02 pm
by feyd
Except you should avoid short tags. ;)