Page 1 of 1
[SOLVED] Simple form using $_SERVER['PHP_SELF']
Posted: Fri Mar 30, 2007 2:09 pm
by Draco_03
Code: Select all
if(isset($_POST['go'])){
echo"It worked!!";
} else {
echo "<center>
<form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
<select name=\"province\">
<option>Choose your province</option>
";
$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
for ($i=0; $i<$num_rows; $i++){
$value = mysql_fetch_array($result);
echo "<option value=\"$value[client_province]\">$value[client_province]</option>";
}
echo "
</select>
<input type=\"submit\" value=\"Go\" />
</form></center>";
}
I get my drop down alright but on submit it simply refresh the page.
My guess is that my $_server variable isn't used correctly, but i'm not quite sure what to do.
Any help is welcome
Posted: Fri Mar 30, 2007 2:13 pm
by Chris Corbyn
The form points to itself, so yes, it will "refresh" the page.
$_POST["go"] is not the same as $_POST["Go"] in PHP.
EDIT | You need to put name="go" on your <input /> tag. It's $_POST["$name"] not $_POST["$value"].
Posted: Fri Mar 30, 2007 2:14 pm
by Benjamin
The submit button will need a name attribute.
Posted: Fri Mar 30, 2007 2:22 pm
by Draco_03
Thx

Posted: Fri Mar 30, 2007 3:32 pm
by timvw
Do not use $_SERVER['PHP_SELF'] for the generation of html, it's a serious security risk...
Instead, simply use <form action="#" ... > , it will do exactly the same (post to the originating url).
Posted: Fri Mar 30, 2007 3:36 pm
by stereofrog
isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care.

Posted: Fri Mar 30, 2007 3:42 pm
by Draco_03
stereofrog wrote:isset($_POST['go']) and $_SERVER['PHP_SELF'] are both wrong, if you care.

I do care, tell me what's wrong with my $_SERVER['PHP_SELF'].
ps : NEW code that works
Code: Select all
if(isset($_POST['Goprovince'])){
$province = $_POST['province'];
echo "
<div id="main_title">".$province."</div>
<div id="main_text">
<center>
<form action="city_en.php" method="post">
<select name="city" class="input_select">
<option>Choose your city</option>
";
$query = "SELECT DISTINCT client_city FROM clients WHERE client_province = '$province' ORDER BY client_city";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
for ($i=0; $i<$num_rows; $i++){
$value = mysql_fetch_array($result);
echo "<option value="$value[client_city]">$value[client_city]</option>";
}
echo "
</select>
<input name="Gocity" type="submit" value="Go" />
</form></center>";
} else {
echo "
<div id="main_title">Choose your province</div>
<div id="main_text">
<center>
<form action="".$_SERVER['PHP_SELF']."" method="post">
<select name="province" class="input_select">
<option>Choose your province</option>
";
$query = "SELECT DISTINCT client_province FROM clients ORDER BY client_province";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
for ($i=0; $i<$num_rows; $i++){
$value = mysql_fetch_array($result);
echo "<option value="$value[client_province]">$value[client_province]</option>";
}
echo "
</select>
<input name="Goprovince" type="submit" value="Go" />
</form></center>";
}
Posted: Fri Mar 30, 2007 3:54 pm
by stereofrog
$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:
Code: Select all
# WRONG!
echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
# correct
echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Posted: Fri Mar 30, 2007 3:57 pm
by Draco_03
stereofrog wrote:$_SERVER['PHP_SELF'] comes from the user and can be manipulated in a way that affects the security of your site (XSS-attacks). Like any other user-writable value, PHP_SELF should always be escaped:
Code: Select all
# WRONG!
echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
# correct
echo '<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '" method="post">';
Thank you, I will change it
PS : Is using single quote instead of double quote more efficient, or more of a standard ?
Posted: Fri Mar 30, 2007 4:22 pm
by feyd
You can set the action to "#" and it will have the same outcome with less (read no) need to process it to a safe form.

Posted: Fri Mar 30, 2007 4:51 pm
by stereofrog
Draco_03 wrote:
PS : Is using single quote instead of double quote more efficient, or more of a standard ?
Neither, I just used single quotes to avoid extra escaping. When outputting large chunks of html it's sometimes better to close php block and start over, i.e.
Code: Select all
# form is posted AND the value is present
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['province'])) {
?>
<div id="main_title"><?=htmlspecialchars($_POST['province'])?></div>
<div id="main_text">
<center>
<form action="city_en.php" method="post">
etc
<?
# continue php
...
Posted: Fri Mar 30, 2007 5:02 pm
by feyd
Except you should avoid short tags.
