About Submit Button

smartic
Forum Newbie
Posts: 3
Joined: Thu Jul 19, 2007 5:37 am

Post by smartic »

<html>
<head>
<title>Test</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="indexs.php">
  <input type="text" name="username" id="username" value="<?php echo $_POST['username'];?>"/>
  <br />
  <input type="text" name="pass" id="pass" />
  <br />
  <input type="submit" name="button" id="button" value="Submit" />
</form>
<?php
	$user=$_POST['username'];
	$password=$_POST['pass'];
	$btn=$_POST['button'];
	function handle_errors($input,$msg){
		if($input==""){
			echo "<span class='RED'>".$msg."</span><br />";
	}
}
if($btn){
	handle_errors($user,"Fill user Field");
	handle_errors($password,"Fill password Field");
}
?>

</body>
</html>
I need help with this code. I want the handle_errors function not to be executed until I press the Submit button. :oops:
Last edited by smartic on Thu Jul 19, 2007 6:52 am, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

$username and $pass are not defined.

You appear to understand how if statements work, so I'm confused when you are unable to detect the submit button (or rather the submission.) print_r($_POST) and/or print_r($_SERVER) may shed some light.

Also note that without proper handling your echo of $_POST['username'] will at minimum throw a notice, but also open the page to injection.
smartic
Forum Newbie
Posts: 3
Joined: Thu Jul 19, 2007 5:37 am

Post by smartic »

Thank you for the reply, but how can this code open the page to injection, and how can I solve this problem? Thx.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Blindly echoing $_POST data allows anyone to inject HTML code into your page. At minimum, use htmlspecialchars() on the information.

Also, make sure error_reporting is set to E_ALL, not E_ALL ^ E_NOTICE (or similar variants.)
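
An added example, not part of the original thread or any poster's code: the form from the first post with the advice above applied (submission detected before validating, POST data escaped with htmlspecialchars() before it is echoed, error_reporting set to E_ALL). The helper names post_field() and e() are hypothetical, and UTF-8 output is assumed.

```php
<?php
// Added example: hardened version of the form page discussed in this thread.
error_reporting(E_ALL); // report notices too, so undefined indexes are visible

// Hypothetical helper: return a POST field as a string, or '' when it is
// missing or not a string (a client can send username[]=x to make it an array).
function post_field($name) {
    return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : '';
}

// Hypothetical helper: escape a value for HTML text and quoted attributes.
function e($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Collect a message when a required field is empty (same test as the original).
function handle_errors($input, $msg, array &$errors) {
    if ($input === '') {
        $errors[] = $msg;
    }
}

// Validate only when the form was actually submitted.
$submitted = isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST';
$user      = post_field('username');
$password  = post_field('pass');
$errors    = array();

if ($submitted) {
    handle_errors($user, 'Fill user Field', $errors);
    handle_errors($password, 'Fill password Field', $errors);
}
?>
<html>
<head><title>Test</title></head>
<body>
<form id="form1" name="form1" method="post" action="indexs.php">
  <input type="text" name="username" id="username" value="<?php echo e($user); ?>" />
  <br />
  <input type="password" name="pass" id="pass" />
  <br />
  <input type="submit" name="button" id="button" value="Submit" />
</form>
<?php foreach ($errors as $msg) { ?>
  <span class="RED"><?php echo e($msg); ?></span><br />
<?php } ?>
</body>
</html>
```

With ENT_QUOTES, a submitted value containing `"` or `<` is rendered as text inside the value attribute instead of closing it, and on a plain GET request no validation runs and no notice is raised.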