
About Submit Button

Posted: Thu Jul 19, 2007 5:40 am
by smartic

Code:

<html>
<head>
<title>Test</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="indexs.php">
  <input type="text" name="username" id="username" value="<?php echo $_POST['username'];?>"/>
  <br />
  <input type="text" name="pass" id="pass" />
  <br />
  <input type="submit" name="button" id="button" value="Submit" />
</form>
<?php
	$user=$_POST['username'];
	$password=$_POST['pass'];
	$btn=$_POST['button'];
	function handle_errors($input,$msg){
		if($input==""){
			echo "<span class='RED'>".$msg."</span><br />";
	}
}
if($btn){
	handle_errors($user,"Fill user Field");
	handle_errors($password,"Fill password Field");
}
?>

</body>
</html>
I need help with this code. I want the handle_errors function not to be executed until I press the Submit button. :oops:

Posted: Thu Jul 19, 2007 6:04 am
by feyd
$username and $pass are not defined.

You appear to understand how if statements work, so I'm confused when you are unable to detect the submit button (or rather the submission.) print_r($_POST) and/or print_r($_SERVER) may shed some light.

Also note that without proper handling your echo of $_POST['username'] will at minimum throw a notice, but also open the page to injection.

Posted: Thu Jul 19, 2007 6:51 am
by smartic
Thank you for the reply, but how can this code open the page to injection, and how can I solve this problem? Thx.

Posted: Thu Jul 19, 2007 6:59 am
by feyd
Blindly echoing $_POST data allows anyone to inject HTML code into your page. At minimum, use htmlspecialchars() on the information.

Also, make sure error_reporting is set to E_ALL, not E_ALL ^ E_NOTICE (or similar variants.)
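
Added example (not part of the original thread): one way to combine the points above, running the checks only when the request is a POST and passing every echoed value through htmlspecialchars(). The helper names h(), post_field(), validate() and render() are hypothetical, testing REQUEST_METHOD is an assumed way to detect the submission, and the CLI sample input is constructed.

```php
<?php
// Added example, not the thread author's code.
error_reporting(E_ALL); // report notices too, as suggested in the thread

// Escape a value for HTML text or a quoted attribute.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read a POST field as a string without an "undefined index" notice.
function post_field(array $post, string $name): string {
    return isset($post[$name]) && is_string($post[$name]) ? trim($post[$name]) : '';
}

// Validation messages; always empty until the form has been submitted.
function validate(string $method, array $post): array {
    if ($method !== 'POST') {
        return [];
    }
    $errors = [];
    if (post_field($post, 'username') === '') { $errors[] = 'Fill user Field'; }
    if (post_field($post, 'pass') === '')     { $errors[] = 'Fill password Field'; }
    return $errors;
}

function render(string $method, array $post): string {
    $html = '<form id="form1" name="form1" method="post" action="indexs.php">' . "\n"
          . '  <input type="text" name="username" id="username" value="'
          . h(post_field($post, 'username')) . '" /><br />' . "\n"
          . '  <input type="text" name="pass" id="pass" /><br />' . "\n"
          . '  <input type="submit" name="button" id="button" value="Submit" />' . "\n"
          . "</form>\n";
    foreach (validate($method, $post) as $msg) {
        $html .= "<span class='RED'>" . h($msg) . "</span><br />\n";
    }
    return $html;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: markup in the username, empty password.
    $method = 'POST';
    $post = ['username' => '"><b>x</b>', 'pass' => '', 'button' => 'Submit'];
} else {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $post = $_POST;
}
echo render($method, $post);
```

Run from the command line, the username is echoed back as `&quot;&gt;&lt;b&gt;x&lt;/b&gt;` inside the value attribute, so it stays text instead of becoming markup, and only the password message is shown.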