Convert Form 'action' over to href

Posted: Sat May 09, 2009 4:07 am
by Addos
Hi,
I want to replace this:

Code:

<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <input name="logout" type="submit" value="Logout when finished">
  <input type="hidden" name="action" value="logout">
</form>
With this or similar (if I can)

Code:

echo 'Logout when finished <a href="' . $_SERVER['PHP_SELF'] . '?action=logout">Logout</a>';
My function is:

Code:

<?php
// Stage 2 - The Logout
if (isset($_POST['action']) && $_POST['action'] == "logout") {
    logout(); // logout() is defined elsewhere in the script
}
So I’m not really sure how to approach this as I think that I need to include some sort of Post array in my ‘href’ above but I’m not sure how to go about this or if that is even possible.
Any help would be great
Thanks

Re: Convert Form 'action' over to href

Posted: Sat May 09, 2009 8:09 am
by mickd
You'll just need to get the information using this instead:

Code:

<?php
// The link puts the value in the query string, so read it from $_GET rather than $_POST.
if (isset($_GET['action']) && $_GET['action'] == 'logout') {
    logout();
}

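A complete version of what the reply describes, written as an added example for this thread rather than code posted by anyone in it: the logout action arrives in the query string, the handler reads it from $_GET, and the link is built from the script path. The file name logout.php, the redirect target login.php and the body of logout() are assumptions.

```php
<?php
// Added example, not code from the thread: a self-contained logout page that takes
// the action from the query string (the link from the question) instead of a POST body.
// Assumed names: this file is logout.php, the redirect target is login.php.
session_start();

function logout(): void
{
    // Clear the session data and invalidate the server-side session.
    $_SESSION = [];
    session_destroy();
}

// Stage 2 - The Logout. The link sends ?action=logout in the URL, so the value is
// in $_GET, not $_POST. isset() prevents an "undefined index" notice when the page
// is opened without the parameter.
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    logout();
    header('Location: login.php');
    exit;
}

// The link itself. SCRIPT_NAME is the script path the server resolved, without any
// trailing path info, and htmlspecialchars() encodes it for the attribute context.
$self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
echo 'Logout when finished <a href="' . $self . '?action=logout">Logout</a>';
```

One design note: a plain link means any page that embeds the URL can trigger the logout, whereas the original POST form only fires when the user submits it. For a logout that is usually tolerable; for actions with more consequence, keep the form and add a per-session token.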
Re: Convert Form 'action' over to href

Posted: Sat May 09, 2009 8:45 am
by kaisellgren
If you use $_SERVER['PHP_SELF'] on your form like that, you will be vulnerable to XSS attacks.

Re: Convert Form 'action' over to href

Posted: Mon May 11, 2009 11:00 am
by Addos
mickd wrote:You'll just need to get the information using this instead:
Thanks a mil, that was too obvious, but I appreciate the help.
kaisellgren wrote:If you use $_SERVER['PHP_SELF'] on your form like that, you will be vulnerable to XSS attacks.
Can you give me a little more on this, as I'm not sure about this issue. Are you saying that if I use this without cleaning any input then it's risky, or should I just avoid this at all costs? Usually I will clean the input, but I'd appreciate any pointers on this.
Thanks

Re: Convert Form 'action' over to href

Posted: Mon May 11, 2009 11:18 am
by kaisellgren
Addos wrote:Can you give me a little more on this, as I'm not sure about this issue. Are you saying that if I use this without cleaning any input then it's risky, or should I just avoid this at all costs? Usually I will clean the input, but I'd appreciate any pointers on this.
Thanks
In that code you are not cleaning anything. If you want to do it without filtering, use $_SERVER['SCRIPT_NAME'].
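The point in this reply, shown concretely as an added example (not code from the thread): PHP_SELF is SCRIPT_NAME plus whatever path info the client appended to the URL, so echoing it raw lets request data land inside the href attribute, while the encoded form and SCRIPT_NAME do not. The $_SERVER values below are constructed so the script runs from the command line without a web server.

```php
<?php
// Added example, not code from the thread. Builds the same href three ways and
// shows which ones reflect client-controlled path info into the page markup.
// $_SERVER values are constructed here so this runs from the CLI.

function build_href(string $self): string
{
    return '<a href="' . $self . '?action=logout">Logout</a>';
}

// Constructed request: the client asked for /logout.php with extra path info
// appended. The server still executes logout.php; the trailing segment becomes
// PATH_INFO and PHP_SELF includes it, SCRIPT_NAME does not.
$server = [
    'SCRIPT_NAME' => '/logout.php',
    'PHP_SELF'    => '/logout.php/"><i>path-info</i>',
];

// 1. PHP_SELF used raw: the quote ends the attribute early and the rest is markup.
$raw = build_href($server['PHP_SELF']);

// 2. PHP_SELF encoded for the attribute context: quote and angle brackets become entities.
$encoded = build_href(htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'));

// 3. SCRIPT_NAME: the script path as resolved by the server, without path info.
$script = build_href($server['SCRIPT_NAME']);

printf("raw PHP_SELF : %s\n", $raw);
printf("encoded      : %s\n", $encoded);
printf("SCRIPT_NAME  : %s\n", $script);

// Self-check: only the raw variant contains an unencoded '">' inside the href.
$leaks = static fn(string $html): bool => strpos($html, '"><i>') !== false;
echo $leaks($raw) && !$leaks($encoded) && !$leaks($script)
    ? "only the raw PHP_SELF variant reflects the path info\n"
    : "unexpected result\n";
```

Either fix works for the attribute; using SCRIPT_NAME removes the path-info source, and htmlspecialchars() encodes whatever is left, so doing both costs nothing.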