
$_POST Var not showing up

Posted: Wed May 20, 2009 1:46 pm
by cpc
Can't seem to make this work properly (file name is form.php referred to itself by <form>). The mail is sent and the file is written as long as I do not include the vars in the URL (Which, of course, does not suit my needs.)

Code: Select all

<?php
 
// Clean incoming variables.
scrub_vars();
 
//get variables from URL
 
$AccountNumber  =   $_GET['AccountNumber'];
$AccountName    =   $_GET['AccountName'];
 
$ref    =   $_SERVER['HTTP_REFERER'];
$script =   "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
 
// Check for valid form submission
if( $_SERVER['REQUEST_METHOD'] == "POST" && $ref == $script ) {
    
// Set mail variables
    $to         =   "user@email.org";
    $subject    =   "form mail subject";
    $headers    =   "From: contactform@" . $_SERVER["SERVER_NAME"] . "\n" .
                    "Reply-To: " . $_POST["email"] . "\n" .
                    "X-Mailer: PHP/" . phpversion();
    $message    =   "A form has been filed on " . $_SERVER["SERVER_NAME"] . "\n" .
                    "\n" .
                    "Account Name: "    . $_POST["$AccountName"]    . "\n" .
                    "Account Number: "  . $_POST["$AccountNumber"]  . "\n" .
                    "Submitted By: "    . $_POST["cert_FullName"]   . "\n" .
                    "Thanks!";
    
    mail($to,$subject,$message,$headers);
    
        $f  =   fopen("_data/recert.csv","a");
        fwrite($f,$_REQUEST["AccountNumber"].",".$_REQUEST["AccountName"].",".$_REQUEST["cert_FullName"]. "\n");
        fclose($f);
        $c  =   fopen("_data/cumulative_recert.csv","a");
        fwrite($c,$_REQUEST["AccountNumber"].",".$_REQUEST["AccountName"].",".$_REQUEST["cert_FullName"]. "\n");
        fclose($c);
} else {
    $message    =   "";
}
 
 
 
// Function to prevent code injection
function scrub_vars() {
    // Clear Get Variables
    if (isset($_GET)){
        foreach ($_GET as $getVarName=>$getVarValue) {
            unset($getVarName);
        }
    }
    // Clear Post Variables
    function clearPost () {
        if (isset($_POST)){
            foreach ($_POST as $postVarName=>$postVarValue) {
                unset($postVarName);
            }
        }
    }
    // Clean the request and get arrays.
    cleanArray($_REQUEST);
    cleanArray($_GET);
}
 
function cleanArray (&$Value) {
    if(is_array($Value)) {
        array_walk ($Value, 'cleanArray');
    } else {
        $Value = eregi_replace("['<'|'%3C'|'<'|'<']+script", "NOSCRIPT", $Value);
        $Value = eregi_replace("['<'|'%3C'|'<'|'<']+\?", "NOPHP", $Value);
    }
    return;
}
 
?>
 
Further in page these appear correctly (with URL VARS):

Code: Select all

     <p class="paragraph">Blah blah text <b><?php echo "$AccountName"; ?></b>Blah blah text </p>
      <p class="paragraph">Your Account Number is: <b><?php echo "$AccountNumber"; ?></b></p>

But when this form is submitted:

Code: Select all

     <form method="POST" action="form.php">
      <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td width="50%" class="paragraph">Enter your Full Name:</td>
          <td width="50%">&nbsp;</td>
        </tr>
        <tr>
          <td><label>
            <input name="cert_FullName" type="text" id="cert_FullName" size="50" />
            <input name="AccountNumber" type="hidden" value="<?php echo "$AccountNumber"; ?>" />
            <input name="AccountName" type="hidden" value="<?php echo "$AccountName"; ?>" />
            <input name="email" type="hidden" value="mail2@domain.com" />
            
          </label></td>
          <td><label>
            <input name="PROCESS"  type="submit" value="PROCESS"/>
          </label></td>
        </tr>
      </table>      
      </form>

The notice is that the variables are undefined.

Re: $_POST Var not showing up

Posted: Wed May 20, 2009 4:19 pm
by Benjamin
You must set the variables to a known state before you try to use them. You can write conditional code to detect if data has been submitted or not. I recommend using POST rather than GET for this.

Code: Select all

 
if (!empty($_POST['do_action']) && $_POST['do_action'] == 'send') {
    // process form
} else {
    $var_name = null;
}
 
In your form you place a hidden input field:

Code: Select all

 
<input type="hidden" name="do_action" value="send" />
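
The known-state pattern from the reply, applied to the form in the question, as an added example that is not code from either poster. It reads the account fields from the URL on first load and from the hidden inputs on submit, escapes them before echoing, and validates them before they reach the mail header or the CSV file. Assumptions: PHP 7 or later, the `do_action` hidden input has been added to the form, and the helper names `field`, `h` and `handle_request` are hypothetical.

```php
<?php
// Added example. Field names come from the thread; helper names are hypothetical.

// Return a request field as a trimmed string, or '' if absent or not a string.
function field(array $src, string $name): string {
    $v = $src[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Escape a value for HTML output (hidden inputs, the <b> echoes).
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Put every variable in a known state, then validate only on a real submit.
function handle_request(string $method, array $get, array $post): array {
    $is_submit = $method === 'POST' && field($post, 'do_action') === 'send';
    // First load: values are in the URL. Submit: they are in the hidden inputs.
    $src = $is_submit ? $post : $get;
    $out = [
        'AccountNumber' => field($src, 'AccountNumber'),
        'AccountName'   => field($src, 'AccountName'),
        'cert_FullName' => field($post, 'cert_FullName'),
        'reply_to' => null, 'row' => null, 'error' => null,
    ];
    if (!$is_submit) return $out;
    foreach (['AccountNumber', 'AccountName', 'cert_FullName'] as $k) {
        // These fields have no legitimate line break; reject rather than rewrite.
        if ($out[$k] === '' || strpbrk($out[$k], "\r\n") !== false) {
            $out['error'] = "bad $k";
            return $out;
        }
    }
    // FILTER_VALIDATE_EMAIL also refuses CR/LF, so the Reply-To header stays one line.
    $email = filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) { $out['error'] = 'bad email'; return $out; }
    $out['reply_to'] = $email;
    $out['row'] = [$out['AccountNumber'], $out['AccountName'], $out['cert_FullName']];
    return $out;
}

// Constructed sample requests: first page load, then the form submit.
$load = handle_request('GET', ['AccountNumber' => '1001', 'AccountName' => 'Acme "West"'], []);
echo '<input name="AccountName" type="hidden" value="', h($load['AccountName']), '" />', "\n";
$submit = handle_request('POST', [], ['do_action' => 'send', 'email' => 'mail2@domain.com',
    'AccountNumber' => '1001', 'AccountName' => 'Acme "West"', 'cert_FullName' => 'Doe, Jane']);
$fh = fopen('php://output', 'w');  // the thread appends to _data/recert.csv instead
fputcsv($fh, $submit['row'], ',', '"', '\\');  // quotes the comma and the double quotes
fclose($fh);
```

The hidden inputs are still client-controlled, so the values in `row` are only as trustworthy as any other POST field.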