So I have a profile page: profile.php?pin=xx, where I use the GET method for determining which profile to display. I am going to test if $_SESSION['pin'] == $_GET['pin'] and if so, give the option to edit profile.
I don't want to write a-whole-nother script and direct the user to another page. So for usability sake, and keeping the server neat so I'm not always guessing which script does what, I want to mix POST and GET. I've done some research and it seems legal, but how?
<form method="post" action="profile.php?pin=xx">
<form method="post" action="<? echo $_SERVER['PHP_SELF']; ?>">
That's all I can think of without really getting the code messy.
If you keep the action attribute empty it will be the same URI including the GET parameters (query-info part of the URI):
<form method="post" action="">
Maybe this is what you're looking for? See HTML <form> tag for a reference about tag and attribute.
If you want to understand how that works: This is a so called Relative URI. It resolves to the Base URI of the document. As the Relative URI is empty, the Base URI is being taken over completely.
Related
I am submitting an HTML form to the same page to handle with PHP and figured out that I can use action="./", which works fine for me so far (in a test environment).
I am a little unsure though because all the examples I find recommend using either
action=""
or
action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>"
I don't want to use action="" because the HTML Standard specifically states
The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces.
Is there any reason not to use action="./"? It seems better (more readable, less PHP) to me but it's confusing me that all the examples I find recommend the PHP approach.
Using ./ works in a lot of cases but can lead to unwanted behaviour if not understood correctly. It's also unnecessary as default behaviour of forms without the action attribute is to submit the form to the same page.
Use <form method="post"> to submit to the same page.
Don't use <form action="" method="post">. This will also submit to the same page but it's invalid according to the HTML standard.
Let's say I have a form on my website homepage: www.mysite.com
Now, the form tag looks like this:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
...
</form>
When that form submits, it does everything it's suppose to. But it also reloads the page with the full filename and extension. So the user will now find the URL in the address bar is: www.mysite/index.php
Is there a way to make the form fire to the same page without adding this extension?
There may be situations where the form is as an include in a footer, so I cann't be specific about the page the form needs to fire to, hense the PHP_SELF code.
That's because $_SERVER['PHP_SELF'] refers to the actual filename of the current script.
Try this:
<form action="" method="post">
An empty action will post back to the current URL.
Try setting the action to #:
<form action="#" method="post">
...
</form>
The # refers to the current page.
Try changing action to #, this post to the current page.
Edit: Mike beat me to it.
Edit 2: It looks like you can leave out the action all together and it will default to the same page.
Edit 3: Mike beat me to that one too.
I've tried <form action="/product/" method="get">, but it doesn't work.
Usually I would have a PHP file such as search.php in the same directory such that <form action="search.php", but I'm implementing a different kind of search which needs to always send the request to the same place.
What I'm getting: (e.g. if I'm on page example.com/product/foo)
example.com/product/foo?id={query};
What I want: example.com/product/?id={query};
Update: Upon instpecting the elements, it seems like it's my action=" product ". Something's up with the slashes. I checked the source code, and it seems fine.
Got it to work after changing double quotes to single quotes... <form action="/product/" method="get">.
Use full url in the action...
eg
<form action="http://example.com/product/" method="get">
...
I've seen <form> opening tags that look like this:
<form action="<?= $_SERVER['REQUEST_URI'] ?>">
Does the action attribute here make any sense?
Wouldn't the form behave the same way without it?
You should always include the action attribute in your form tag if you want a good valid markup (which you should). It is a required attribute (though most browsers will work around it if you don't and assume action="").
Using:
<form action="" method="post">
...will work and just use the current page as the action page.
http://www.w3schools.com/tags/tag_form.asp
Hope this helps.
If you set it to blank you get the same effect (which is what I prefer)
<form action="" method="post"> ....
Yes, you have to include action attribute within <form> tag. See some documentation.
However, you do not need to pass current URI, you can add empty action attribute like that:
<form action="">
...
</form>
and then the form will be sent to the current location (current URI).
What is the benefit of using the super global $_SERVER['PHP_SELF']?
$_SERVER['PHP_SELF'] doesn't (or shouldn't) include the domain name. It includes the path component of the url that the script was called from.
Its use is primarily to introduce cross site scripting vulnerabilities.
you can use it to fill in the action attribute of a form tag:
<form method="post" action="<?=$_SERVER['PHP_SELF']?>"></form>
If I then call your page with:
your-file-that-uses-php-self.php/("><script>eval-javascript-here</script>)
where everything in parens is urlencoded then I can inject the code into your page. If I send that link to somebody else, then I'm executing that code in their browser from your site.
Edit:
To make it safe against XSS attacks, use htmlspecialchars:
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">...</form>
Edit 2: As this $_SERVER variable has been misused so often out there in examples across the internets, don't miss reading your HTML reference: As that URI is the shortest possible relative URI, you can just leave the action attribute empty:
<form action="" method="post" >...</form>