Right now I have a form actioning to itself. There is some code the checks if the user is meant to be there. Is there a way to stop the script from running certain sections of code if it was actioned to itself after pressing submit.
I was thinking about using a SESSION variable to check against but I've gotten all muddle in my head :p
Any ideas?
Sure. If you're self-submitting form actions, just check if $_POST is empty (assuming you're POST'ing to your form)
if (!empty($_POST))
{
...
}
When I do PHP I use an input-element in my form template, like this:
<input type="submit" name="submit" id="submit" value="Login" /></td>
... and in the PHP page, I check if the POST was self-submitted like so:
// if page is not submitted to itself echo the form
if (!isset($_POST['submit']))
{
...
}
This is not secure though. If you want to reap the full benefits of self-submitting, you should try to counter Cross-site request forgery (XSRF) by challenging the client with a random token, and asking the client to repeat it.
Like embedded a hidden input in your form something like this:
<input type="hidden" name="nonce" value="<? echo $NONCE_VALUE; ?>" />
Related
I'm trying to create a cookie for a web page. The cookie value will vary based on the users name. Does PHP have an input type function? I just want to add an input field to the page an then the PHP will use that to define the users name for the page. I have the create cookie code, just can't figure out how to get the name from the screen and insert it to the cookie code. Appreciate any suggestions. This is on a WP website.
Not natively because php does not execute in browser, it executes on your server, but it can be used to write an HTML input.
The syntax would look something like this:
echo '<input type="text" name="myinput">';
or
?>
<input type="text" name="myinput">
<?php
You would then use a form post, CURL, or AJAX function to send the data back to the server where a second PHP script would process the input.
That said, it would help to post your create cookie code, since you may not even need to send it back to the server, but just handle it all in the browser using Javascript in which case your submit button only needs to pass the input to a Javascript function instead of posting it.
Is this something you are looking for?
Here it just takes the value user input from the browser and set it as a cookie
<?php
if(isset($_POST['name']) && !empty($_POST['name'])){
setcookie('setcookie_name',$_POST['name']); // setting cookie
}
?>
<form action="" method="post">
<input name="name" value="" placeholder="Enter your name" />
<input name="submit" type="submit" value="Submit"/>
</form>
I'm trying to make a registration page for an Openfire XMPP server. The easiest route seems to be to use the user service plugin to register accounts, which lets you register users with HTTP requests.
Essentially, I need to make HTTP requests like
http://hostname:9090/plugins/userService/userservice?type=add&secret=passcode&username=kafka&password=drowssap&name=franz&email=franz#kafka.com
Which will register user kafka with password drowssap, name franz, etc.
So it seems to me the best method would be to create an HTML form which collects the user information, then makes the HTTP request. This seems simple enough, but I'm not sure where the best place to start is. PHP? Python? Wget? Lynx? I'm not quite sure how to use those from within an HTML form.
Thanks.
Don't EVER include sensible data that way. That's a GET request. You need a POST request (which doesn't include data in the URL).
Your HTML should be like:
<form action="saveData.php" method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<!-- other inputs here -->
<input type="submit" value="Create user" />
</form>
That form sends POST data to the saveData.php script. That script should process the parameters and redirect to another page.
<?php
// Here process the data the way you want (using data inside $_POST array, i.e. $_POST['username'], $_POST['password'], etc...
// Usually you'd want to save to a database
// When done, redirect to "success" page
header("Location: success.php");
?>
Your success.php page can contain anything:
<?php
echo "User created successfully!";
?>
I understand that I am able to use the POST method for URL parameters to display data according to a specific variable, I know how to make use of the GET method - but I am told that the POST method can be used to hide the part of the URL that is like this.
/data.php?parameter=1234
What is the actual difference of the two methods in terms of URL parameters?
Below is some code that fetches data from a database according to the id of a specific link
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//This is the actual interaction with the database, according to the id.
$query = mysql_query("SELECT * FROM table WHERE id=" .$_GET['id'] . ";") or die("An error has occurred");
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query) < 1 )
{
header('Location: 404.php');
exit;
}
//Here each cell in the database is fetched and assigned a variable.
while($row = mysql_fetch_array($query))
{
$id = $row['id'];
$title = $row['title'];
$month = $row['month'];
$day = $row['day'];
$photo = $row['photo'];
$text = $row['text'];
}
?>
On a separate page I generate links to the data.php file according to the ID like so:
<?php echo $content['title']; ?>
Forgetting that there are potential SQL injections that can occur through the above code, how would I go about making use of the POST method in order to hide the URL parameters, or at least not display them like this:
http://example.com/data.php?id=1
In order to use POST, you will need to use a <form> tag, and depending on how you are pulling up these URLs, it could be easier to use javascript to help out. Here's a basic example:
<form method="post" action="data.php">
<input type="hidden" name="parameter" value="1234" />
<input type="submit" value="Go" />
</form>
The Go button would POST the form data, and now in data.php you will be able to retrieve the value from $_POST['parameter']. Note that when using POST, you will probably want to redirect (HTTP 302) back to a page so that when a user hits the back button, the browser doesn't prompt to resubmit the form.
Using javascript, you could set the parameter input to a different value before posting the form.
Use method "POST" for your form. I had the same issue, just adding POST to the form removed the parameters from the URL
<form id="abc" name="abc" action="someaction.php" method="post">
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>
<input type="submit" id="submit" name="submit" value="submit"/>
</form>
To POST values, a browser would have to use a form with method="post", or javascript simulating a form. Various developer tools (fireug, etc) can convert GET forms to POST forms, but generally, a form is what is required.
In theory GET requests should not have any side effects, and "should" be consistent from request to request. That is, the server should return the same content. In todays world of just about everything being dynamic, this might be of little practical design significance.
Whether you use GET or POST, the parameters will appear in $_REQUEST. The critical difference is that using POST allows the variables NOT to appear in URL history. This decreases the visibility of data such as passwords which you do not want to show up in URL history. To use POST instead of GET, simply produce <form method="POST" ...> in the document.
Even better is to store sensitive values (like user ids) in cookies, so that they don't appear in $_REQUEST at all. Since the contents of cookies are provided in extra HTTP request headers, not in the content, they are generally not stored as part of the history.
In order to use POST instead of GET, you would need to use an HTML form tag in your html, like so:
<form method="POST" action="/data.php">
<input type="hidden" name="parameter" value="1234" />
<button type="submit">Submit</button>
</form>
When submitted, your URL will just be /data.php and parameter=1234 will be in your (hidden) post buffer.
Make sense?
To do a POST, you have to use a form, or some javascript/ajax trickery. An <a> will only ever cause a GET request.
Note that POST requests can still have query parameters in the URL. It's not "normal" to have them, but they are allowed. The main difference being that with a GET request (ignoring cookies), the URL is the ONLY way to send parameters/data to the server. With POST, you can use both the URL, and the body of the POST request, which is where POSTed form data is normally placed.
Near the top of my page, I have this:
<?php $id = $_GET['id']; ?>
Then I have some form check conditionals that read from POST:
if (isset($_POST['completeSubmit'])) {
//code
}
And finally, I have an HTML form which looks like this:
<form action="<?php echo $_SERVER['PHP_SELF']."?id=$id"; ?>" name="complete" method="post">
<input type="submit" id="textButton" name="completeSubmit" value="[mark as complete]">
</form>
The page is initially accessed by using GET with an id variable like this:
http://website.com/page.php?id=1
All subsequent form submissions (which get redirected to the same page) fail. I know you can't send both GET and POST in the same request, but seeing as my form is submitting to $_SERVER['PHP_SELF']."?id=$id" using POST shouldn't it work? This is my first time trying this so it is quite possible I've overlooked something trivial.
You can use get and post at the same time, but you shouldn't. If you want to continue to send the ID this is as simple as:
<form ...
<input type="submit" ...
<input type="hidden" name="id"
value="<?php echo htmlspecialchars($_GET['id'], ENT_QUOTES); ?>" />
</form>
Of course you can not use GET and POST methods simultaneously.
However you can use a query string while sending a form using POST method, which being used to populate $_GET array.
To find a certain error you have to provide more info. At least 2 things:
how does HTML form look
what do yo see in the query string after posting the form.
and errr...
do you use any header redirects in the form processing?
The problem I have is that I have multiple submit inputs in a single form. Each of these submit inputs has a different value and I would prefer to keep them as submit.
Whenever the user presses Enter, it is as though the topmost submit input is being pressed, and so it is causing problems for the code checking which input was clicked.
Is there a way for PHP to determine whether or not the input was clicked, or was just the input that was selected when the user pressed the Enter key?
You can identify which button was used provided you structure your HTML correctly
<input type="submit" name="action" value="Edit">
<input type="submit" name="action" value="Preview">
<input type="submit" name="action" value="Post">
The $_POST array (or $_GET/$_REQUEST) will contain the key "action" with the value of the enacted button (whether clicked or not).
Now, "clicking" is explicitly a client-side behavior - if you want to differentiate between a click and a keypress, you'll need to add some scripting to your form to aid in that determination.
Edit
Alternatively, you can be "sneaky" and use a hidden submit that should correctly identify a key-pressed for submission, but this probably has some significant impact on accessibility.
<?php
if ( 'POST' == $_SERVER['REQUEST_METHOD'] )
{
echo '<pre>';
print_r( $_POST );
echo '</pre>';
}
?>
<form method="post">
<input type="text" name="test" value="Hello World">
<input type="submit" name="action" value="None" style="display: none">
<input type="submit" name="action" value="Edit">
<input type="submit" name="action" value="Preview">
<input type="submit" name="action" value="Post">
</form>
Roberto,
PHP is server-side technology and therefore runs on the server - so there is no way for it to determine what keys where pressed at the client (aka the user). That is, of course, unless you specifically code the client-side to include such information with the server requests (posting form data is a form of request too).
One way to accomplish that is by using Javascript in your client code.
See this page as a starting point regarding handling form submit events using Javascript.
http://www.w3schools.com/jsref/jsref_onSubmit.asp
You may also have to add a listener for key press events on your page in order to capture the user pressing the Enter key and then recording this information.
http://www.howtocreate.co.uk/tutorials/javascript/domevents offers a discussion on the topic of adding/removing event listeners in Javascript but you have to be very careful when using events because improperly used they can be the source of memory leaks which are hard to debug and cause for unhappy users :)
PHP alone can't determine how the form submit event was triggered, because that happens on the client-side while PHP is a server-side language. You'd have to implement Javascript to listen for -- and log to the server-side -- key presses and mouse clicks, and then analyze that data to find what you're looking for.
Now, PHP can tell which submit input was triggered, as it will appear in the form data while the others will not. Most browsers make the first submit input the default (the one that is triggered on an Enter key press). You could re-order all your submits so as to control which submit is triggered.
PHP can't really know what happened on the client side.
I'd recommend using javascript. When the user do the action, catch it and store it in an hidden field that will be submited with the form. You can also keep track of what input is active and store it in an hidden field.
The code would go a bit like that (i didnt checked the syntax)
<input type="text" onfocus="setCurrent(this)" id="1" />
<input type="hidden" id="hid" />
function setCurrent(o){
$('hid').value = o.id;
}
I think that playing around with events catching and hidden fields should give you the result that you want.
Hope that helps
It's how you write the markup on the client side.
For example, here is one (non-XHTML) way you could do this:
In the HTML file:
<form method="post" action="myform.php" id="myform">
... form items here ...
<input type="submit" name="enter_key" value="true" style="display:none">
<input type="hidden" name="pressed_button" id="pressed_button" value="false">
<input type="button" value="Submit"
onclick="document.getElementById('pressed_button').value='true';document.getElementById('myform').submit();">
</form>
In myform.php:
if ($_POST['pressed_button']=='false') {
// Logic for enter key
} else {
// Logic for button press
}