I'm having a problem with the following piece of code. My desire is to have the heading Search results appear when the form is submitted using the 'Search' button, and I'm trying to implement this using the hidden input called searching. The idea is that when the form is submitted, this value is set to 'yes', and that will reveal the heading, but that is not what is happening here. Can anyone please tell me where I've gone wrong?
<html>
<head>
<title>Search</title>
</head>
<body>
<h1>Search</h1>
<form name = "search" action = "<?=$PHP_SELF?>" method = "get">
Search for <input type = "text" name = "find" />
<input type = "hidden" name = "searching" value = "yes" />
<input type = "submit" name = "search" value = "Search" />
</form>
<?php
if ($searching == "yes")
{
echo "<h2>Search results</h2>";
}
?>
</body>
</html>
#chris, you dont have to use a hidden field. you just can check if the form was submitted like this:
if(isset($_GET['search'])) echo 'foo';
#Boris, why should it be more secure to store the global into another var? I would agree if you check the global against a regex or whatever before.
Felix
You need to access the superglobal $_GET:
if($_GET["searching"]=="yes"){
//echo here
}
Unless you're using an old version of PHP, or a really unsecure configure, you're likely not using global variables.
Therefore, you need to first retrieve your $searching variable from the magic $_GET variable.
$searching = $_GET['searching'];
Related
I need to redirect the user to a site that gets the "Short_proj_name" information. So i did this:
<form action="Main.php?short_proj_name=<?=$_REQUEST['short_proj_name']?>" method="post" name="formProjName" target="_blank" id='frmProjName'>
However, upon searching, i found out that there are several reasons NOT to use $_REQUEST, one of them being security and all that. However, simply doing $_POST['short_proj_name'] or $_GET['short_proj_name'] never returns the information i need.
Basically, how would i go about doing an if statement that checks if the $_GET is empty, and does a $_POST instead? Can i do that in the action method of my form?
EDIT:
Adittionally, is it possible that maybe using both $_POST and $_GET return null, yet using $_REQUEST doesnt? As far as i know, $_REQUEST is both get and post together, but none of them returns any information
It works if i do it as so:
if(!empty($_POST['short_proj_name']))
{
$projName = $_POST['short_proj_name'];
}
elseif (!empty($_GET['short_proj_name']))
{
$projName = $_GET['short_proj_name'];
}
else
{
$projName = $_REQUEST['short_proj_name'];
}
But i'm not sure if that solves the security problem at all
I think the answer here is to always use _GET.
A form can actually send both _GET and _POST data based on what you use in the "action" attribute of the form. The action part doesn't care what you set the "method" attribute as.
From what you are showing above, the params are all in the "action" part of the form so these are always passed into _GET anyway. If the inputs were inside the form then those would be received via _POST
Here's an example.
In PHP I would receive $_GET['monkey'] = '1' and $_POST['lion'] = 1
<form method='post' action='receive.php?monkey=1'>
<input type='text' name='lion' value='1' />
<input type='submit' />
</form>
There shouldn't really ever be an instance where you need to check if the answer is in _GET or _POST and as mentioned in a comment, it's quite a security risk to use $_REQUEST or check if it's in _GET or _POST.
Most times, you can just push the page request URL back into the form "action" to ensure all the same _GET params are included on the form _POST.
The big mistake most people do is try to move them from _GET into hidden input fields inside a form thinking they need to do that to carry all that data through.
However, this type of function call might help you but I wouldn't approve of it.
function getRequestParam($param){
if(isset($_GET[$param])){return $_GET[$param];}
if(isset($_POST[$param])){return $_POST[$param];}
return "";
}
you can like
<?php
if(!empty($_POST))
{
$projName = $_POST['short_proj_name'];
}
else
{
$projName = $_GET['short_proj_name'];
}
?>
<form action="Main.php?short_proj_name=<?=$projName ?>" method="post" name="formProjName" target="_blank" id='frmProjName'>
but i think it's ugly
Here is a simple code :
<?php
if (isset($_GET) && $_GET['short_proj_name'] != '')
echo $_GET['short_proj_name'];
else if (isset($_POST) && $_POST['short_proj_name'] != '')
echo $_GET['short_proj_name'];
else
echo $_REQUEST['short_proj_name'];
?>
But if you get the value from a post or get, it can be anything so be careful...
If the "short_proj_name" is a file name, a nasty person can get access to other files just by guessing their names...
I have a form where when the user clicks submit, I need a php file to be ran. below is the form and the php file.
<form action="php_scripts/test.php" method="POST">
<input name="feature" type = "text" placeholder="Feature" />
<input name="feature2" type = "text" placeholder="Feature2" />
<input type="submit" value = "submit"/>
</form>
test.php
<?php
if( isset($_GET['submit']) )
{
$feature = $_POST['feature'];
// do stuff (will send data to database)
}
?>
The problem I am having is that when I press Submit on the form,
if( isset($_GET['submit']) )
Always returns false.
Can anyone explain why that is? Have I totally misunderstood how to implement form sending data to php scripts?
Apologies if I have made any syntax errors and many thanks for any help you can give.
There are a few things wrong with your code.
You're mixing GET with POST methods. Plus, add values to your inputs and your submit button isn't named, which you're trying to use as a conditional statement for.
HTML
<form action="php_scripts/test.php" method="POST">
<input name="feature" value="feature" type = "text" placeholder="Feature" />
<input name="feature2" value="feature2" type = "text" placeholder="Feature2" />
<input type="submit" name="submit" value = "submit"/>
</form>
PHP
<?php
if( isset($_POST['submit']) )
{
$feature = $_POST['feature'];
$feature2 = $_POST['feature2'];
// do stuff (will send data to database)
}
?>
Sidenote: You could/should also check against empty values.
if(isset($_POST['submit'])
&& !empty($_POST['feature'])
&& !empty($_POST['feature2']) ) {...}
Footnotes:
Seeing that you're intending on sending to DB:
I hope you plan on using mysqli with prepared statements, or PDO with prepared statements.
A couple of things:
you're using $_GET instead of $_POST
isset($_POST['submit']) is not a good check, not every browser will send the submit button in its request. (Apart from the fact that you haven't even named the submit button, so it wouldn't come through in any browser, as it stands now.)
it's better to use:
Code:
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
}
You missed to name the submit button. So no entry in the $_POST/$_REQUEST array is given. Depending on the php settings you might want to use array_key_exists() to check for an index in the array as isset might throws an error.
I am developing a form in PHP. There are variables which are fix which will be displayed in the link of the web page. But some variable which are passed to other page are in hidden and are not fixed.
Eg.
http://editform.php?var1=23&var2=34 will have hidden variables hidvar=23
http://editform.php?var1=23 this will not have any hidden variable and also var2 is also not there
I have checked for variable in link with isset function.
if(isset($_GET['var2']))
now how to get all the variables values in another page with all combination of hidden variables and variable in Link.
I am further adding code which let you get the Idea what I need. Below web page is saved as webform.php
<?PHP
if(isset($_GET['YID']))
{ $YRID=$_GET["YID"]; }
else
{ $YRID=0; echo "Variable Missing. Program terminated."; }
?>
// GET THE VALUE OF $PASS;
//GET THE VALUE OF SESSIONID;
//GET THE VALUE OF YID.
<form action="WEBFORM.php?PASS=<?PHP echo $PASS;?>" name="FORM1" METHOD="POST">
<?php
//statement which do some operation using $YRID;
?>
<input type="hidden" name="SESSIONID" VALUE="<?PHP echo $SESID; ?>" />
</FORM>
while (list($key, $value) = each($_REQUEST))
{
echo ($key.' '.$value);
}
Where $key is the variable name, $value is variable value
I have tried the below code
isset($_POST['SUBMIT'])
if form is submitted then above code will check the variable which are hidden.
for checking the hidden variables and for the variable in link i have checked using below code
if(isset($_GET['YID']))
if form is not yet submitted then above code will check the variable.
Users of my website can generate a custom form. All the fields are saved in a database with a unique ID. When someone visits the form, the fields 'name' attribute is field*ID*, for example
<p>Your favorite band? <input type="text" name="field28"></p>
<p>Your Favorite color? <input type="text" name="field30"></p>
After submitting the form, I use php to validate the form, but I don't know retrieve the value of $_POST[field28] (or whatever number the field has).
<?
while($field = $query_formfields->fetch(PDO::FETCH_ASSOC))
{
$id = $field[id];
//this doesn't work!!
$user_input = $_POST[field$id];
//validation comes here
}
?>
If anybody can help me out, it's really appreciated!
Add some quotes:
$user_input = $_POST["field$id"];
I'd suggest taking advantage of PHP's array syntax for forms:
<input type="text' name="field[28]" />
You can access this in php with $_GET['field'][28]
$user_input = $_POST['field'.$id];
Remember that you are using a string for the first part of the input name, so try something like: $user_input=$_POST['field'.$id];.
Also, I would suggest calling them into an array to retrieve all data:
<?php
$user_inputs=array();
while($field=$query_formfields->fetch(PDO::FETCH_ASSOC)) {
$id=$field['id'];
$user_inputs[]=$_POST['field'.$id];
}
?>
Please have a look to the following code:
<?php
$nomeDominio='';
if (isset($_GET['infoDominio']))
{
$nomeDominio = $_GET['nomeDominio'];
echo "I'm getting ".$nomeDominio;
}
if (isset($_POST['atualizarDominio']))
{
echo "I'm posting ".$nomeDominio;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Test Case 99</title>
</head>
<body>
<form name="infoDominio" action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="get">
<input id="nome_dominio" type="text" name="nomeDominio" value="<?php echo $nomeDominio; ?>"/>
<br />
<button name="infoDominio" type="submit">Obtem informacao</button>
</form>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" name="atualizarDominio" method="post">
<input type="hidden" value="<?php echo $nomeDominio ?>" name="nome-dominio"/>
<br />
<button type="submit" name="atualizarDominio">atualizar domÃnio</button>
</form>
</body>
</html>
You can copy/paste - it will serve as test case.
Like this, IF we get and then we post:
The value from GET WILL NOT pass into POST.
The thing is:
If we just change the action= property of the second form element to, instead of having the $_SERVER['PHP_SELF'], to have just action="";
you will notice that the value WILL pass.
My question is:
Why?
ADDITIONAL NOTE:
This is not something to solve. Instead, this is something to understand why is it happening this way.
Why, if we change the action on the second form to action="", the value stored in $nomeDominio pass from one conditional into another? The code sample can be used by itself, so you can perfectly test this very easily and see what I'm talking about.
{
$nomeDominio = $_GET['nomeDominio'];
echo "I'm getting ".$nomeDominio;
}
if (isset($_POST['atualizarDominio']))
{
$nomeDominio = $_POST['nomeDominio']; //THIS HERE
echo "I'm posting ".$nomeDominio;
}
you are missing the line with comment THIS HERE
You wanted to pass the _GET['nomeDominio'] from the first form to a hidden field of the second form right? Then when we submit the SECOND form you echo nomeDominio's value again (from the second form's hidden field).
You where missing and assignement in the $_POST: $nomeDominio = $_POST['nomeDominio'];
There you go. If you do not undesrtand I do not know how to say differently.
You are being inconsistent. The top form uses nomeDominio for the element name, where as the bottom form uses nome-dominio. My hunch is that is why one shows up and the other does not, you are accessing the wrong name.
EDIT
Further elaboration:
if (isset($_POST['nomeDominio']))
{
echo "I'm posting ".$_POST['nomeDominio'];
}
Replacing that code, and assuming you chose the nomeDominio for the name, that should work.
If I'm understanding you correctly, you want to be able to propagate the $_GET value even through a POST method. You can do this by appending the query string to the action attribute of the second POST form:
<form action="<?php echo htmlentities($_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'] );?>" name="atualizarDominio" method="post">
EDIT: Ok, I think I understand a bit better.
In the first case, (with the second form action as $_SERVER['PHP_SELF']), you are forcing the form to post the data to the page without all the added $_GET data (if you look at the URL, the $_GET data is appended to the file name after the ?), so when you look for $_GET['infoDominio'], it doesn't exist any more, and therefore $nomeDominio is still set to an empty string. When you send the POST form, the $_POST['atualizarDominio'] IS set, and you get the I'm posting message, but with no value set in $nomeDominio.
Now when you change the action of the second form to "", you are telling the browser to send the user to the same page you were just on, which includes all the $_GET data in the URL (check it - you find the ?nomeDominio=whatever&infoDominio= in the address bar still). When you submit the second form after having submitted the first form, all the $_GET data is propagated, and so $_GET['infoDominio'] is set, $nomeDominio is assigned whatever value you put in the first form, and thus shows up in the page after submitting the second form.
The fact that the form name and the submit button name are the same shouldn't affect it.
If I'm still misunderstanding what you're asking, please let me know. Otherwise I hope this helps.
You have done two mistake. First Mistake
if (isset($_POST['atualizarDominio']))
{
$nomeDominio = $_POST['nomeDominio']; ///Here
echo "I'm posting ".$nomeDominio;
}
Second Mistake
<input type = "hidden" value="<?php echo $nomeDominio; ?>" name="nomeDominio"/><br/>
name="nome-dominio" //This is another Mistake
name="nomedominio" //use it