surefire Posted May 21, 2003

At the request of another TCH member, I wrote this basic little script... It involves two pages. One html (page1.htm) and the other php (page2.php).

page1.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p> </p>
<p> </p>
<form name="form1" method="post" action="page2.php">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="30%">name</td>
<td width="15"> </td>
<td><input name="name" type="text" id="name"></td>
</tr>
<tr>
<td height="24">email</td>
<td> </td>
<td><input name="email" type="text" id="email"></td>
</tr>
<tr>
<td>favorite color</td>
<td> </td>
<td><input name="color" type="text" id="color"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td colspan="3"><div align="center">
<input type="submit" name="Submit" value="Submit">
</div></td>
</tr>
</table>
</form>
<p> </p>
</body>
</html>

page2.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>Hello, <?php print("$name"); ?>....</p>
<p>Thanks for stopping by and telling me that your email is <?php print("$email"); ?> and your favorite color is <?php print("$color"); ?>.</p>
<p> </p>
<p>Have a nice day.</p>
</body>
</html>

Notice that the form on page1 POSTs to page2.php. In other words... whatever is typed into the form is sent over to page2.php in the form of variables named after our text boxes (could have been drop down select buttons or whatever). So the variables are $email, $name, $color. All php variables start with "$". (Some exceptions not worth noting.) You'll also notice that except for three small snippets of code, page2.php is almost completely HTML.
It's also very important that you purposely choose POST in your form instead of GET. Using GET isn't bad... I've heard it's quicker... but the problem is that it sends info in the URL that looks very much like:

page2.php?name=Bob&email=bob@hotmail.com&color=pink

Showing these variables in the browser URL window is (usually) not a good thing.

One last thing. This script doesn't bother to check that $name is a name or resembles a name... similarly, no checking is done with our other variables. DO NOT trust your users to always play nice and input exactly what you want them to in the form. In fact, my experience has taught me to ask several questions:

1- What is the most malicious, code cracking input an evil little mind could type into this form?
2- What is the dumbest thing that someone new to the internet could type into this form?
3- How do I prevent either from ruining my script?

Normally, I would use a combination of form validating javascript on the front of the form and back up my security with PHP functions like htmlspecialchars() on the back end. And if it's going to a database, you need addslashes() and stripslashes()... But I digress. That's info for MUCH later.
TCH-JimE Posted May 21, 2003

Excellent. One little thing I would like to point out is that page 2 must be saved as a PHP file, otherwise it won't work. Normally I save everything in PHP to save hassle later.

Jim
surefire (Author) Posted May 21, 2003

Also, if you wanted to have a form on page2.php and POST the form information and the info from page1.htm, then here's one way to do it. In the form on page2.php, create hidden variable tags and then use the php print() function to create the necessary html. Example:

<input name="hiddenField" type="hidden" value="<?php print($name) ;?>">
surefire (Author) Posted May 21, 2003

Jimuni... as usual... is right. page2 MUST be saved as php.

Rule: if your page has <?php in it... it must be saved as php or else the server doesn't know it should be ready to read php.

Rule 2: if your page is saved (and served) as whatever.php but doesn't have any php in it... the server doesn't care. You still get to pass go and collect $200.

I wrote the last little script to indicate that just having one php page in your site doesn't require changing EVERY page to .php... but you certainly could. I do.
TCH-JimE Posted May 21, 2003

Hi,

Just another thought: any fields you want to include, whether hidden or not, must be unique. If you have several fields where people fill in their name, say name, surname, forename, they must all be called something different. It also helps that when using say $email the original field is "email" in the same case! Hopefully that will stop a few hair wrenchings!

Jim
freddy Posted May 21, 2003

Actually page2.php is not really working the way you have put it there. You forgot to actually get the submitted values. Sending a form using the POST method you use $_POST; using the GET method you should use $_GET.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php
$name  = $_POST['name'];
$email = $_POST['email'];
$color = $_POST['color'];
?>
<p>Hello, <?php echo $name; ?>....</p>
<p>Thanks for stopping by and telling me that your email is <?php echo $email; ?> and your favorite color is <?php echo $color; ?>.</p>
<p> </p>
<p>Have a nice day.</p>
</body>
</html>
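Putting freddy's $_POST correction together with the input-checking and htmlspecialchars() advice from surefire's first post, and the hidden-field trick from his follow-up, here is what a hardened page2.php could look like. This is an added example, not code from any post in the thread. It assumes the field names from page1.htm ("name", "email", "color"), a hypothetical page3.php as the next step, and a colour list and length limit chosen purely for illustration; filter_var() needs PHP 5.2 or later, so it would not have run on the PHP 4 servers the thread is talking about.

```php
<?php
// Added example, not code from the thread. Assumes the form from page1.htm
// posts the fields "name", "email" and "color" to this script.

// Read only from $_POST (never from register_globals), and tolerate a missing
// field instead of emitting an "undefined index" notice.
function post_field($key)
{
    return isset($_POST[$key]) ? trim((string) $_POST[$key]) : '';
}

// Escape for an HTML text or attribute context. ENT_QUOTES covers both
// single- and double-quoted attributes, such as the hidden fields below.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Validation answers surefire's "what could someone type in here?" questions:
// lengths are capped, the e-mail must parse as one, and colour is restricted
// to a short list. The list and the 60-character cap are assumptions.
$allowed_colors = array('red', 'green', 'blue', 'pink');
$errors = array();

$name  = post_field('name');
$email = post_field('email');
$color = strtolower(post_field('color'));

if ($name === '' || strlen($name) > 60) {
    $errors[] = 'Please enter a name of at most 60 characters.';
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'That does not look like an e-mail address.';
}
if (!in_array($color, $allowed_colors, true)) {
    $errors[] = 'Please pick one of: ' . implode(', ', $allowed_colors) . '.';
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>
<body>
<?php if ($errors): ?>
<p>Sorry, the form was not filled in correctly:</p>
<ul>
<?php foreach ($errors as $message): ?>
<li><?php echo h($message); ?></li>
<?php endforeach; ?>
</ul>
<?php else: ?>
<p>Hello, <?php echo h($name); ?>....</p>
<p>Thanks for stopping by and telling me that your email is <?php echo h($email); ?>
and your favorite color is <?php echo h($color); ?>.</p>
<!-- Carrying the values on to a third page (page3.php is hypothetical):
     the same escaping protects the attribute value, so a quote typed into
     the form cannot break out of the value="..." and into the markup. -->
<form method="post" action="page3.php">
<input type="hidden" name="name" value="<?php echo h($name); ?>">
<input type="hidden" name="email" value="<?php echo h($email); ?>">
<input type="hidden" name="color" value="<?php echo h($color); ?>">
<input type="submit" value="Continue">
</form>
<p>Have a nice day.</p>
<?php endif; ?>
</body>
</html>
```

Two design points worth noting. Every value that came from the browser passes through h() on the way back out, whether it lands in a paragraph or in a hidden field's value attribute; the hidden field on page3 is still user input and must be validated again there, because a client can post anything to page3.php directly. And for the database case the first post mentions, addslashes() is no longer the recommended approach: prepared statements with bound parameters (for example through PDO) keep the data separate from the SQL text instead of trying to escape it.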
surefire (Author) Posted May 21, 2003

Freddy... your code is more elegant and also safer from a security standpoint. This is an excellent piece of advice that you've pointed out and I've been meaning to "re-teach" myself this method for safety reasons. Thanks for reminding me.

But you said: "Actually page2.php is not really working the way you have put it there."

You freaked me out so I uploaded the pages to test them out. They work. But without a doubt... your modifications are a significant improvement over my code.

Hey... I don't know everything.
freddy Posted May 21, 2003

I checked it before I posted... I have an XP Pro with IIS5 webserver running here and it doesn't work the way you have put it there. It might work on Linux/Apache, I didn't test that... Sorry if I jumped to conclusions.

p.s. I also don't know everything
surefire (Author) Posted May 21, 2003

No prob... I like your code better, and the fact that it doesn't require Apache to work is a plus. I guess you installed it on a non-TCH machine... cause I thought all TCH servers were Apache. I dunno. Only been here ten days or so.

Just to clarify... I wasn't hurt or offended; your modifications are excellent and should absolutely be used. I'm going to be changing my current code on my sites. From what I've read, this is a feature that was added to php4. Since php4 has been out for a while... it's high time I update my code and take advantage of the benefits.
freddy Posted May 21, 2003

This XP server I was talking about is a machine I have running here privately... so yes, it's non-TCH. I'm only using it for testing purposes...
SEO Posted May 21, 2003

Good work guys! Everybody hitting us at once. We need to come up with a name for these P(eople)H(elping)P(eople). Seriously.... very good posts!