Similar PHP form code: First throws error if $_REQ

Posted 2019-06-21 22:49

I'm new to PHP so this might be a simple answer. Hopefully I format this correctly and properly to SO standards (still new to the site.)

I'm working on two sets of very similar code submitting form data and using htmlspecialchars to stop XSS attacks in my very basic beginning PHP book via SitePoint. Simple enough, right.

When working with code set 1, I got an error of undefined index once I changed the form action from

<form action="formpost.php" method="post">

to

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

I searched SO and found that I needed to check if $_REQUEST was empty or not in order for there to be no undefined index and to get rid of that error. If someone can explain that portion to me I'd be very grateful. What parameters does something need to fall under in order to become an Index? Thinking out loud, please don't make fun of me, I know I probably sound stupid --> Is it an Index because $_REQUEST being a $_POST, $_GET and $_COOKIE is an array and data within an array is indexed, 0,1,2,3,etc.?

I understand $_REQUEST could be possibly empty because no $_REQUEST has been made (I suppose?) but, being that no script has been activated by entering data into the form, why would it be expecting data to already be in $_REQUEST?

Code Set 1 (throws error [undefined index] unless the script checks if $_REQUEST is empty): In this code I'm just allowing the end-user to post their name via the form field or via a string added manually to the url and have it print.

<?php
if( !empty($_REQUEST) )
{
    $firstname = $_REQUEST['firstname'];
    $lastname = $_REQUEST['lastname'];
    echo 'Welcome to our web site, ' .
        htmlspecialchars($firstname, ENT_QUOTES, 'utf-8') . ' ' .
        htmlspecialchars($lastname, ENT_QUOTES, 'utf-8') . '!';
}
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Query String Link Example</title>
    </head>

    <body>
        <p>
            <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
              <div><label for="firstname">First name:  
                <input type="text" name="firstname" id="firstname"></label>  
              </div>  
              <div><label for="lastname">Last name:  
                <input type="text" name="lastname" id="lastname"></label></div>  
              <div><input type="submit" value="GO"></div>  
            </form>
        </p>
    </body>
</html>

Code Set 2 (does not mind if $_REQUEST is checked or not): In this code I'm doing the same thing, just if it happens to be my exact name, have it print out a special message.

<?php
    $firstname = $_REQUEST['firstname'];
    $lastname = $_REQUEST['lastname'];
        if ($firstname == 'Tommy' && $lastname == 'Loza')
        {
            echo 'Welcome to our web site web master!';
        }
        else
        {
            echo 'Welcome to our web site, ' .
                htmlspecialchars($firstname, ENT_QUOTES, 'utf-8') . ' ' .
                htmlspecialchars($lastname, ENT_QUOTES, 'utf-8') . '!';
        }
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Conditional Query String Link Example</title>
    </head>

    <body>
        <p>
            <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
              <div><label for="firstname">First name:  
                <input type="text" name="firstname" id="firstname"></label>  
              </div>  
              <div><label for="lastname">Last name:  
                <input type="text" name="lastname" id="lastname"></label></div>  
              <div><input type="submit" value="GO"></div>  
            </form>
        </p>
    </body>
</html>

Hopefully I didn't ask too many stupid questions and this post is formatted correctly. Thanks a lot SO community.

Tommy

Tags: php forms
3 answers
Rolldiameter
#2 · 2019-06-21 23:13

As per your question, there are many scenarios in which we need to check for an empty request.

  1. If we have more than one form with a submit button. In that case, if we do not validate the request, it is not possible to distinguish which form has been submitted.

  2. Check boxes and radio boxes are only submitted if they are selected. So it becomes necessary to check whether a check box / radio box has been selected or not.

  3. If you are using a form, always use the post method and validate with $_POST to prevent XSS attacks, because $_REQUEST works for both $_POST and $_GET.

  4. Your second set of code works because text fields always send values when the form is submitted, even if they remain blank.

I hope this will help you.

三岁会撩人
#3 · 2019-06-21 23:33

First, give the submit button a name and check whether it was clicked or not. If the form action points to the same page, there is no need to give an action; just leave it blank. See the code below.

<?php
if(isset($_POST['submit']))
{
    $firstname = $_REQUEST['firstname'];
    $lastname = $_REQUEST['lastname'];
    echo 'Welcome to our web site, ' .
        htmlspecialchars($firstname, ENT_QUOTES, 'utf-8') . ' ' .
        htmlspecialchars($lastname, ENT_QUOTES, 'utf-8') . '!';
}
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Query String Link Example</title>
    </head>

    <body>
        <p>
            <form action="" method="post">
              <div><label for="firstname">First name:  
                <input type="text" name="firstname" id="firstname"></label>  
              </div>  
              <div><label for="lastname">Last name:  
                <input type="text" name="lastname" id="lastname"></label></div>  
              <div><input type="submit" value="GO" name="submit"></div>  
            </form>
        </p>
    </body>
</html>
Root(大扎)
#4 · 2019-06-21 23:34

Basically you can't access a REQUEST index unless it exists.

If you don't use the if statement, it's trying to access the index regardless of whether or not it exists. Therefore, if $_REQUEST['firstname'] does not exist, instead of just defaulting to null, it will give the undefined index error, as $_REQUEST is an array.

If you try and use an undefined variable, it'll say "Undefined Variable" instead of "index".

['firstname'] <- This is the index. If this does not exist, it will error.

Checking if it's empty won't necessarily be the only thing either. I'd also be checking to see if firstname and lastname are set, like so:

if(!empty($_REQUEST) && isset($_REQUEST['firstname']) && isset($_REQUEST['lastname'])){
    //Code here
}

Of course you can then check them individually for the ability to throw individual errors depending on whichever one is missing.

--Edit

Also, you can do the following:

if($_SERVER['REQUEST_METHOD'] == "POST"){
    //code
}

As by default, it is set to "GET".

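The checks discussed in the answers above, combined into one self-posting page as an added example (not code from the question or from any answer): it processes input only on POST, reads each field from $_POST with a per-field missing-value check, and escapes both the names and the form action. The helper names e() and read_fields() are hypothetical, and unlike Code Set 1 it does not accept the name from the URL.

```php
<?php
// Added example (not from the question or answers); e() and read_fields() are hypothetical helpers.
function e(string $value): string   // escape for HTML text and quoted attributes
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Returns [values, errors]. A key that is absent, blank, or not a string
// (firstname[]=x arrives as an array) gets its own error instead of a notice.
function read_fields(array $post, array $names): array
{
    $values = $errors = [];
    foreach ($names as $name) {
        $raw = $post[$name] ?? null;   // ?? avoids the "undefined index" notice
        if (!is_string($raw) || trim($raw) === '') {
            $errors[$name] = "Please fill in $name.";
            continue;
        }
        $values[$name] = trim($raw);
    }
    return [$values, $errors];
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';   // unset under the CLI
$values = $errors = [];
if ($method === 'POST') {   // the first page load is a GET, so nothing is read
    [$values, $errors] = read_fields($_POST, ['firstname', 'lastname']);
}
// PHP_SELF is built from the path the client requested, so it is escaped too.
$action = e($_SERVER['PHP_SELF'] ?? '');
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Self-posting form</title></head>
<body>
<?php if ($method === 'POST' && !$errors): ?>
    <p>Welcome to our web site, <?= e($values['firstname'] . ' ' . $values['lastname']) ?>!</p>
<?php endif; ?>
<?php foreach ($errors as $message): ?>
    <p><?= e($message) ?></p>
<?php endforeach; ?>
<form action="<?= $action ?>" method="post">
    <div><label>First name: <input type="text" name="firstname"></label></div>
    <div><label>Last name: <input type="text" name="lastname"></label></div>
    <div><input type="submit" value="GO"></div>
</form>
</body>
</html>
```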