
Hello all! I am currently taking a PHP/SQL class and I am stumped on one of my assignments. We are building a form and I have a list of requirements for this step of the project. They are:
1. Submits the form to itself.  
2. Displays the Alien Abduction Form. Remember, your PHP script should be set up to display this page - do not use a separate HTML form. You should be able to copy and paste your code from the html form lab into a function.
3. Make all the form fields sticky. If there is an error in filling out the form no input data should be lost. It should redisplay the information entered (including radio buttons) along with any appropriate error messages.
4. Display error messages on the html form (don't take the user to a separate error page).
5. Display a confirmation page once all information has been filled in and submitted. At this point the form should not redisplay.
I am at the point where I need to make the form fields sticky. I completed an exercise with an MPG calculator to make the fields sticky and that exercise will run correctly from my server. So my logic is the code that worked for one field would work in another. But, when I place the code in my assignment, the PHP code shows in the browser. I have looked at php.net for help with what would cause this and a few other forums but I can't seem to find this happening to anyone else. I have attached a screenshot of what I am getting along with the code. Thanks in advance for any help and advice.
<?php
ini_set('display_errors',1);  error_reporting(E_ALL);

$page_title = 'Alien Abduction Form';
include ('header.html');

// Create post variables
if($_SERVER['REQUEST_METHOD'] == 'POST') {
	$firstname = $_POST['fname'];
	$lastname = $_POST['lname'];
	$when = $_POST['when'];
	$length = $_POST['length'];
	$see = $_POST['see'];
	$look= $_POST['look'];
	$do= $_POST['do'];
	$seen= $_POST['seen'];
	$comments= $_POST['comments'];
	$email = $_POST['email'];
	validation(); };

// Create functions to validate first name, last name, email and if they saw fluffy
function validation () { 

if (!empty($_POST['fname'])) {
	$firstname = $_POST['fname'];
	$firstnameerror = NULL;	
	echo '<p>Sorry, you must give your First Name!</p>';}

if (!empty($_POST['lname'])) {
	$lastname = $_POST['lname']; }
	else {
	$lastname = NULL;
	echo '<p>Sorry, you must give your Last Name!</p>'; }

if (!empty($_POST['email'])) {
	$email = $_POST['email']; }
	else {
	$email = NULL;
	echo '<p>Sorry, you must provide an email address!</p>'; }

if (isset($_POST['seen'])) {
	$seen =  $_POST['seen']; }
	elseif ($seen == "no") 
		{ echo '<p>Darn, we really miss him!</p>'; }
	elseif ($seen = NULL) 
		{ echo '<p>Sorry you have not told us if you saw Fluffy or not!</p>' ; }
	else
		 { $seen = NULL ;
		echo '<p>Sorry, you did not tell us if you saw Fluffy or not!</p>'; }}

// create confirmation function

function confirmation () {
	if ($lastname && $firstname && $email && $seen == true) 
	{ echo "<p>Thanks for submitting the form <emp><b>$firstname $lastname</b></emp>!</p>
<p>This is what we got: <br> You were abducted: <b> $when</b> for <b>$length</b></p>
<p>You saw <b>$see</b> aliens that appeared <b>$look</b></p>
<p>You answered: <b>$seen</b> in regards to seeing Fluffy.</p>
<p> Here are your additional comments: <br> $comments</p> \n"; 
	} else { validation() ;}
}
	
echo '<p>Share your story of alien abduction:</p>
<p>Please note, anything with an asertisk (<b>*</b>) is required.</p>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="abductreport">
<!-- First Name Input --!>
<label for="fname">First Name:<b>*</b></label> 
	<input type="text" name="fname" id="fname" placeholder="First Name" value="<?php echo $fname ?>"><br>
	
<label for="lname">Last Name:<b>*</b></label> 
	<input type="text" name="lname" id="lname" placeholder="Last Name"><br>
<label for="email">What is your Email address?<b>*</b></label> 
	<input type="email" name="email" id="email" placeholder="Email"><br>
<label for="when">When did it happen?</label> 
	<input type="date" name="when" id="when"><br>
<label for="length">How long were you gone?</label> 
	<input type="text" name="length" id="length" placeholder="days, months, years?"><br>
<label for="see">How many did you see?</label> 
	<input type="number" name="see" id="see" placeholder="Enter a Number"><br>
<label for="look">Describe them:</label>
	<input type="text" name="look" id="look" placeholder="What was their appearance?"><br>
<label for="do">What did they do you to?</label>
	<input type="text" name="do" id="do" placeholder="Describe what they did"><br>
Have you seen my dog fluffy?<b>*</b>
	<input type="radio" name="seen" id="yes" value="yes">Yes 
	<input type="radio" name="seen" id="no" value="no">No<br>
<img src="fluffy.jpg" alt="Have you seen Fluffy?"><br>
<label for="comments">Anything else you want to Add?</label>
	<textarea rows="3" cols="50" name="comments" id="comments" placeholder="Your comments..."></textarea><br><br>
<input type="submit" value="Report Abduction">
</form>'
?>'

 


You're trying to switch into PHP mode within a PHP string. This cannot be done, because you already are in PHP mode. A quick fix would be to either insert the variables directly into a double-quoted(!) string or use string concatenation:

<?php

$name = 'ctapp';

echo "Hello {$name}, how are you?<br>";
// or:
echo 'Hello '.$name.', how are you?<br>';

The code in general is very difficult to read, because you're constantly switching between PHP code and HTML markup. To make the script more readable (for others as well as yourself), keep things separate: Move the PHP code to the top and the HTML to the bottom:

<?php

// code goes here
$name = 'ctapp';

// HTML below:
?>
<!DOCTYPE HTML>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Page title</title>
    </head>
    <body>
        <p>Hello <?= $name ?>, how are you?</p>
    </body>
</html>

The <?= ... ?> syntax is a shortcut for <?php echo ... ?>.

Edited by Jacques1

Thank you so much Jacques1!

I was able to clean things up (even though I'm not too clear on how not to mix a little PHP with HTML when the data for the variables comes from the user's input) and got everything to be 'sticky'.

Unfortunately, I have a new problem with the confirmation function. I am using an if statement in the function. When I load it to the server, I get an error that there is an undefined variable in the if statement. I declared the variables in the previous function. I thought that if a variable is declared and given a value, it holds that value until changed. Am I wrong in this? Or can't I pass multiple conditionals as parameters? I'm not sure what I am doing wrong! I have attached my updated code along with a screen shot.

<?php
ini_set('display_errors',1);  error_reporting(E_ALL);

include_once 'header.html';

// Create function for a sticky radio element
function fluffy($value, $name = 'seen') {
	echo '<input type="radio" name="'. $name .'" value="'. $value . '"'; // creates radio element
	
	if (isset($_POST[$name]) && ($_POST[$name] == $value)) { 
		echo ' checked="checked"'; 	} //makes radio button sticky 
		
	echo '>' . $value .' '; // closes radio element
	}

// Create variables and create functions to validate first name, last name, email and if they saw fluffy
function validation () { 
	if($_SERVER['REQUEST_METHOD'] == 'SELF') {
		$firstname = $_POST['fname'];
		$lastname = $_POST['lname'];
		$when = $_POST['when'];
		$length = $_POST['length'];
		$seen = $_POST['seen'];
		$look= $_POST['look'];
		$do= $_POST['do'];
		$seen= $_POST['seen'];
		$comments= $_POST['comments'];
		$email = $_POST['email'];

if (!empty($_POST['fname'])) {
	$firstname = $_POST['fname']; }
	else { $firstname = NULL;	
	echo '<p>Sorry, you must give your First Name!</p>';}

if (!empty($_POST['lname'])) {
	$lastname = $_POST['lname']; }
	else { $lastname = NULL;
	echo '<p>Sorry, you must give your Last Name!</p>'; }

if (!empty($_POST['email'])) {
	$email = $_POST['email']; }
	else {
	$email = NULL;
	echo '<p>Sorry, you must provide an email address!</p>'; }

if (isset($_POST['seen'])) {
		$seen =  $_POST['seen']; }
	elseif ($seen = "no") 
		{ echo '<p>Darn, we really miss him!</p>'; }
	elseif ($seen = NULL) 
		{ echo '<p>Sorry you have not told us if you saw Fluffy or not!</p>' ; }
	else
		 { $seen == NULL ;
		echo '<p>Sorry, you did not tell us if you saw Fluffy or not!</p>'; }
		};
} 

function confirmation() {
	 if ($firstname && $lastname && $email && $seen == true) {
		echo "<p>Thanks for submitting the form <emp><b>$firstname $lastname</b></emp>!</p>
		<p>This is what we got: <br> You were abducted: <b> $when</b> for <b>$length</b></p>
		<p>You saw <b>$see</b> aliens that appeared <b>$look</b></p>
		<p>You answered: <b>$seen</b> in regards to seeing Fluffy.</p>
		<p> Here are your additional comments: <br> $comments</p> <hr> \n"; }
}
echo confirmation();
?>
<form method="POST" action="" name="abductreport">
<label for="fname">First Name:<b>*</b></label> 
	<input type="text" name="fname" id="fname" placeholder="First Name" value="<?php if(isset($_POST['fname']))  echo $_POST['fname']; ?>"><br>
	
<label for="lname">Last Name:<b>*</b></label> 
	<input type="text" name="lname" id="lname" placeholder="Last Name" value="<?php if(isset($_POST['lname']))  echo $_POST['lname']; ?>"><br>

<label for="email">What is your Email address?<b>*</b></label> 
	<input type="email" name="email" id="email" placeholder="Email" value="<?php if(isset($_POST['email']))  echo $_POST['email']; ?>"><br>

<label for="when">When did it happen?</label> 
	<input type="date" name="when" id="when" value="<?php if(isset($_POST['when']))  echo $_POST['when']; ?>"><br>

<label for="length">How long were you gone?</label> 
	<input type="text" name="length" id="length" placeholder="days, months, years?" value="<?php if(isset($_POST['length']))  echo $_POST['length']; ?>"><br>

<label for="see">How many did you see?</label> 
	<input type="number" name="seen" id="seen" placeholder="Enter a Number" value="<?php if(isset($_POST['seen']))  echo $_POST['seen']; ?>"><br>

<label for="look">Describe them:</label>
	<input type="text" name="look" id="look" placeholder="What was their appearance?" value="<?php if(isset($_POST['look']))  echo $_POST['look']; ?>"><br>

<label for="do">What did they do you to?</label>
	<input type="text" name="do" id="do" placeholder="Describe what they did" value="<?php if(isset($_POST['do']))  echo $_POST['do']; ?>"><br>

Have you seen my dog fluffy?<b>*</b>
	<?= fluffy('Yes'); 
		fluffy('No'); ?>
        <br><img src="fluffy.jpg" alt="Have you seen Fluffy?"><br>

<label for="comments">Anything else you want to Add?</label>
	<textarea rows="3" cols="50" name="comments" id="comments" placeholder="Anything else you would like to add"> 
		<?php if(isset($_POST['comments']))  echo $_POST['comments']; ?> 
     </textarea><br><br>
<input type="submit" value="Report Abduction">
</form>


Each function has its own scope, which means it cannot “see” variables from the surrounding code (with a few exceptions), and the surrounding code cannot “see” the function's local variables. In other words, all those variables in your validation() function are killed as soon as the function returns, and the confirmation() function has no chance of ever getting the variable values.

 

This is why functions have parameters and a return value. The parameters are for the input, the return value is for the output. In your case, the validation() function should return true if the validation was successful and false otherwise. Then the surrounding code can either display the “Thanks for submitting” message or not. The confirmation() function is unnecessary.

Edited by Jacques1
  • Like 1
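
The parameter-and-return-value approach described in the post above, as an added example that is not part of the original thread. The names `e()`, `validate_report()` and `handle_request()` and the constructed sample requests are assumptions; the field names follow the form posted earlier.

```php
<?php
// Added example (not from the thread). e(), validate_report() and
// handle_request() are illustrative names; field names match the form above.

/** Escape a value for output in HTML text or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Validate the submitted fields.
 * Input comes in as a parameter, results go out as the return value:
 * nothing here depends on variables from the surrounding scope.
 *
 * @return array [values, errors]
 */
function validate_report(array $post): array
{
    $values = [];
    $errors = [];

    // Every expected field gets a string value, even if the client left it out
    // or sent an array (fname[]=x), so later code never sees a missing index.
    foreach (['fname', 'lname', 'email', 'seen'] as $field) {
        $raw = $post[$field] ?? '';
        $values[$field] = is_string($raw) ? trim($raw) : '';
    }

    if ($values['fname'] === '') {
        $errors[] = 'Sorry, you must give your First Name!';
    }
    if ($values['lname'] === '') {
        $errors[] = 'Sorry, you must give your Last Name!';
    }
    if (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Sorry, you must provide an email address!';
    }
    if (!in_array($values['seen'], ['yes', 'no'], true)) {
        $errors[] = 'Sorry, you did not tell us if you saw Fluffy or not!';
    }

    return [$values, $errors];
}

/** Build the page body for one request: confirmation or sticky form. */
function handle_request(string $method, array $post): string
{
    [$values, $errors] = validate_report($post);

    if ($method === 'POST' && $errors === []) {
        return '<p>Thanks for submitting the form <b>'
            . e($values['fname'] . ' ' . $values['lname']) . "</b>!</p>\n";
    }

    $html = '';
    if ($method === 'POST') {           // no error messages on the first GET
        foreach ($errors as $error) {
            $html .= '<p>' . e($error) . "</p>\n";
        }
    }
    $html .= "<form method=\"post\" action=\"\">\n";
    foreach (['fname', 'lname', 'email'] as $field) {
        // Sticky value: always escaped, whatever the client sent.
        $html .= '<input type="text" name="' . $field . '" value="' . e($values[$field]) . "\">\n";
    }
    foreach (['yes', 'no'] as $option) {
        $checked = $values['seen'] === $option ? ' checked' : '';
        $html .= '<input type="radio" name="seen" value="' . $option . '"' . $checked . '>' . $option . "\n";
    }
    return $html . "<input type=\"submit\" value=\"Report Abduction\">\n</form>\n";
}

// Constructed sample requests so the script runs from the command line.
$samples = [
    'missing lname, markup in fname' => ['fname' => '"><b>Joe', 'email' => 'joe@example.com', 'seen' => 'no'],
    'complete' => ['fname' => 'Joe', 'lname' => 'Smith', 'email' => 'joe@example.com', 'seen' => 'yes'],
];
foreach ($samples as $label => $post) {
    echo "--- $label ---\n", handle_request('POST', $post);
}
```

On the real page the final loop becomes `echo handle_request($_SERVER['REQUEST_METHOD'], $_POST);`.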

I didn't spend a great deal of time on it, but maybe there is something you can use.

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

include_once 'header.html';

$errors     = array();
$firstname  = '';
$lastname   = '';
$email      = '';
$when       = '';
$length     = '';
$seen       = '';
$look       = '';
$do         = '';
$seenfluffy = 'no';
$fluffymessage = '';
$comments   = '';
$confirm = false;




if (isset($_POST['submit'])) {
    
    if (isset($_POST['fname']) && trim($_POST['fname']) != '') {
        $firstname = $_POST['fname'];
    } else {
        $errors[] = "<p>Sorry, you must give your First Name!</p>";
    }
    
    if (isset($_POST['lname']) && trim($_POST['lname']) != '') {
        $lastname = $_POST['lname'];
    } else {
        $errors[] = "<p>Sorry, you must give your Last Name!</p>";
    }
    
    if (isset($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        $email = $_POST['email'];
    } else {
        $errors[] = "<p>Sorry, you must provide an email address!</p>";
    }
    
    if (isset($_POST['when']) && trim($_POST['when']) != '') {
        $when = $_POST['when'];
    } else {
        $errors[] = "<p>Sorry, you must tell when it happened!</p>";
    }
    
    if (isset($_POST['length']) && trim($_POST['length']) != '') {
        $length = $_POST['length'];
    } else {
        $errors[] = "<p>Sorry, you must tell how long were gone!</p>";
    }
    
    if (isset($_POST['seen']) && ctype_digit($_POST['seen']) && $_POST['seen'] >= 0) {
        $seen = $_POST['seen'];
    } else {
        $errors[] = "<p>How many saw must be zero or positive number</p>";
    }
    
    if (isset($_POST['look']) && trim($_POST['look']) != '') {
        $look = $_POST['look'];
    } else {
        //optional error
        //$errors[] = "<p>Did you see them?</p>";
    }
    
    if (isset($_POST['do']) && trim($_POST['do']) != '') {
        $do = $_POST['do'];
    } else {
        //optional error
        //$errors[] = "<p>Did they do anything to you or not?</p>";
    }
    
    if (isset($_POST['seenfluffy']) && trim($_POST['seenfluffy']) != '') {
        $seenfluffy = $_POST['seenfluffy'];
        if ($seenfluffy == "yes") {
            $fluffymessage = "<p>Wow, you saw Fluffy!</p>";
        } elseif ($seenfluffy == "no") {
            $fluffymessage = "<p>Darn, we really miss him!</p>";
        } else {
            $seenfluffy = 'no';
        }
    }
    
    if ($seenfluffy == '') {
        //$errors[] = "<p>Sorry, you did not tell us if you saw Fluffy or not!</p>";
    }
    
    if (isset($_POST['comments']) && trim($_POST['comments']) != '') {
        $comments = $_POST['comments'];
    } else {
        //optional error
        //$errors[] = "<p>Any comments?</p>";
    }
    
    if (!empty($errors)) {
        foreach ($errors as $error) {
            echo $error;
        }
    }
    
    
    
    
    
    if (empty($errors)) {
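		$confirm = true;
        // Escape user input before echoing it back into the page
        $h = array_map(
            function ($value) { return htmlspecialchars($value, ENT_QUOTES); },
            compact('firstname', 'lastname', 'when', 'length', 'seen', 'look', 'seenfluffy', 'comments')
        );
        echo "<p>Thanks for submitting the form <em><b>{$h['firstname']} {$h['lastname']}</b></em>!</p>
            <p>This is what we got: <br> You were abducted: <b> {$h['when']}</b> for <b>{$h['length']}</b></p>
            <p>You saw <b>{$h['seen']}</b> aliens that appeared <b>{$h['look']}</b></p>
            <p>You answered: <b>{$h['seenfluffy']}</b> in regards to seeing Fluffy.</p>
            <p> Here are your additional comments: <br> {$h['comments']}</p> <hr> \n";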
    }
    
} //end post submit

if($confirm == false){
?>
   <form method="POST" action="" name="abductreport">
    <label for="fname">First Name:<b>*</b></label> 
        <input type="text" name="fname" id="fname" placeholder="First Name" value="<?php
echo htmlspecialchars($firstname, ENT_QUOTES);
?>"><br>
        
    <label for="lname">Last Name:<b>*</b></label> 
        <input type="text" name="lname" id="lname" placeholder="Last Name" value="<?php
echo htmlspecialchars($lastname, ENT_QUOTES);
?>"><br>
    
    <label for="email">What is your Email address?<b>*</b></label> 
        <input type="email" name="email" id="email" placeholder="Email" value="<?php
echo htmlspecialchars($email, ENT_QUOTES);
?>"><br>
    
    <label for="when">When did it happen?</label> 
        <input type="date" name="when" id="when" value="<?php
echo htmlspecialchars($when, ENT_QUOTES);
?>"><br>
    
    <label for="length">How long were you gone?</label> 
        <input type="text" name="length" id="length" placeholder="days, months, years?" value="<?php
echo htmlspecialchars($length, ENT_QUOTES);
?>"><br>
    
    <label for="see">How many did you see?</label> 
        <input type="number" name="seen" id="seen" placeholder="Enter a Number" value="<?php
echo htmlspecialchars($seen, ENT_QUOTES);
?>"><br>
    
    <label for="look">Describe them:</label>
        <input type="text" name="look" id="look" placeholder="What was their appearance?" value="<?php
echo htmlspecialchars($look, ENT_QUOTES);
?>"><br>
    
    <label for="do">What did they do you to?</label>
        <input type="text" name="do" id="do" placeholder="Describe what they did" value="<?php
echo htmlspecialchars($do, ENT_QUOTES);
?>"><br>
    
    <label for="seenfluffy">Have you seen my dog fluffy?<b>*</b></label>
    <input type="radio" name="seenfluffy"
<?php
if ($seenfluffy == "yes")
    echo " checked ";
?>
value="yes">Yes
<input type="radio" name="seenfluffy"
<?php
if ($seenfluffy == "no")
    echo " checked ";
?>
value="no">No
        <br /><img src="fluffy.jpg" alt="Have you seen Fluffy?"><br />
 <?php
if ($fluffymessage != '') {
    echo $fluffymessage;
}
?> 
    <label for="comments">Anything else you want to Add?</label>
        <textarea rows="3" cols="50" name="comments" id="comments" placeholder="Anything else you would like to add"> 
            <?php
echo htmlspecialchars($comments, ENT_QUOTES);
;
?> 
         </textarea><br><br>
    <input type="submit" name="submit" value="Report Abduction">
    </form>
<?php }?>
Edited by QuickOldCar

You don't want to do this: if (isset($_POST['submit'])) {

 

It will completely fail under certain conditions. The correct and error proof way is

 

if ($_SERVER['REQUEST_METHOD'] == 'POST')

 

You also don't need to do all those trims. You can trim the whole post array all at once then get rid of all those issets and check for !empty. As far as the form being submitted, all the fields are going to be isset already. You can cut down the code by at least 50%.

Edited by benanamen

As far as the form being submitted, all the fields are going to be isset already.

 

How is this supposed to work? The POST check doesn't tell you anything except that the client has made a POST request.

 

So I'm afraid you can't leave out 50% of the code. Sure, you could just hope that nobody will recognize the lack of error checking, but I wouldn't recommend that, not even for a school project. Any halfway competent teacher will test the code with invalid input, and if that results in a stream of PHP errors, the OP has a problem.

I think you misunderstood what I said because of the way I worded it. I should have said

 

"As far as the form being submitted, all the fields are going to be isset already when the form is submitted."

 

I didn't mean remove the error checking, just the isset, still check for empty. On submit, all the form fields other than check boxes will be isset so there is no point checking for it.

 

It was also in specific response to the code from QuickOldCar. OP had it right.

 

OP Example:

if (!empty($_POST['fname'])) {
	$firstname = $_POST['fname'];
	$firstnameerror = NULL;
	echo '<p>Sorry, you must give your First Name!</p>';}

 

 

 

 

Here is what I meant in code:

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
    // Not this. It will always be isset when using provided form
    if (isset($_POST['field']))
        {
        echo 'Field Set<br>';
        }

    // Check for empty instead
    if (empty($_POST['field']))
        {
        echo 'Field Empty';
        }
    }
?>

<form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post">
 <input name="field">
 <input name="submit" type="submit" value="Submit">
</form>
Edited by benanamen

* Actually, OP has a problem in his code I used as an example. He says if firstname is not empty, set $firstname,

Then he says echo '<p>Sorry, you must give your First Name!</p>';} Which is not right since first name was not empty.

Edited by benanamen

On submit, all the form fields other than check boxes will be isset so there is no point checking for it.

 

You're hoping that all fields will be set, but that doesn't mean the client will do you that favor. And there can always be bugs in our own code (at least when it's more complex).

 

One of the first things my teacher would have done is remove a field and see what happens. If the program starts spilling random PHP error messages, then the underlying code is bad, because it cannot handle this situation.

 

Sure, we could again hope that the teacher is incompetent and doesn't understand testing, but I wouldn't recommend that, especially when writing proper code only requires a few more keystrokes. I'd make the code as robust as possible (like QuickOldCar did).

Using the provided form, under what possible conditions would the form fields not be set on POST (other than unchecked checkboxes)? Is there a test case that would prove that out? I get that it is not that much more code, but I am always wanting to know what will fail and under what conditions.

Edited by benanamen

Open Firebug (or whatever developer tools you're using), remove one of the fields and submit the form. Without isset(), you'll get a stream of random error messages and possibly all kinds of unwanted side-effects. The same can be achieved by sending an empty POST request with cURL.

 

If the form is generated dynamically (which isn't the case here), missing fields can also be caused by template bugs or program errors.

 

Don't make any assumptions about the input.

In this particular case, I deleted the lname field and changed the error check to

 

    if ($_POST['lname'] != '') {
        $lastname = $_POST['lname'];
    } else {
        $errors[] = "<p>Sorry, you must give your Last Name!</p>";
    }

What I get (with error checking on) is undefined index (ONLY) which is exactly to be expected. Firebug not even needed although I did look there. While in development mode the problem isn't going to get past you without you knowing it. In this case, if you leave the isset, you are never going to know that you are either missing the field you expect, or you are doing an error check you don't want. It will just silently be ignored. So in this instance I see it as bad to have the isset.

 

missing fields can also be caused by template bugs

 

In development, you are going to know about this and be able to fix it before going to production. If your dev environment matches the production environment, which ultimately, it should, it's not going to unknowingly make it to production.

 

I suppose in a group development with different people doing things it would serve as a safety net. It definitely isn't going to hurt anything to do it that way.

 

Everything I have ever done I was the only programmer so I have never experienced problems from multiple coders. Only once I was coder and another guy did the design.

Edited by benanamen

Curl test case same EXACT result. (Of course need to change the if submit line to if ($_SERVER['REQUEST_METHOD'] == 'POST'))

<?php
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => 'http://localhost/help.php',
    CURLOPT_USERAGENT => 'cURL Request',
    CURLOPT_POST => 1,
    CURLOPT_POSTFIELDS => array(
        'fname' => 'Joe',
        'email' => '[email protected]'
    )
));
echo $resp = curl_exec($curl);
curl_close($curl);
?>

You've now switched to a different approach. When you check for $_POST['foo'] != '', you effectively are doing an isset() check, except that it's poorly implemented, floods your error log with useless warnings and makes it harder to spot actual defects.

 

Initially, you said that we could just assume that all parameters are present, which is clearly wrong and can lead to severe problems. There's no guarantee that all parts of the code (including libraries) are ready to handle the garbage input you've let through. In fact: According to your own logic, every functionality should just assume that the input is correct and go on, doing who-knows-what until the program finally blows up.

 

Bug-free software is also something that just doesn't exist in reality. No matter how much you test your code, there will be bugs, and your application must be able to deal with that.

 

The only argument which is somewhat valid is that you consider missing fields to be bugs. But even then it makes no sense to rely on the built-in index warning. You'll want a meaningful message in your log, and you'll probably want to abort the script altogether.

 

So no matter how you look at it, leaving out the isset() checks or replacing them with a bad alternative is just wrong. You might use empty(), though, because that is actually an extended isset() check.

You've now switched to a different approach. When you check for $_POST['foo'] != '', you effectively are doing an isset() check, except that it's poorly implemented, floods your error log with useless warnings and makes it harder to spot actual defects.

 

I used quickoldcar's code example instead of what I actually proposed in #9. Nevertheless, the resulting error is exactly the same. If you look at my code in #9 it does use empty as you say.

 

You might use empty(), though, because that is actually an extended isset() check.

 

What I proposed in #9:

// Check for empty instead
if (empty($_POST['field']))
{
    echo 'Field Empty';
}

 

 makes it harder to spot actual defects.

 

Using the isset makes it impossible to spot the issue that the expected field is not even in the form at all since it silently hides it. The only way you would ever know is by reading the code and seeing the form field doesn't exist. There will be no error in the logs, no error on the screen with error reporting on. No nothing except all the missing data you thought you were getting.

 

The only argument which is somewhat valid is that you consider missing fields to be bugs. But even then it makes no sense to rely on the built-in index warning. You'll want a meaningful message in your log, and you'll probably want to abort the script altogether.

 

I would call anything that generates a system error a bug even if it is just a notice. It means something is wrong and needs to be fixed. I would say the following is pretty meaningful as to what and where the problem is: Notice: Undefined index: lname in E:\xampp\htdocs\help.php on line 32. Whether you see it in the logs or on the screen it is quite clear. You are also not going to want to abort the script on an undefined index. The worst that is happening using your example of removing the field is you're not getting that piece of data. Using isset, you will never know until you look for the data and it is not there. With what I proposed, you are at the least getting the error logged which should be being checked regularly anyways. As you said, there are going to be bugs that will make it to production. Usually found because users do crazy stuff you would never think they would do.

 

In fact: According to your own logic, every functionality should just assume that the input is correct and go on, doing who-knows-what until the program finally blows up.

 

I am pretty sure that is not what I am saying. My comments are specifically relating to whether a site supplied form field will always be isset when POST is submitted or not and if not, under what code provable conditions will it not be. I also tested in Curl and it makes no difference. Besides a form or curl, what other way is someone going to POST your expected form data?

 

I am not saying there is not a case where what I proposed will be a problem, but I am saying I don't know of it and would like to know what it is.

 

Same type of thing when we had our conversation about if ($_SERVER['REQUEST_METHOD'] == 'POST') VS if ($_POST). You were able to show me specific cases to support $_SERVER['REQUEST_METHOD'] == 'POST' being the correct way and how it could fail otherwise. I want to know what I know, not just because someone says it and if I repeat it to someone else, to be able to back it up in code.

 

Using your example of removing the form field and, as actual code testing shows, how are you going to know that the error check for missing lname is looking for a form field that doesn't even exist if the problem is completely hidden with the isset? 

Edited by benanamen

Note that the empty() function also suppresses index warnings, so if you do want warnings, you'll have to go back to $_POST['param'] != ''. To be honest, I don't care too much about the exact check as long as there is a check. What I object to is the statement that you could just rely on all parameters being present.

 

Like I said, I understand why you would want to log missing fields, but I think relying on “Undefined index” notices is a very poor approach to that.

 

By itself, a missing parameter is a client-side problem. People and bots send all kinds of data in all kinds of ways, and sometimes they simply don't provide all required parameters. Of course a client-side error can be rooted in a server-side bug, but if you want to log that systematically, you'll need a lot more than a few index checks: What if you get a value from a select field which doesn't match any of the options? What if you get a text input which exceeds the field limit? What if you get data which should have been caught by the HTML5 or JavaScript validation? Ignoring those potential rendering issues only because PHP doesn't automatically emit a warning seems arbitrary.

 

Notices also do get overlooked. If your own code never produces any unnecessary error messages, and if your error reporting is always set to -1, that's great. But not everybody is in that position. For example, I had to deal with bigger applications which would literally flood the error log with notices just by running normally. Nobody is going to wade through the entire log to find the one notice which indicates a template. However, people do react to meaningful warnings and fatal errors:

Warning: No POST parameter "lname" provided (missing form field?) in ...

Long story short: If you think input problems should be investigated to detect possible bugs, do it for all input problems, and use proper error messages instead of cryptic PHP notices.
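
One way to report all input problems with meaningful messages, as the post above suggests; this is an added example, not code from the thread. The name `input_problems()`, the field limits, the option list and the sample requests are assumptions (the posted form sets no length limits).

```php
<?php
// Added example (not from the thread). input_problems() is an illustrative
// name; the field limits and the option list are assumptions.

const TEXT_LIMITS  = ['fname' => 50, 'lname' => 50, 'comments' => 1000];
const SEEN_OPTIONS = ['yes', 'no'];

/**
 * List everything about a request that the rendered form could not have
 * produced. These are not user mistakes (an empty required field is one);
 * they point at a broken template, a bot, or a hand-built request.
 *
 * @return string[] one message per problem, naming the parameter
 */
function input_problems(array $post): array
{
    $problems = [];

    foreach (TEXT_LIMITS as $name => $limit) {
        if (!array_key_exists($name, $post)) {
            // Browsers send text fields even when empty, so absence is abnormal.
            $problems[] = "No POST parameter \"$name\" provided (missing form field?)";
        } elseif (!is_string($post[$name])) {
            // e.g. fname[]=x arrives as an array
            $problems[] = "POST parameter \"$name\" is not a string";
        } elseif (strlen($post[$name]) > $limit) {
            $problems[] = "POST parameter \"$name\" exceeds the field limit of $limit bytes";
        }
    }

    // An unselected radio group is simply not sent, so absence is a user
    // error handled by validation. A value outside the options is not.
    if (array_key_exists('seen', $post) && !in_array($post['seen'], SEEN_OPTIONS, true)) {
        $problems[] = 'POST parameter "seen" does not match any of the options';
    }

    return $problems;
}

// Constructed sample requests so the script runs from the command line.
$samples = [
    'form as rendered' => ['fname' => 'Joe', 'lname' => '', 'comments' => '', 'seen' => 'no'],
    'lname removed'    => ['fname' => 'Joe', 'comments' => ''],
    'hand-built'       => ['fname' => ['x'], 'lname' => str_repeat('A', 51), 'comments' => '', 'seen' => 'maybe'],
];

foreach ($samples as $label => $post) {
    echo "--- $label ---\n";
    foreach (input_problems($post) as $problem) {
        // Raised as a warning so it stands out from routine notices in the log.
        trigger_error($problem, E_USER_WARNING);
    }
}
```

The first sample produces no warnings even though `lname` is empty: that case belongs to the user-facing validation, not the log.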

Aaarg!

Forget everything I said about the index errors. I shouldn't have even been seeing it. That whole part of the thread is moot and explains why I was thinking we were not quite on the same page. We were kinda having two different conversations.

 

I was mistakenly doing if field empty set var=. Should have been if field !empty set var=. Doing it !empty as it should have been in this case has the same effect as the parameter not existing at all, coded error gets set either way and script halts.

 

My normal code pattern is if field false, set error, stop script after all checks run. Quickoldcar was doing if field true set var to post param. I never set vars to a straight POST params unless it has changed for some reason. That's what threw me off.

 

IMO that formula is no good. For one, you are setting pointless variables to POST parameters that haven't changed, and second, if there is just one parameter error, a whole bunch of already useless variables have been set for no reason.

 

I believe the proper flow would be:

  • Trim the POST array in one step
  • Check for empty required fields (has the exact effect if field doesn't exist at all)
  • if error add to error array, halt with user friendly errors from array, else continue
Edited by benanamen

 

Aaarg!

Forget everything I said about the index errors. I shouldn't have even been seeing it. That whole part of the thread is moot and explains why I was thinking we were not quite on the same page. We were kinda having two different conversations.

 

I was mistakenly doing if field empty set var=. Should have been if field !empty set var=. Doing it !empty as it should have been in this case has the same effect as the parameter not existing at all, coded error gets set either way and script halts.

 

My normal code pattern is if field false, set error, stop script after all checks run. Quickoldcar was doing if field true set var to post param. I never set vars to a straight POST params unless it has changed for some reason. That's what threw me off.

 

IMO that formula is no good. For one, you are setting pointless variables to POST parameters that haven't changed, and second, if there is just one parameter error, a whole bunch of already useless variables have been set for no reason.

 

I believe the proper flow would be:

  • Trim the POST array in one step
  • Check for empty required fields (has the exact effect if field doesn't exist at all)
  • if error add to error array, halt with user friendly errors from array, else continue

 

There are piles of ways you can go about it, that's what is great about programming.

I don't see a reason to halt when it sees any errors, it's just not doing anything with the data yet. Values are saved in the form and the user can edit or fill in and resubmit the form.

I set the variables so they can be inserted into the form; only if they are set and not blank does it change, otherwise it is still blank and adds to the error array.

There are piles of ways you can go about it, that's what is great about programming.

 

Funny you should say that. I have been learning Python the last couple weeks and there is only one way to do it which I am really liking. I have always thought that there were too many ways to do the same thing in PHP and it should just be one way. On several forums I started a post to see how many ways you could output the standard "Hello World!". There are over a hundred different ways. So it really depends on how you look at it as to whether it is great or not.

 

As far as retaining the correct form values when there is an error, you still can without creating the extra variables like so.

value="<?= !empty($_POST['field']) ? htmlspecialchars($_POST['field']) : '' ?>"

When I said halt the script, I meant the same thing as you.

Edited by benanamen