See if something submitted (best practices 2019)

[StevenOliver]

To execute code on successfully submitting text input, is this "bare minimum" code secure enough?

if(!empty($_POST["textfield_input"])) {
//execute code
}

...or is it best to make sure all 4 of these are confirmed:

if (
($_SERVER['REQUEST_METHOD'] == 'POST') &&
isset($_POST["submit_button_name"] &&
isset($_POST["form_name"] &&
(!empty($_POST["textfield_input"]))
) {
//execute code
}

The html portion is simply:
<form name="form_name" method="post" action="somepage.php">
<input type = "text" name="textfield_input">
<input type="submit" name="submit_ button_name">
</form>

I've searched on the net about this several times, and see different answers, and it looks like each PHP expert has their favorite.... but I would rather know the "best practices" answer to this.

Thank you!!

 

 

Edited November 5, 2019 by StevenOliver

[mac_gyver]

1. detect that a post method form was submitted.
2. trim all input data at once, so that you can detect if all white-space characters were entered (this is the only alteration you should make to the input data.)
3. if more more than one form will submit to the same page, add logic, using your favorite method, to detect a unique field/value from the form, to control which form processing code to execute.
4. validate all input data, storing unique and helpful validation error messages in an array. this array is also an error flag. if the array is empty, there are no errors. if the array is not empty, there are errors.
5. if there are no validation errors, use the submitted form data.

afaik, the form name is not submitted, as the form tag is not an input field.

the submit button may or may not be set, depending on how the form gets submitted and/or which browser is being used, so, don't bother testing it. if you need to distinguish between multiple forms on one page, add a unique key/value as a hidden form field, and detect this in your code.

except for un-checked check boxes and radio buttons, once the form has been submitted, all other form field types will be set, even if they are empty, so there's no point in cluttering up code with isset() statements for these types of fields. you would want to see (during development)/log (on a live/public server) php errors if expected-set form fields are not set, as this indicates either a programming mistake or someone/something submitting their own set of fields.

as an advanced programming subject, dynamically validate and process the submitted form data, by defining an array, with the field names as the array indexes, and an array of elements under each index controlling the validation steps and the type of processing for each field.

none of this has anything to do with security. security is achieved by using data properly in whatever context it is being used in. if used in an sql context, use a prepared query. if used in a html context, apply htmlentities() to the data. if uploading files, store them in a location that is not directly accessible through a http request.

Edited November 5, 2019 by mac_gyver

[StevenOliver]

mac_gyver, thank you! Your answer both answers my question and brings up some good points (e.g. whether a submit button may or may not be set, depending on the browser, etc.). Thank you again!!

[requinix]

- The form is definitely not submitted as a field. Ever. A named form is only useful through Javascript's `document.forms` collection.
- A named submit button is always submitted if that button was used to trigger the submission. That includes clicking it and hitting Enter in most inputs (the first submit button listed in the markup is the one used). Forms serialized through jQuery do not include any buttons, even if the code is running because a button was clicked.
- The code in the first post is incorrect. I don't mean about best practices or security or whatever. It has flaws that were clearly not intended or supposed to be there. Not sure if it was going to be rewritten anyways.

[Barand]

22 minutes ago, requinix said:

That includes clicking it and hitting Enter in most inputs

Tested that with IE, Firefox, Edge and Chrome and that is the case.

I'm pretty sure that older IE versions didn't though.

[requinix]

12 minutes ago, Barand said:

I'm pretty sure that older IE versions didn't though.

Older IE versions didn't do a lot of things they were supposed to.

edit: Technically, hitting Enter to submit a form ("implicit submission") isn't actually an implementation requirement. But it is "strongly encouraged".

Edited November 5, 2019 by requinix

[maxxd]

On 11/5/2019 at 5:58 PM, requinix said:

Older IE versions didn't do a lot of things they were supposed to.

And thankfully, those versions are mostly dead at this point.

Or so I choose to believe, anyway...

[requinix]

8 hours ago, maxxd said:

And thankfully, those versions are mostly dead at this point.

Dead, but not buried: various sources are still giving it 1-9% market share.