I am a beginner, trying to experiment with different aspects of PHP.

 

I have the notion that everything is more secure if everything is in php, and nothing is in html.

 

Perhaps I am mistaken in my understanding.

 

I would appreciate hearing some opinions on this issue.

 

But, because I believe that everything would be more secure in php, I am trying to take an html form, and find a way to ECHO it in php.

 

It is an example form that I found in google.  It works just fine as HTML, and it is a submit to a php script which will receive the data through $POST.

 

But, I am trying to build all the HTML in $form and then echo it.

 

I am not having much success.

 

What is lacking in what I am doing?

 

Please don't ask me what I really want to do, or suggest some other method.  This is just a learning exercise for me.

 

I want to know if an entire site could be done in php, with no HTML.

 

Take a look at this code and explain to me how it might be possible in php to build all the HTML in a string variable such as $form and echo it.  It just now occurs to me that perhaps $FORM is a reserved word.

 

Perhaps that is the source of my problem.

 

Anyway, thanks for any help, advice, examples.

 

 

<html>
<body>
<?php
// Build the page markup in one string, then echo it once at the end.
// Every double quote inside a double-quoted PHP string must be written as \"
// and each statement ends with a single semicolon.
$form = "<html><body>";
$form = $form .  "<form action=\"livereg.php\" method=\"post\">";
$form = $form .  "<table width=\"100%\" border=\"0\"><tr>";
$form = $form .  "<td width=\"300\">Username ( Min 6 chars ):</td>";
$form = $form .  "<td width=\"300\" > <input type=\"text\" name=\"username\" size=\"32\"> * </td>";
$form = $form .  "</tr><tr><td>Password ( Min 6 chars ):</td>";
$form = $form .  "<td><input type=\"password\" name=\"password\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Retype Password:</td><td><input type=\"password\" name=\"password2\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Your Email:</td><td><input type=\"text\" name=\"email\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Your Full Name:</td><td><input type=\"text\" name=\"name\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Your Domain:</td><td><input type=\"text\" name=\"domain\" size=\"32\"></td>";
$form = $form .  "</tr><tr><td>Your ZIP Code:</td><td><input type=\"text\" name=\"zip\" size=\"5\"> *</td></tr>";
$form = $form .  "<tr><td height=\"21\">Your City:</td><td><input type=\"text\" name=\"city\" size=\"32\"> *</td> <!-- In this textbox the user will insert his City --></tr><tr><td>State/Province:</td><td><input type=\"text\" name=\"state\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Country:</td><td><input type=\"text\" name=\"country\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Address:</td><td><input type=\"text\" name=\"address\" size=\"32\"> *</td>";
$form = $form .  "</tr><tr><td>Phone:</td><td><input type=\"text\" name=\"phone\" size=\"32\"></td>";
$form = $form .  "</tr><tr><td> </td><td><input type=\"submit\" value=\"Register\" name=\"submit\"></td>";
$form = $form .  "</tr></table></form></body></html>";

echo($form);

?>
</body>
</html>

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/
Share on other sites

try

 

echo $form;

or

print($form);

 

 

 

As for what you're doing, it is no more secure than html, as all you're really doing is getting php to parse an html page!

An html page would work just as well.

 

Here's a little snip of code to play with

(change the

$access = true;

to

$access = false;

)

 

<?php
$access = true;
if($access)
{
echo "your inn";
}else{
echo "Go away";
}
?>

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287227
Share on other sites

Thanks, MadTechie,

 

I guess the answer is that I am mistaken in my notion that php is more secure than html.

 

I somehow assumed that a script in php would not be readable to a hacker, while an html script could be more easily read, and it would give hints to the hacker.

 

I really like PHP and MySQL, but I am haunted by the notion that no matter WHAT I do, it will not keep a  hacker out. Not that the information I have is so sensitive or valuable.

 

And if I find a login script that is supposed to be complete, then I discover that it makes calls to PEAR, and I can't put PEAR in my Yahoo Business site.

 

I even posted a question about the security of a folder that is password protected, together with a simple session login, and people reply as though all that too can be hacked.

 

I can't understand how the world can do serious business with PHP and MySQL if it is so vulnerable.

 

And it seems like a site which is secure has some very high paid, high powered guru, doing all kinds of complex coding. If this is true, then that means that secure php and mysql is not available to the average simple user, but only to the highly advanced user, or the user who has fistfuls of money to throw at developers.

 

I read about security techniques involving .htaccess , and placing code OUTSIDE or ABOVE the root.

 

Yahoo! Business sites do not allow .htaccess files to be uploaded or created, and one does not have access to any area outside the site's root.

 

 

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287236
Share on other sites

Firstly, if you want a webpage to display something, then of course, someone has to be able to see what it is displaying. I wonder if your confusion lies with the thought that if you have a page, which has, say:

 

<?php
$password= 'your password';
?>

 

As contents, then someone would be able to view this file and see that exact text. If so, then that's not the case. As long as this is in a php file and the server is parsing php files, then a user would see nothing - as nothing is output to the browser. The only way for someone to see this, would be if they had access to your server, in which case, you have far more serious problems :P

 

Perhaps one more example:

 

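<?php
$password = 'your password';
// Read the supplied value; default to an empty string when the parameter is missing
$supplied_password = isset($_GET['password']) ? $_GET['password'] : '';
// Compare with === (a single = would assign, and the test would pass for any non-empty input)
if($password === $supplied_password){
echo "correct password";
}else{
echo "incorrect password";
}
?>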

 

Someone viewing this page would see either the text "correct password" or "incorrect password" depending on what password they passed to the page.

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287237
Share on other sites

Thanks Gingerrobot,

 

Yes I AM UNDER THE IMPRESSION that people cannot see things in a php script, but that they CAN see things in HTML, which is why I was trying to do everything in php, including echo $formcode containing all the html. But I could not get it to work.

 

I guess it is foolish for me to try to avoid html and do everything in php.

 

Here is the tutorial I was working on which started all my questions about php and echo and html.

 

http://www.tutorialstream.com/tutorials/html/user-registration-system/

 

It looks like a useful tutorial, which shows you how to collect info in HTML and pass it to php for processing.

 

But when I ran the first script as is, the //comment lines displayed in the browser.

That got me to wondering how one might put it in php so that the comments would be honored as comments.

 

Anyway, I deleted all the comments, and the html page works fine.

 

I guess the moral to the story is that it does not matter if people can see your html script, so long as it does not reveal passwords, etc.

 

I keep asking people here about the security of the password that can be placed on a folder at a website.  Is THAT terribly vulnerable to hacker attack?  Because what I am doing does not require the general public to be able to visit and register.  I can have only 50 users, and manually provide them with logins to the folder.  And then, in the folder the scripts would have a session login, and each page would be protected by checking for the session login.  How secure would such an application be, with folder password, and session password?

 

It is depressing to think that nothing is foolproof and everything is vulnerable to attack.

 

Thanks!

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287302
Share on other sites

I took a look at the website - god knows what the whole comment thing they are doing is. Apparently they are trying to mix php comments with HTML. You CAN comment in html:

 

<!--comment here -->

Although, of course, someone can see these comments by viewing the source. As far as php is concerned, a user cannot see anything that is being parsed by php. They can only see what is sent to the browser.

 

As for your second question, it's all a matter of how you store the passwords etc, and making sure you validate users properly. If you, for example, stored all of the passwords for a user in a text file that was accessible from the web, then it would be vulnerable. If you stored the passwords as variables in a php file, or in a database, then the storage is not vulnerable. You must also remember to check all data provided by the user, in case there are any nasty people out there trying to gain access to your system without authorization.

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287309
Share on other sites
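
An added example (not part of the thread) of the two checks discussed in the replies above: comparing a submitted password against a stored hash rather than a plain-text variable, and guarding each page with a session login. The sample account, the `login.php` name and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample account store: username => password hash.
// A real hash is created once at account creation and saved; it is
// computed here only so that this file runs stand-alone.
function sample_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice01' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Throwaway hash so an unknown username costs the same work as a known one.
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    return $hash;
}

// True only when the username exists and the password matches its hash.
function check_login(string $username, string $password): bool
{
    $users = sample_users();
    $known = array_key_exists($username, $users);
    $ok = password_verify($password, $known ? $users[$username] : dummy_hash());
    return $known && $ok;
}

// Login handler: credentials arrive by POST, never in the URL.
// Requires an active session (session_start() already called).
function handle_login(array $post): string
{
    $username = is_string($post['username'] ?? null) ? $post['username'] : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    if (!check_login($username, $password)) {
        return 'incorrect password';
    }
    session_regenerate_id(true);      // new session ID on login (prevents fixation)
    $_SESSION['user'] = $username;
    return 'correct password';
}

// Call at the top of every protected page, after session_start().
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php'); // hypothetical login page
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run with constructed inputs.
    var_dump(check_login('alice01', 'correct horse battery'));
    var_dump(check_login('alice01', 'wrong'));
    var_dump(check_login('nobody', 'anything'));
} else {
    session_start();
    echo handle_login($_POST);
}
```

The source file never contains the password itself, so a leaked copy of the script or the account store does not hand over working credentials.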

Hey,

 

On the topic of echoing HTML vs. completely separating html from php, are there any advantages to doing one over the other?

 

For example:

 

Is <?php echo("<div>Hello my name is $name</div>"); ?> better than <div>Hello my name is <?php echo($name); ?></div>?

 

I always tend to use the first option but really only because I got into the habit of doing it. What do you guys use and why?

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287333
Share on other sites

Well, on the face of it, there is no difference. However, I believe that echoing the HTML will be slower, as php has to parse the entire string for variables etc. Whether or not there is any difference in speed and server usage between echoing something in single quotes (php does not parse this, hence why you cannot echo variables inside single quotes) and exiting php and typing your HTML, I've no idea.

 

As for what I do, if it's mainly html that I'm displaying, I'll exit from php - saves worrying about escaping quotes etc, whereas if what I'm displaying is fairly short, and has lots of variables in it, then I'll stay in php and echo. Seems easiest this way to me. Just personal preference though.

 

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287363
Share on other sites

GingerRobot:

 

As I proceed further in the above tutorial link, I find that the php script that is called, livereg.php, has many problems.  I got the html portion to work by removing all the // comments.  Next, I have it call a small php script, testit.php, in which I test to see that I can access several of the $POST parameters.

 

<!-- <form action="livereg.php" method="post"> -->
<form action="testit.php" method="post"> 

<table width="100%" border="0">
<tr>
    <td width="300">Username ( Min 6 chars ):</td>
    <td width="300" > <input type="text" name="username" size="32"> * </td>
</tr>
<tr>
    <td>Password ( Min 6 chars ):</td>
    <td><input type="password" name="password" size="32"> *</td>
</tr>
<tr>
    <td>Retype Password:</td>
    <td><input type="password" name="password2" size="32"> *</td>
</tr>
<tr>
    <td>Your Email:</td>
    <td><input type="text" name="email" size="32"> *</td>
</tr>
<tr>
    <td>Your Full Name:</td>
    <td><input type="text" name="name" size="32"> *</td>
</tr>
<tr>
    <td>Your Domain:</td>
    <td><input type="text" name="domain" size="32"></td>
</tr>
<tr>
    <td>Your ZIP Code:</td>
    <td><input type="text" name="zip" size="5"> *</td> 
</tr>
<tr>
    <td height="21">Your City:</td>
    <td><input type="text" name="city" size="32"> *</td> 
</tr>
<tr>
    <td>State/Province:</td>
    <td><input type="text" name="state" size="32"> *</td> 

</tr>
<tr>
    <td>Country:</td>
    <td><input type="text" name="country" size="32"> *</td>

</tr>
<tr>
    <td>Address:</td>
    <td><input type="text" name="address" size="32"> *</td>

</tr>
<tr>
    <td>Phone:</td>
    <td><input type="text" name="phone" size="32"></td>

</tr>
<tr>
    <td> </td>
    <td><input type="submit" value="Register" name="submit"></td> 
</tr>
</table>
</form>



 

<html>
<head>
        
<title>Untitled</title>

</head>
<body>

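<?php
// Read the submitted fields; default to '' when a field is missing
$user = isset($_POST['username']) ? $_POST['username'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';

// Escape before output so submitted markup is shown as text, not run by the browser
echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
echo "<br />";

echo htmlspecialchars($pass, ENT_QUOTES, 'UTF-8');
echo "<br />";

echo("Hello!");
echo "<br />";
?>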

</body>
</html>


 

 

I suppose this simple type of input form and php processing would make it difficult to validate data.

 

I do have SAMS Teach Yourself PHP... by Julie Meloni.  Ch. 18 has all the code to create an online address book. The data entry script is one of those PHP_SELF scripts that keeps invoking itself.

 

I guess my question is the best type of script to allow for editing the data, and inserting it into the table only when it is correct.

 

Does the info in $_POST persist indefinitely, regardless of how many times the script calls itself, to allow for editing & error prompts?  And if it DOES persist, then what does one do to clear it out?

 

I suppose one could have different scripts call each other during the edit process, if there is one place where the data is held/shared.  I suppose one could use a mysql table for that also.

 

 

Thanks!

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287556
Share on other sites

After searching in Google for ABOUT AN HOUR, I finally found this code which is a fairly straightforward example of a type of form validation. I must say I am shocked to discover that it is so difficult to find such basic tutorial examples.  I would think they would be easier to find.

 

Now, I just need to study it and make certain I understand what is going on in the logic (what makes it work).

 

<html>
<body>

<h3>PHP User Registration Form Example</h3>

<?
// only validate form when form is submitted
if(isset($_POST["submit_button"])){
$error_msg='';
if(trim($_POST["username_input"])=='' || strlen(trim($_POST["username_input"])) < 6 || strlen(trim($_POST["username_input"])) > 15) {
	$error_msg.="Please enter a username between 6 to 15 characters long<br>";
}
if(trim($_POST["password_input"])=='' || strlen(trim($_POST["password_input"])) < 4) {
	$error_msg.="Please enter a password at least 4 characters long<br>";
}
if(trim($_POST["email_input"])=='') {
	$error_msg.="Please enter an email<br>";
} else {
	// check if email is a valid address in this format username@domain.com
	if(!ereg("[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]", $_POST["email_input"])) $error_msg.="Please enter a valid email address<br>";
}

// display error message if any, if not, proceed to other processing
if($error_msg==''){
	// other process here
} else {
	echo "<font color=red>$error_msg</font>";
}
}
?>

<form method="POST" action="registration.php">
<table border="1" cellpadding="7" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
  <tr>
    <td width="16%" align="right">First Name</td>
    <td width="84%">
    <input type="text" name="first_name_input" size="20" value="<? echo $first_name_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right">Last Name</td>
    <td width="84%">
    <input type="text" name="last_name_input" size="20" value="<? echo $last_name_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right">Username</td>
    <td width="84%">
    <input type="text" name="username_input" size="20" value="<? echo $username_input; ?>"> (between
    6 to 15 characters)</td>
  </tr>
  <tr>
    <td width="16%" align="right">Password</td>
    <td width="84%">
    <input type="password" name="password_input" size="20" value="<? echo $password_input; ?>">
    (must be at least 4 characters)</td>
  </tr>
  <tr>
    <td width="16%" align="right">Email</td>
    <td width="84%">
    <input type="text" name="email_input" size="20" value="<? echo $email_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right"> </td>
    <td width="84%">
    <input type="submit" value="   Register   " name="submit_button"></td>
  </tr>
</table>
</form>

</body>
</html>

 

I saved this code with the name registration.php.  As a beginner, I get confused about when to save as .php and when to save as .html.  But this works when saved as .php

 

I see at the top of the code that the validation only executes AFTER the submit button has been clicked

 

if(isset($_POST["submit_button"]))

 

I am not quite certain I understand HOW the button is set with a value, or what that value contains.

 

I can see how error.msg is built up with each test, for display later.

 

I see how the form method is POST and it is NOT a PHP_SELF

 

I see how the value of each field is an echo of the $value captured at some point, so that the form persists until all fields have been corrected.

 

What I am having a HARD TIME seeing (understanding) is how the fields entered, such as

<input type="password" name="password_input" size="20" value="<? echo $password_input; ?>">

get assigned to the $POST variables.  I guess that is just automatic when you define a form as POST.

 

 

I find the following confusing:

 

if($error_msg==''){
	// other process here
} else {
	echo "<font color=red>$error_msg</font>";
}

 

OK, if there are no errors, then there is a place for further processing, if you need it.

But WHEN does the submit button actually pass control over to the program being called?

 

Now I just HAPPENED to save this as registration.php. So does that mean it is calling itself each time, and working just like php_self?  I guess it DOES mean that, because I just now changed the ACTION name to registration2.php, and when I click submit, it says program not found.

 

So, what is the difference between making it a PHP_SELF, and simply having the ACTION reload the program?  And, I guess this means that the $POST variable persists, so how does one reset it?

 

And when there are finally no more errors, then does one simply use the php code in the first part to simply jump to another program or menu?

 

These are some of my beginner's questions.

 

Thanks!

 

 

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287585
Share on other sites
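
An added example, not code from the thread or from the tutorial it quotes: the same validation rules, with the form built in a PHP string (what the opening post set out to do) and every redisplayed value escaped. It reads fields from `$_POST` rather than from auto-created variables such as `$username_input`, uses `filter_var()` in place of `ereg()` (removed in PHP 7), and never echoes the password back; the function names and the sample submission are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for HTML text or a quoted attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One request field as a trimmed string ('' if absent or not a string).
function field(array $post, string $name): string
{
    $v = $post[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Same rules as the posted form: username 6-15 chars, password >= 4, valid email.
function validate_registration(array $post): array
{
    $errors = [];
    $len = strlen(field($post, 'username_input'));
    if ($len < 6 || $len > 15) {
        $errors[] = 'Please enter a username between 6 to 15 characters long';
    }
    if (strlen(field($post, 'password_input')) < 4) {
        $errors[] = 'Please enter a password at least 4 characters long';
    }
    $email = field($post, 'email_input');
    if ($email === '') {
        $errors[] = 'Please enter an email';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address';
    }
    return $errors;
}

// Build the whole form in a string; every dynamic value goes through e().
function render_form(array $post, array $errors): string
{
    $labels = [
        'first_name_input' => 'First Name',
        'last_name_input'  => 'Last Name',
        'username_input'   => 'Username',
        'password_input'   => 'Password',
        'email_input'      => 'Email',
    ];
    $form = '';
    foreach ($errors as $msg) {
        $form .= '<p style="color:red">' . e($msg) . "</p>\n";
    }
    $form .= "<form method=\"post\" action=\"registration.php\">\n<table>\n";
    foreach ($labels as $name => $label) {
        $isPassword = ($name === 'password_input');
        $type  = $isPassword ? 'password' : 'text';
        $value = $isPassword ? '' : field($post, $name);  // never send a password back
        $form .= '<tr><td>' . e($label) . '</td><td><input type="' . $type
               . '" name="' . e($name) . '" size="20" value="' . e($value) . "\"></td></tr>\n";
    }
    $form .= "<tr><td></td><td><input type=\"submit\" value=\"Register\" name=\"submit_button\"></td></tr>\n";
    $form .= "</table>\n</form>\n";
    return $form;
}

// Constructed sample submission: the username contains markup that would
// close the value="..." attribute if it were echoed without escaping.
$sample = [
    'submit_button'  => 'Register',
    'username_input' => '"><b>x</b>',
    'password_input' => 'abc',
    'email_input'    => 'not-an-email',
];

// From the command line use the sample; under a web server use the real request.
$post   = (PHP_SAPI === 'cli') ? $sample : $_POST;
$errors = isset($post['submit_button']) ? validate_registration($post) : [];
echo render_form($post, $errors);
```

In the output the username appears as `&quot;&gt;&lt;b&gt;x&lt;/b&gt;` inside the `value` attribute, so the browser shows it as text in the field instead of treating it as markup.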

I just now did an interesting experiment to answer some of my questions about $_POST persistence.

 

First, I saved the above PHP User Registration Form Example as post1.php

 

I changed the SUBMIT to post2.php, which successfully retrieved the $_POST variables. But when that program called post3.php, the $_POST variables were null.

 

But bear in mind that post2.php and post3.php were not FORM/SUBMIT types.

 

Next, I copied post1.php as post1a.php, and changed the SUBMIT in post1.php to post1a.php.

Then I copied post1a.php as post1b.php, and changed the SUBMIT in post1a.php to invoke post1b.php.

In turn, post1b.php when submitted invokes post1a.php.  I changed the heading titles to include the program name, so I could tell what the current browser was displaying.  Sure enough, the $_POST variables persist no matter how many times I bounce back and forth between post1a.php and post1b.php.

 

Now, it seems that if my FORM/POST submits to a php script which is not a FORM/POST/SUBMIT type, then the $_POST variables are accessible to it, but once it jumps to some other php script, then the $_POST variables are reset.

 

There must be some function or command to reset $_POST explicitly.

 

My next experiment will be to have post1.php invoke post2.php, which will simply get and display the $_POST variables, and then RETURN to post1.php, to see if those variables persist.

What I discover now, doing THIS experiment, is that the $_POST variables do NOT persist when I return from post2.php to post1.php.

 

post1.php

<html>
<body>

<h3>PHP User Registration Form Example</h3>

<?
// only validate form when form is submitted
if(isset($_POST["submit_button"])){
$error_msg='';
if(trim($_POST["username_input"])=='' || strlen(trim($_POST["username_input"])) < 6 || strlen(trim($_POST["username_input"])) > 15) {
	$error_msg.="Please enter a username between 6 to 15 characters long<br>";
}
if(trim($_POST["password_input"])=='' || strlen(trim($_POST["password_input"])) < 4) {
	$error_msg.="Please enter a password at least 4 characters long<br>";
}
if(trim($_POST["email_input"])=='') {
	$error_msg.="Please enter an email<br>";
} else {
	// check if email is a valid address in this format username@domain.com
	if(!ereg("[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]", $_POST["email_input"])) $error_msg.="Please enter a valid email address<br>";
}

// display error message if any, if not, proceed to other processing
if($error_msg==''){
	// other process here
} else {
	echo "<font color=red>$error_msg</font>";
}
}
?>

<form method="POST" action="post1a.php">
<table border="1" cellpadding="7" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
  <tr>
    <td width="16%" align="right">First Name</td>
    <td width="84%">
    <input type="text" name="first_name_input" size="20" value="<? echo $first_name_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right">Last Name</td>
    <td width="84%">
    <input type="text" name="last_name_input" size="20" value="<? echo $last_name_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right">Username</td>
    <td width="84%">
    <input type="text" name="username_input" size="20" value="<? echo $username_input; ?>"> (between
    6 to 15 characters)</td>
  </tr>
  <tr>
    <td width="16%" align="right">Password</td>
    <td width="84%">
    <input type="password" name="password_input" size="20" value="<? echo $password_input; ?>">
    (must be at least 4 characters)</td>
  </tr>
  <tr>
    <td width="16%" align="right">Email</td>
    <td width="84%">
    <input type="text" name="email_input" size="20" value="<? echo $email_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right"> </td>
    <td width="84%">
    <input type="submit" value="   Register   " name="submit_button"></td>
  </tr>
</table>
</form>

</body>
</html>

 

 

post1a.php

<html>
<body>

<h3>PHP User Registration Form Example POST1A</h3>

<?
// only validate form when form is submitted
if(isset($_POST["submit_button"])){
$error_msg='';
if(trim($_POST["username_input"])=='' || strlen(trim($_POST["username_input"])) < 6 || strlen(trim($_POST["username_input"])) > 15) {
	$error_msg.="Please enter a username between 6 to 15 characters long<br>";
}
if(trim($_POST["password_input"])=='' || strlen(trim($_POST["password_input"])) < 4) {
	$error_msg.="Please enter a password at least 4 characters long<br>";
}
if(trim($_POST["email_input"])=='') {
	$error_msg.="Please enter an email<br>";
} else {
	// check if email is a valid address in this format username@domain.com
	if(!ereg("[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]", $_POST["email_input"])) $error_msg.="Please enter a valid email address<br>";
}

// display error message if any, if not, proceed to other processing
if($error_msg==''){
	// other process here
} else {
	echo "<font color=red>$error_msg</font>";
}
}
?>

<form method="POST" action="post1b.php">
<table border="1" cellpadding="7" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
  <tr>
    <td width="16%" align="right">First Name</td>
    <td width="84%">
    <input type="text" name="first_name_input" size="20" value="<? echo $first_name_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right">Last Name</td>
    <td width="84%">
    <input type="text" name="last_name_input" size="20" value="<? echo $last_name_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right">Username</td>
    <td width="84%">
    <input type="text" name="username_input" size="20" value="<? echo $username_input; ?>"> (between
    6 to 15 characters)</td>
  </tr>
  <tr>
    <td width="16%" align="right">Password</td>
    <td width="84%">
    <input type="password" name="password_input" size="20" value="<? echo $password_input; ?>">
    (must be at least 4 characters)</td>
  </tr>
  <tr>
    <td width="16%" align="right">Email</td>
    <td width="84%">
    <input type="text" name="email_input" size="20" value="<? echo $email_input; ?>"></td>
  </tr>
  <tr>
    <td width="16%" align="right"> </td>
    <td width="84%">
    <input type="submit" value="   Register   " name="submit_button"></td>
  </tr>
</table>
</form>

</body>
</html>

 

 

post2.php

 

<html>
<head>
        
<title>Untitled</title>

</head>
<body>

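<?php
// Read the submitted fields; default to '' when a field is missing
$user = isset($_POST['username_input']) ? $_POST['username_input'] : '';
$pass = isset($_POST['password_input']) ? $_POST['password_input'] : '';

// Escape before output so submitted markup is shown as text, not run by the browser
echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
echo "<br />";

echo htmlspecialchars($pass, ENT_QUOTES, 'UTF-8');
echo "<br />";

echo("Hello!");
echo "<br />";
?>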
<a href="post3.php">post1.php</a>
</body>
</html>

 

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287597
Share on other sites

I just had an idea of one way to pass parameters which persist between many different scripts

 

When a user logs into a session

 

one can access the session_id()  which should be unique.

 

That could be stored in a MySQL table called, let's say, parameters. You could have a field for each parameter that you need for your application.  As someone moves from script to script, each script uses the session_id to retrieve the parameters.

 

The funny thing is that just now I read up on global variables, which were turned off at a certain point by the php community, and superglobals.  Well, if one were to implement some proprietary scheme using a mysql table, then you would not have to worry about choosing a feature which would one day be disabled.

 

Also, you would have an audit trail, if you wanted, of what the user had done during each session. Or if you didn't want that, then you could delete the row during logout.

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-287600
Share on other sites

I will continue to search for php_self validation scripts, until I feel I have a model that I am comfortable working with.

 

This link seems very helpful, and answers some of my questions about the persistence of variables.

 

http://www.hosting.vt.edu/tutorials/phpmysql/#validation

 

Notice that it even mentions the idea of using a mysql database as a repository for persistent variables.

 

Excerpt:

 

Making data persistent

 

The HyperText Transfer Protocol "has a bad memory" (HTTP is a so-called stateless protocol). When a PHP script receives data from an HTML form, this data is only available for the duration of the script's execution. This means that by default you can only process the data right after it has been sent but no later. Obviously, this causes problems, for example, when you want your application to "remember" a user's login-ID for the duration of a whole session. There are several ways to address this problem: using hidden HTML form variables, using session management (via cookies and URLs) and using a database. I will not further discuss the use of the HTML tag <input type="hidden"... since it carries many risks to a web application's security (since it can be faked easily).

 

<?php
  // Defaults so the first (non-submitted) page load has defined values
  $error = false;
  $firstname = '';
  $lastname = '';
  if (isset($_POST['submit'])) {
    $firstname = isset($_POST['firstname']) ? $_POST['firstname'] : '';
    $lastname = isset($_POST['lastname']) ? $_POST['lastname'] : '';
    if ( !empty($firstname) && !empty($lastname) ) {
      Header("Location: inputsuccess.php");
      exit; // stop here so the form below is not rendered after the redirect
    }
    else { $error = true; }
  }
?>
...
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
<?php
  if ( $error && empty($firstname) ) {
    echo '<span style="color:red">';
    echo 'Error! Please enter a first name.</span><br>';
  }
?>
  First name: <input name="firstname" type="text" 
    value="<?php echo htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8'); ?>">
  <br>
<?php
  if ( $error && empty($lastname) ) {
    echo '<span style="color:red">';
    echo 'Error! Please enter a last name.</span><br>';
  }
?>
  Last name: 
  <input name="lastname" type="text" value="<?php echo htmlspecialchars($lastname, ENT_QUOTES, 'UTF-8'); ?>">
  <br>
  <br>
  <input type="submit" name="submit" value="Submit">
</form>
...

 

As I examine the above sample code, I think I see an answer to one of my questions, namely, that the php_self keeps loading itself until some line of code jumps to some other program.

 

 

    if ( !empty($firstname) && !empty($lastname) ) {
      Header("Location: inputsuccess.php");
      exit; // stop the script once the redirect header is set
    }
    else { $error = true; }

 

Regarding the use of cookies, I get the feeling that, since not all computers have cookies enabled, therefore, it is better to avoid the use of cookies, and stay with sessions, or mysql.

 

Link to comment
https://forums.phpfreaks.com/topic/57956-html-echoed-from-php/#findComment-288069
Share on other sites
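
An added example (not from the thread or the quoted tutorial) of carrying validated form data from one script to the next in `$_SESSION`, following the redirect pattern in the excerpt above. `$_POST` is rebuilt from each incoming request, so there is nothing to reset; the function names and sample values are assumptions, and `inputsuccess.php` is the target named in the excerpt.

```php
<?php
declare(strict_types=1);

// Start the session. By default PHP carries the session ID in a cookie,
// so the cookie is restricted here (the array form needs PHP 7.3+).
function begin_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not readable from scripts running in the page
        'samesite' => 'Lax',  // not sent with cross-site form posts
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

// Form handler: validate, then keep the clean values on the server.
// Unlike a hidden form field, the browser never gets a chance to alter them.
function remember_names(array $post): bool
{
    $first = is_string($post['firstname'] ?? null) ? trim($post['firstname']) : '';
    $last  = is_string($post['lastname'] ?? null) ? trim($post['lastname']) : '';
    if ($first === '' || $last === '') {
        return false;
    }
    $_SESSION['names'] = ['firstname' => $first, 'lastname' => $last];
    return true;
}

// Any later script: read what the handler stored, or null if nothing is there.
function recall_names(): ?array
{
    return $_SESSION['names'] ?? null;
}

// Clear the stored values when they are no longer needed (for example at logout).
function forget_names(): void
{
    unset($_SESSION['names']);
}

begin_session();

if (PHP_SAPI === 'cli') {
    // Stand-alone run with a constructed submission.
    remember_names(['firstname' => 'Ada', 'lastname' => 'Lovelace']);
    var_dump(recall_names());   // stored values, independent of $_POST
    forget_names();
    var_dump(recall_names());   // nothing left after clearing
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (remember_names($_POST)) {
        header('Location: inputsuccess.php');
        exit;                   // stop so nothing else runs after the redirect
    }
    echo 'Error! Please enter a first name and a last name.';
} else {
    // What inputsuccess.php would do on the following request.
    $names = recall_names();
    echo $names === null
        ? 'Nothing stored.'
        : 'Hello ' . htmlspecialchars($names['firstname'] . ' ' . $names['lastname'], ENT_QUOTES, 'UTF-8');
}
```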
