[Resolved] form w/ register_globals = off

hi-liter

With register_globals = on, passing the variables from a form is very easy, but i understand the security issues with global variables, and therefore do not wish to use them.

My question is what is the best way to code w/o global variables for forms?

Below is an example that works with register_globals = on:

<?php
// a.php
//how do i accomplish this without register_globals = on?
if (!isset($submit)) {
echo ("
<form action='a.php' method='post'>
<input type='text' name='foo'>
<input type='submit' name='submit' value='Submit'>
</form>
");
}
else {
echo ("
You entered ''$foo''.
<form action=javascript:history.back(-1);>
<input type=submit value=back>
</form>
");
}
?>

I've read the posts here regarding $POST, but it seems they are for individual fields ($POST["form_text_box_name"]), what about the entire form?

I'm running Apache 2.0.43 with PHP 4.2.3 on Win XP Pro, SP1.

Any comments are welcome. Thank you.

raymie

$_POST is the superglobal for all POST variables.

With register globals on your example would generate two related variables

$_POST['foo'] and $foo

with register globals off the $foo one is not populated, this is to prevent someone skipping the form page and going directly to your second page passing in the value of $foo via a GET variable instead.

All you need to do in your example is replace $foo with $_POST['foo'] and the same would apply to any other variables formally passed via the POST method.

Hope that this helps.

hi-liter

Thank you raymie, that makes a lot of sense.

$_POST[foo] appears to work, though it initially gives an error message (as I think with globals off, my checking for if(!isset($submit)) is not working as well);

Notice: Use of undefined constant foo - assumed 'foo' in C:\apache\dev\htdocs\a.php on line 17

My code never makes it to the "else" section...

<?php
// a.php
// register_globals = Off in php.ini

$process = $_SERVER['PHP_SELF'];

if (!isset($Submit)) {
echo ("
<form action='$process' method='post' name='form'>
<input type='text' name='foo'>
<input type='submit' value='Submit'>
</form>
");

	$_POST[foo]; // test

}
else {
echo ("
You entered ''$_POST[foo]''.
");
}
?>

I will look into modifying the if(!isset($submit)) part.

Thanks for you help btw.

driverdave

Notice: Use of undefined constant foo - assumed 'foo' in C:\apache\dev\htdocs\a.php on line 17

Quote foo. PHP assumes you are trying to use a constant named foo if it's not quoted, which is why it's telling you it assumes string foo.

hi-liter

i get a very similar error messg. if i quote foo:

echo $POST["foo"];
or
echo $POST['foo'];

Notice: Undefined index: foo in C:\apache\dev\htdocs\a.php on line 17

register_globals = off (don't want to use them).

right now my main issue seems to be the if(!isset($submit)) part, or my lack of knowledge in programming. ugh. the page upon submit doesn't seem to be going to the else. $submit doesn't seem to be there (no globals no $submit??) that's what i'm thinking.

thanks tho for the input.

raymie

Try adding a call to the following function at the top of the page receiving the post variables.

By the way, what version of PHP are you using?...

function showpost ()
{
	echo "<table border=1>";
	foreach ($_POST as $key => $value)
	{
	    echo "<tr><td>$key</td><td>&nbsp;$value</td></tr>";
	}
	echo "</table>";
}

hi-liter

Thanks for the tip raymie, I will try that soon as I can.

I'm running PHP 4.2.3 with Apache 2.0.43 on Win XP Pro, SP1.

raymie

The function will show you all the defined post variables. You can also use $GET and $SESSION etc..

BTW

the

isset($submit)

can be replaced with

isset($_POST['submit'])

hi-liter

raymie,

thank you for your assistance.

$POST['submit'] combined with $POST[foo] was the ticket. I had broken the form into a.php and b.php with a.php posting to b and the variable was showing, so knew it was the "old" way of checking to see if submit was true.

The following works with globals off.

<?php
// a.php
// register_globals = Off in php.ini

$process = $_SERVER['PHP_SELF'];

if(!isset($_POST['submit'])) {
echo ("
<form action='$process' method='post'>
<input type='text' name='foo' value=''>
<input type='submit' value='submit' name='submit' value='submit'>
</form>
");

}
else {

	echo (" 
	You entered ''$_POST[foo]''. 
	");

}
?>

</body>
</html>

Thanks again.