I am a complete noob to PHP and am working on a largish PHP/MySQL application. My approach to this, while working top-down on the general design, is to write little routines to make sure I have the coding right and also to use as code foundations or library entries for the elements of the final application.
While I can always get something to work, I thought I would take advantage of this forum to show my code and invite comments from others regarding common conventions, security, performance, things like that. I want to go into this project ensuring that I am using best practices across the board.
I am sure I can learn a lot from folks on this board and perhaps other noobs can learn from the commentary my posts generate (if any).
My first snippet is a self-referring form script. I think the comments in the script show what I am trying to do. The script works fine but I know there is no security and am not sure whether I am employing server variables according to best practices.
Noobs should be able to download this code (and the include file) and run it without modification:
<?php
/*
* self-referring_form_no_gets_inc_html.php - by <redneck@goathill.net>
*
* This script demonstrates a self-referring form which does not allow
* attempted GET calls on the script.
*
* If the script is called with the appropriate POST call, the variables
* are passed and displayed. If it is called with no parameters, the form
* for entering the variables is displayed. This form is self-referring,
* ie, it calls itself for processing.
*
* If the script is called with a GET (ie, script.php?id=variable),
* processing is skipped and a message is displayed.
*
*/
require_once('html_tests.php'); // HTML header and footer information

// first we write some HTML:
html_header("Self-referring forms test");

// next we test for user input, starting with any GET variables
if (!$_GET)
{ // okay, no GETs, how about POSTs?
    if (!$_POST)
    { // no POSTs, so show the form
        // note the use of $_SERVER[SCRIPT_NAME] to call the script
?>
<form method="POST" action=<?php echo "\"$_SERVER[SCRIPT_NAME]\"" ?>>
Item Name: <br><input type="text" name="item_name" size=80><br>
Description: <br><textarea name="description" rows=4 cols=80></textarea><br><input type="submit">
</form>
<p>
<?php
    } else { // run this bit if script was called with POST
        echo "There was user input <p>";
        echo "The <em> item_name </em> value is $_POST[item_name]. <br />";
        echo "The <em> description </em> value is $_POST[description] <p>";
    } // end POST if
} else { // run this bit if the script was called with GET
    echo "Cannot use GET.<p>";
} // end GET if

// clean it all up with the HTML footer:
// (html_footer() calls filemtime(), so it needs the filesystem path of the
// script rather than the URL path; the array key must also be quoted here)
html_footer($_SERVER['SCRIPT_FILENAME'], "redneck@goathill.net");
?>
Here's the include file:
<?php
/*
* html_tests.php - by <redneck@goathill.net>
*
* This is a PHP include file for generating HTML headers and footers.
* This particular file is specific to tests scripts written to test
* certain aspects of my PHP application. There are two functions to the
* file, html_header() and html_footer().
*
*/
function html_header($title) { // straightforward header formatting
    echo "<html>\n <head> \n <title> $title </title>\n </head>";
    echo " <body>\n <h1> $title </h1>\n\n";
} // end of function html_header()

function html_footer($scriptpath, $email_address) {
    // The $scriptpath variable is usually the __FILE__ variable passed from
    // the parent script. This includes full path information which is
    // stripped out for use as a filename:
    $scriptname = substr($scriptpath, strrpos($scriptpath,"/") + 1);
    // The full path is handy for getting the file modification timestamp:
    $script_mod_date = date("m/d/y H:i T", filemtime($scriptpath));
    // ...and some colors to brighten things up:
    $date_color = "<font color=\"green\">";
    $file_color = "<font color=\"red\">";
    echo "\n\n <hr noshade>\n";
    echo " The file $file_color $scriptname </font>" .
         " last changed $date_color $script_mod_date</font>.\n";
    // the e-mail address includes a mailto: tag
    echo " <address>\n" .
         " <a href=\"mailto:$email_address\"> $email_address </a>\n" .
         " </address>\n";
    echo " </body>\n</html>"; // close up the HTML page
} // end of function html_footer()
?>
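For comparison, a hardened variant of the self-referring form above, added here as an example and not part of the original post. It checks the request method explicitly, escapes everything it echoes, and ties each POST to a per-session token. The helper `e()`, the `csrf` field and session key, and the length limits are assumptions chosen for illustration; it requires PHP 7 or later and does not use html_tests.php.

```php
<?php
declare(strict_types=1);
// Added example (not the original poster's code). Hypothetical names: e(), 'csrf'.
session_start();

// Escape a value for HTML text and quoted attribute contexts.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One random token per session; every POST must echo it back.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$self   = e($_SERVER['SCRIPT_NAME'] ?? ''); // not PHP_SELF, which includes PATH_INFO
$csrf   = e($_SESSION['csrf']);
$status = 200;

if ($_GET) {                                 // any query string, on any method
    $status = 400;
    $body = "<p>Cannot use GET parameters.</p>";
} elseif ($method === 'POST') {
    $token = $_POST['csrf'] ?? '';
    $name  = $_POST['item_name'] ?? '';
    $desc  = $_POST['description'] ?? '';
    // A client can send item_name[]=x, which arrives as an array: accept strings only.
    if (!is_string($token) || !is_string($name) || !is_string($desc)
        || !hash_equals($_SESSION['csrf'], $token)) {
        $status = 400;
        $body = "<p>Bad request.</p>";
    } elseif ($name === '' || strlen($name) > 80 || strlen($desc) > 2000) {
        $status = 422;
        $body = "<p>Item name is required (max 80 bytes); description max 2000 bytes.</p>";
    } else {
        // Escape at output time; the raw values stay unmodified for later storage.
        $body = "<p>The <em>item_name</em> value is " . e($name) . ".<br>\n"
              . "The <em>description</em> value is " . nl2br(e($desc)) . "</p>";
    }
} elseif ($method === 'GET') {
    $body = "<form method=\"post\" action=\"$self\">\n"
          . "<input type=\"hidden\" name=\"csrf\" value=\"$csrf\">\n"
          . "Item Name:<br><input type=\"text\" name=\"item_name\" size=\"80\" maxlength=\"80\"><br>\n"
          . "Description:<br><textarea name=\"description\" rows=\"4\" cols=\"80\"></textarea><br>\n"
          . "<input type=\"submit\">\n</form>";
} else {
    $status = 405;
    $body = "<p>Method not allowed.</p>";
}
// Status and headers go out before any body output.
http_response_code($status);
header('Content-Type: text/html; charset=UTF-8');
echo "<!DOCTYPE html>\n<html><head><title>Self-referring form</title></head>"
   . "<body>\n$body\n</body></html>\n";
```

If the values are later written to MySQL, store them unescaped through a prepared statement; HTML escaping belongs only at the point of output.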