Form Action Variable Puzzle

Arc

Hi there. I have a form which i wish to refresh if there is an error in the users information, but i wish to move to a success page is there was no error.

So i am using a Variable to hold the action of what the form should do.

The problem is the form doesn't do what it's supposed to do until a click later. If there is an error the form reposts itself like it is supposed to and displays the error message, but if there was no error, the form still reposts itself. Then if you hit the submit button again, it then goes to the success page like it's supposed to.

So for some reason the variable is not being read untill the second time around, even though the variable is declared before the forms action event.

Here is the code i am using..


<html>
<head>
<title>Credit Application</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<?php
If($btnSubmit){
include("dbconnect.php");
include("validatedata.php");
If($chkAgree == ""){
$Error ="^";
$ErrAgree = "^";
}

If($Error == "^"){
$Action="";
$ErrorMessage = "<div align=\"center\">";
$ErrorMessage .= "<Font size=2 color=\"#FF0000\"><img src=\"images/errorarrow.gif\">One or more of the required fields were not properly filled out.<br></font>"; 
$ErrorMessage .= "<Font size=2 color=\"#FF0000\"><img src=\"images/errorarrow.gif\">Please make changes to the fields highlighted in red and re-submit the form.</font>";
$ErrorMessage .= "<br><img src=\"images/line.jpg\" width=500 height=2>";
$ErrorMessage .= "</div>";
  }else{
  $Action = "success.php";
  }//end if error
  }//end if submit          

?>
<form action="<?php print $Action; ?>" method="POST" name="frmCredit" id="frmCredit">

I can't figure out whythe variable is not being changed until the second time the form is posted... Any help is appreciated!😃

brad_fears

I'm confused about something because I can't see the whole script, but where is $btnSubmit coming from? It doesn't look like you have a value defined for $Action until after the form is posted, because your checking for $btnSubmit first, and if that exists, then you step through the error checking process.

If that's true, then you're not defining a value for the form action. Like I said, I may be missing something...

--Brad Fears

krelian

Why not just use javascript to validate the input fields? Php is a waste IMO.

Arc

Originally posted by brad_fears
I'm confused about something because I can't see the whole script, but where is $btnSubmit coming from? It doesn't look like you have a value defined for $Action until after the form is posted, because your checking for $btnSubmit first, and if that exists, then you step through the error checking process.

If that's true, then you're not defining a value for the form action. Like I said, I may be missing something...

--Brad Fears

I figured out the problem. The Action variable isnt used untill after the form is already submitted, therefore making the way i wanted it to work impossible. I also tried using header(Location🙂 but i got already sent header errors... so i ended up going with the META TAG refresh thing... it's alot less eligant but it works..

Arc

Originally posted by krelian
Why not just use javascript to validate the input fields? Php is a waste IMO.

Well the truth is i dont know enough javascript to do the kind of field validation that i need to do. This form has 53 fields that have to be validated, from Email adresses to zip codes to phone numbers etc...

The way i have it now is, if the error varible for that field is "^" then i turn the text next to that field red so they can easily find which fields were invalid. I'm not even sure that's possible with Javascript.. and if so i'd not know how to do it.

paul088

Try this. Need to change the item after eventForm, e.g., subject, and detail, and alert messages. Add more "if -- return false;" to check more field. Put this between head tags.

</script>

Arc

yah that oes basic empty field checking... what if i need to see if the email address has a "@" and a ".".. or i need to check if a phone number is all numeric or if a zip code is 5 numbers and all numeric etc... It just seems like a reall hastle in javascript... just becasue i dont know enough, plus the users may not have JS enabled.. where would i be then?

Weedpacket

Origianlly posted by krelian]
Why not just use javascript to validate the input fields? Php is a waste IMO.

...And then some bright spark has Javascript turned off on their browser, or forges a form submission, or...

Have prophylactic Javascript running on the client by all means (90% of the time it will speed things up for the user and reduce server load), but basic safety precautions mean having equivalent (or stronger) checks running on the server at least - do you trust everyone else to do your safety checks for you, or do you do them yourself?

Very clever, I must say.

As for why the form is being redisplayed instead of the success page - well, that's exactly what you're asking for: redisplay the form (with the success page as the action).

If you want to redirect the user to the success page in the event of a successful submission, you can go

if([i]successful submission[/i])
{  header('Location: success.php');
  exit;
}
...[i]continue and display form,
with any error messages as appropriate[/i]

One thing this would require is that all the form processing (and possible redirection) will have to be done before any HTML is generated. In other words, this code would have to be right at the very top of the page - otherwise your script will start haemorrhaging errors about "headers already sent". Reasonable enough if you think about it - if you want to give them another page (success.php) why would you be sending them this one?

brad_fears

Well it seems you have the answer to your question. With that out of the way, have you had the register_globals lecture yet? It appears you have them enabled, which is a really bad idea, especially considering how much time you are investing in data validation. It would be a shame for someone to come along and exploit your script.

See the manual for more information about disabling the register_globals directive:

http://www.php.net/manual/en/language.variables.predefined.php

Arc

I never eally understood how to use those variables.. and what do you mean 'exploit my script"?

weed i tried header("Location... and i did indeed get header errors even though it was before any html.. i think it was because the form was posting to itself before the header(location bit.

brad_fears

Well it's not to say that your script is even exploitable, but leaving register_globals on makes it easier to pass variables via url to your script which could replace those from your form. Such as passing the "script.php?Error=1" via url to avoid your error checking.

All of your posted form variables can be referenced as $_POST['variable'] if register_globals is turned off. This prevents people from adding ?variable=whatever to your url, where your script would just take it and not care whether it came from the form or not.

Perhaps someone could provide a link to a good tutorial on securing your scripts by turning off register_globals?

As far as the headers go, you should do your Location before ANYTHING is output by the script.

Arc

Hmm, ok well that makes sense. So basically i just put $_POST[$Var] on every variable? Does this only work when register_globals is off? It seems like an awfull lot of extra typing just to avoid someone attaching an extra variable on a link to try to confuse the code.

Weedpacket

No, you use $_POST['Var'].
It works whether register_globals is off or on (and for that reason alone is preferable.)

If it's too much effort to you to use $POST['var'] instead of $var, just start the script with
$var=$POST['var'];

As for security, well it's a tradeoff - how much do you care about your site's safety? Remember, if your site is being hosted by someone else, their considerations have to be taken into account as well.