I have a main page (main.html) with a link to a feedback page (either feedback.html or feedback.php based on how I do it). The feedback page will have a form which will be submitted to the php server, and it should then return to main.html.
I can use a totally different file to handle the form by adding the following to feedback.html:
[CODE]<form action="process_feedback.php" method="post">[/CODE]
Or I can include the form-handling script in feedback.php itself by adding the following to it:
[CODE]<?php
...
// the form posts back to this same script
$self = $_SERVER['PHP_SELF'];
...
?>
...
<form action="<?php echo htmlspecialchars($self); ?>" method="post">[/CODE]
Can anyone comment on the pros and cons of both methods?
Thanks
[code=php]<?php
$Error_in_Form = false;
IF (isset($_POST['submit'])) :
    // process input
ENDIF;
IF ($Error_in_Form or !isset($_POST['submit'])) :
    // display form with error messages
ELSE :
    // redirect user to wherever
ENDIF;
?>[/code]
[QUOTE]I don't think anything is blatant.[/QUOTE]
I disagree. I would say always have the form and processing script in the same page. For a start it means a lot less code; it also allows the form to be sticky. It might seem more work when you are a beginner but later it saves lots of work.
[QUOTE]I disagree.[/QUOTE]
With whom?
[QUOTE]I can see how that could be ambiguous! What I don't agree with is doing something for the wrong reasons.[/QUOTE]
Yes, the story of my life... ?
[QUOTE]What for?[/QUOTE]
[CODE]<?php
$Error_in_Form = false;
IF (isset($_POST['submit'])) :
    // process input
ENDIF;
IF ($Error_in_Form or !isset($_POST['submit'])) :
    // display form with error messages
ELSE :
    // redirect user to wherever
ENDIF;
?>[/CODE]
[CODE]<?php
$error = "";
if (isset($_POST['submit'])) {
    // Process form, and if there is an error, set $error = "error description"
    if ($error != "") {
        echo($error);
    } else {
        // store data in database and redirect to new location
    }
} else {
    // Display form
}
?>[/CODE]
[code=php]<?php
$Error_in_Form = "";
if (isset($_POST['submit']))
{
    // validate each input and if something is wrong, set $Error_in_Form .= "detailed error description<br>"
}
if (($Error_in_Form != "") or !isset($_POST['submit']))
{
    if ($Error_in_Form != "") { echo($Error_in_Form); }
    // display form using sticky inputs
}
else
{
    // store data in database
    // redirect user to wherever
}
?>[/code]
[code=php]<?php
$Error_in_Form = "";
if (isset($_POST['submit']))
{
    $something_wrong = false;
    foreach ($_POST as $name => $value)
    {
        // validate $value for field $name; on failure set $something_wrong = true
    }
    if ($something_wrong)
    {
        $Error_in_Form .= "detailed error description<br>";
    }
    else
    {
        // store data in database
        // redirect user to wherever
    }
}
if (($Error_in_Form != "") or !isset($_POST['submit']))
{
    if ($Error_in_Form != "")
    {
        echo($Error_in_Form);
    }
    // echo form using sticky inputs
}
?>[/code]
[code=php]<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<style type="text/css">
<!--
.err_msg {font-weight: bold; color:red; height:35pt; width:250pt; border: 1px dotted navy; padding:3px; background-color:lightyellow;}
.fld_set {width:255pt; padding:3px;}
.fld_legend {font-weight: bold; color:navy; font-variant:small-caps; padding-left:5px;padding-right:5px;}
-->
</style>
<script type="text/javascript">
<!--
// Validation of required input fields
function form_validate(thisform, popup) {
    var err_msg = "";
    var err_txt = "";
    with (thisform) {
        if (col1.value == null || col1.value == "") {
            col1.focus();
            err_txt = "Please enter a value for Column1";
            err_msg = err_msg + err_txt + "<br />";
            if (popup) {
                alert(err_txt);
            }
        }
        if (col2.value == null || col2.value == "") {
            if (err_msg == "") {
                col2.focus();
            }
            err_txt = "Please enter a value for Column2";
            err_msg = err_msg + err_txt + "<br />";
            if (popup) {
                alert(err_txt);
            }
        }
    }
    if (err_msg != "") {
        document.getElementById("err_msg").innerHTML = err_msg;
        return false;
    }
    return true;
}
// -->
</script>
</head>
<body>
<?php
// Check self-referral
$CHECKfromself = true;
// Set form action if different than PHP_SELF
$ACTIONpage = "";
// Enter a redirect location if desired
$REDIRlocation = "";
// Initialize fields
$COL1 = "";
$COL2 = "";
// Set to empty, used as a flag item
$USRmsg = "";
// With JS Alert?
$JSalert = true;
// Check submit button and hidden form name variable to confirm
IF (isset($_POST['submit']) AND (isset($_POST['FrmName']) AND $_POST['FrmName'] == "do_insert")) :
    IF (!CheckOrigin($CHECKfromself)) :
        $USRmsg = "Data submission from unauthorized source.";
    ELSE :
        require_once "../DBconnect2.inc.php";
        // Server-side sanitization of POST variables
        $COL1 = CheckPrepSQL("col1");
        IF ($COL1 == "") :
            $USRmsg .= "Please enter a value for Column1.<br />";
        ENDIF;
        $COL2 = CheckPrepSQL("col2");
        IF ($COL2 == "") :
            $USRmsg .= "Please enter a value for Column2.<br />";
        ENDIF;
        IF ($USRmsg == "") :
            // Insert the record, or update col2 if the key already exists
            $sql  = "INSERT INTO yourtable ";
            $sql .= " SET col1 = '$COL1', ";
            $sql .= " col2 = '$COL2' ";
            $sql .= " ON DUPLICATE KEY UPDATE col2 = '$COL2' ";
            $qry = mysql_query($sql) or die ('SQL Error: ' . $sql . '<br />' . mysql_error());
            IF ($REDIRlocation == "") :
                $USRmsg = "The record has been successfully inserted or updated.";
            ELSE :
                header("Location: $REDIRlocation");
                exit;
            ENDIF;
        ENDIF;
    ENDIF;
ENDIF;
?>
<fieldset class="fld_set">
<legend class="fld_legend">Sample Input Form</legend>
<form method="POST" name="FrmInput" action="<?php echo htmlspecialchars($ACTIONpage == "" ? $_SERVER['PHP_SELF'] : $ACTIONpage, ENT_QUOTES) ?>" enctype="multipart/form-data" onsubmit="return form_validate(this,<?php echo ($JSalert ? "true" : "false") ?>);">
<input type="hidden" name="FrmName" value="do_insert" />
<label for="col1">Enter Column1: </label>
<input type="text" name="col1" id="col1" value="<?php echo htmlspecialchars($COL1, ENT_QUOTES) ?>" /><br />
<label for="col2">Enter Column2: </label>
<input type="text" name="col2" id="col2" value="<?php echo htmlspecialchars($COL2, ENT_QUOTES) ?>" /><br />
<input type="SUBMIT" name="submit" value="Search!" />
</form>
<div id="err_msg" class="err_msg"><?php echo $USRmsg ?></div><br />
</fieldset>
</body>
</html>
<?php
//----------------------------------------------
// Returns true when the check is disabled or when the referrer is this very page
function CheckOrigin($pCheck=true) {
    return (!$pCheck OR (isset($_SERVER['HTTP_REFERER']) AND $_SERVER['HTTP_REFERER'] == "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']));
}
//----------------------------------------------
// Trims the POST field, undoes magic quotes if they are on, and escapes the value for MySQL
function CheckPrepSQL($pField) {
    $retVAL = "";
    IF (isset($_POST[$pField]) AND $_POST[$pField] <> "") :
        $retVAL = mysql_real_escape_string(trim(get_magic_quotes_gpc() ? stripslashes($_POST[$pField]) : $_POST[$pField]));
    ENDIF;
    return $retVAL;
}
?>[/code]
[QUOTE]I'm sure I've forgotten this or that.[/QUOTE]
You have your logical order wrong. Always run through the decision-making process before sending any content to the client. In the case of this script that order should be:
[code=php]<?php
$Error_in_Form = '';
if($_POST)
{
    if(!($Error_in_Form = validate($_POST)))
    {
        # store data in database
        # header('Location: some.page');
        die('Redirection failure message!');
    }
}
header('Content-Type: text/html; charset=ISO-8859-1');
?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<title>Sticky form</title>
<style type="text/css">
form p{clear:left;}
label, input{width:5em;float:left;margin-bottom:0.2em;}
input{width:8em;}
.error-message{color:red;font-weight:bold;}
</style>
</head>
<body>
<?php echo form(($_POST ? $_POST : null), $Error_in_Form) ?>
</body>
</html><?php
function form($in, $error)
{
    $text_fields = array('name', 'email');
    $printout = '';
    foreach($text_fields as $fieldname)
    {
        // sticky value: re-display what was submitted, HTML-escaped (ENT_QUOTES because the attribute is single-quoted)
        $value = isset($in[$fieldname]) ? htmlspecialchars($in[$fieldname], ENT_QUOTES) : '';
        $printout .= "<p><label for='$fieldname'>".ucfirst($fieldname).
            ": </label><input type='text' name='$fieldname' id='$fieldname'".
            ($value !== '' ? " value='".$value."'" : '').
            '></p>'."\n";
    }
    return '<form action="" method="post">'."\n".
        ($error ? '<p class="error-message">'.$error.'</p>'."\n" : '').
        $printout.
        "<p><label for='submit'>Proceed: </label><input type='submit' name='submit' id='submit' value='next step'></p>\n".
        '</form>'."\n";
}
function validate($in)
{
    $errors = '';
    $name  = isset($in['name'])  ? trim($in['name'])  : '';
    $email = isset($in['email']) ? trim($in['email']) : '';
    if(!preg_match('/^[a-z]+$/i', $name))
    {
        $errors .= 'Name field incorrectly filled in!<br>'."\n";
    }
    if(!preg_match('/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/', $email))
    {
        $errors .= 'Email field incorrectly filled in!<br>'."\n";
    }
    return $errors;
}
?>[/code]
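As an added example that is not part of this thread or of anyone's posted script, the same "decide first, then output" order as the reply above, generalized in two ways the reply leaves implicit: the success path redirects instead of rendering (Post/Redirect/Get, so a browser reload does not re-submit), and every sticky value is HTML-escaped before it is written back into the form, so a submitted value such as `<script>` is displayed rather than executed. The function names `validate`, `render_form`, `h` and `handle`, the field names and the constructed sample submissions are assumptions made for the demonstration; `filter_var` stands in for the hand-written e-mail regex. It needs PHP 7 or later.

```php
<?php
// Added example (not the thread's own code): validate, then either redirect
// or render a sticky, escaped form. Field names and sample input are constructed.

// Validate the submitted fields; returns an array of error messages keyed by
// field, empty when everything is acceptable.
function validate(array $in): array
{
    $errors = [];
    $name  = trim((string) ($in['name'] ?? ''));
    $email = trim((string) ($in['email'] ?? ''));

    if ($name === '' || !preg_match('/^[a-z]+$/i', $name)) {
        $errors['name'] = 'Name field incorrectly filled in!';
    }
    // filter_var replaces the hand-written e-mail regex from the thread.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email field incorrectly filled in!';
    }
    return $errors;
}

// Output escaping: every value that came from the request goes through this
// before it is written into the page, including the sticky input values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render the form. $in holds the previous submission (empty on first visit);
// $errors comes from validate().
function render_form(array $in, array $errors): string
{
    $out = '<form action="" method="post">' . "\n";
    foreach (['name', 'email'] as $field) {
        $value = h((string) ($in[$field] ?? ''));
        $out .= "<p><label for=\"$field\">" . ucfirst($field) . ": </label>"
              . "<input type=\"text\" name=\"$field\" id=\"$field\" value=\"$value\">";
        if (isset($errors[$field])) {
            $out .= ' <span class="error-message">' . h($errors[$field]) . '</span>';
        }
        $out .= "</p>\n";
    }
    $out .= "<p><input type=\"submit\" name=\"submit\" value=\"next step\"></p>\n</form>\n";
    return $out;
}

// The decision step. It produces no output itself, so it can run before any
// byte of HTML is sent and a Location header is still possible on success.
function handle(array $post, string $success_url): array
{
    if ($post === []) {
        return ['action' => 'render', 'body' => render_form([], [])];
    }
    $errors = validate($post);
    if ($errors === []) {
        // store the data here, then redirect so a reload does not re-submit
        return ['action' => 'redirect', 'location' => $success_url];
    }
    return ['action' => 'render', 'body' => render_form($post, $errors)];
}

if (PHP_SAPI === 'cli') {
    // Constructed request: a script tag as the name and a malformed e-mail.
    $result = handle(['name' => '<script>alert(1)</script>', 'email' => 'not-an-email'], '/main.html');
    echo $result['body'];   // the name appears escaped inside the sticky field
    $result = handle(['name' => 'Alice', 'email' => 'alice@example.com'], '/main.html');
    echo $result['action'], ' -> ', $result['location'], "\n";
} else {
    $result = handle($_POST, '/main.html');
    if ($result['action'] === 'redirect') {
        header('Location: ' . $result['location']);
        exit;
    }
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html lang="en"><head><title>Sticky form</title>'
       . '<style>.error-message{color:red;font-weight:bold;}</style></head><body>'
       . $result['body'] . '</body></html>';
}
```

Run from the command line it prints the re-rendered form with the escaped name and the two error messages, then `redirect -> /main.html` for the valid submission; under a web server the same `handle()` result drives either the redirect or the page. Keeping validation and rendering as pure functions is what makes the order enforceable: nothing can echo before `handle()` has decided.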
[code=php]<?php
// Check self-referral
$CHECKfromself = true;
// Set form action if different than PHP_SELF
$ACTIONpage = "";
// Enter a redirect location if desired
$REDIRlocation = "";
// Initialize fields
$COL1 = "";
$COL2 = "";
// Set to empty, used as a flag item
$USRmsg = "";
// With JS Alert?
$JSalert = true;
// Check submit button and hidden form name variable to confirm
IF (isset($_POST['submit']) AND (isset($_POST['FrmName']) AND $_POST['FrmName'] == "do_insert")) :
    IF (!CheckOrigin($CHECKfromself)) :
        $USRmsg = "Data submission from unauthorized source.";
    ELSE :
        require_once "../DBconnect2.inc.php";
        // Server-side sanitization of POST variables
        $COL1 = CheckPrepSQL("col1");
        IF ($COL1 == "") :
            $USRmsg .= "Please enter a value for Column1.<br />";
        ENDIF;
        $COL2 = CheckPrepSQL("col2");
        IF ($COL2 == "") :
            $USRmsg .= "Please enter a value for Column2.<br />";
        ENDIF;
        IF ($USRmsg == "") :
            // Insert the record, or update col2 if the key already exists
            $sql  = "INSERT INTO yourtable ";
            $sql .= " SET col1 = '$COL1', ";
            $sql .= " col2 = '$COL2' ";
            $sql .= " ON DUPLICATE KEY UPDATE col2 = '$COL2' ";
            $qry = mysql_query($sql) or die ('SQL Error: ' . $sql . '<br />' . mysql_error());
            IF ($REDIRlocation == "") :
                $USRmsg = "The record has been successfully inserted or updated.";
            ELSE :
                header("Location: $REDIRlocation");
                exit;
            ENDIF;
        ENDIF;
    ENDIF;
ENDIF;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<style type="text/css">
<!--
.err_msg {font-weight: bold; color:red; height:35pt; width:250pt; border: 1px dotted navy; padding:3px; background-color:lightyellow;}
.fld_set {width:255pt; padding:3px;}
.fld_legend {font-weight: bold; color:navy; font-variant:small-caps; padding-left:5px;padding-right:5px;}
-->
</style>
<script type="text/javascript">
<!--
// Validation of required input fields
function form_validate(thisform, popup) {
    var err_msg = "";
    var err_txt = "";
    with (thisform) {
        if (col1.value == null || col1.value == "") {
            col1.focus();
            err_txt = "Please enter a value for Column1";
            err_msg = err_msg + err_txt + "<br />";
            if (popup) {
                alert(err_txt);
            }
        }
        if (col2.value == null || col2.value == "") {
            if (err_msg == "") {
                col2.focus();
            }
            err_txt = "Please enter a value for Column2";
            err_msg = err_msg + err_txt + "<br />";
            if (popup) {
                alert(err_txt);
            }
        }
    }
    if (err_msg != "") {
        document.getElementById("err_msg").innerHTML = err_msg;
        return false;
    }
    return true;
}
// -->
</script>
</head>
<body>
<fieldset class="fld_set">
<legend class="fld_legend">Sample Input Form</legend>
<form method="POST" name="FrmInput" action="<?php echo htmlspecialchars($ACTIONpage == "" ? $_SERVER['PHP_SELF'] : $ACTIONpage, ENT_QUOTES) ?>" enctype="multipart/form-data" onsubmit="return form_validate(this,<?php echo ($JSalert ? "true" : "false") ?>);">
<input type="hidden" name="FrmName" value="do_insert" />
<label for="col1">Enter Column1: </label>
<input type="text" name="col1" id="col1" value="<?php echo htmlspecialchars($COL1, ENT_QUOTES) ?>" /><br />
<label for="col2">Enter Column2: </label>
<input type="text" name="col2" id="col2" value="<?php echo htmlspecialchars($COL2, ENT_QUOTES) ?>" /><br />
<input type="SUBMIT" name="submit" value="Search!" />
</form>
<div id="err_msg" class="err_msg"><?php echo $USRmsg ?></div><br />
</fieldset>
</body>
</html>
<?php
//----------------------------------------------
// Returns true when the check is disabled or when the referrer is this very page
function CheckOrigin($pCheck=true) {
    return (!$pCheck OR (isset($_SERVER['HTTP_REFERER']) AND $_SERVER['HTTP_REFERER'] == "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']));
}
//----------------------------------------------
// Trims the POST field, undoes magic quotes if they are on, and escapes the value for MySQL
function CheckPrepSQL($pField) {
    $retVAL = "";
    IF (isset($_POST[$pField]) AND $_POST[$pField] <> "") :
        $retVAL = mysql_real_escape_string(trim(get_magic_quotes_gpc() ? stripslashes($_POST[$pField]) : $_POST[$pField]));
    ENDIF;
    return $retVAL;
}
?>[/code]
[QUOTE]Why do you verify the hidden input?
(isset($_POST['FrmName']) AND $_POST['FrmName'] == "do_insert")[/QUOTE]
I don't need to in this case, but I often use a single script to insert, delete and modify data. I use that to keep track of where I'm coming from and going to...
[QUOTE]Why encrypt the form? enctype="multipart/form-data"[/QUOTE]
It's not encrypted. It doesn't hurt to have it there and if I use the form to upload a file, I must have it there. So for the older, forgetful types, why not?
[QUOTE]Why does this signify it is coming from the wrong source?
($_SERVER['HTTP_REFERER'] <> "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'])[/QUOTE]
I (usually) don't want anyone sending me data to insert in a database unless they're coming from one of my pages. In this case, it's a self-calling form so the referrer can only be itself.
[QUOTE]Can you explain the following line:
$retVAL = mysql_real_escape_string(trim(get_magic_quotes_gpc() ? stripslashes($_POST[$pField]) : $_POST[$pField]));[/QUOTE]
I'm not too fond of the way it's written either but I got lazy... This is basically an IF/ELSE. I check if magic quotes are set and if so, remove any quotes the server may have added to ensure safe passage of the variables - if they are set - through HTTP. Once removed, I escape the string so that it can be used for MySQL. That value is returned to the main script.
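As an added example that is not part of this thread or of the poster's script, here is a hardened version of the two steps just discussed: the origin check, done with a per-session token carried in a hidden field instead of `$_SERVER['HTTP_REFERER']`, and the database write, done with a PDO prepared statement instead of `mysql_real_escape_string` and the magic-quotes juggling. The function names `issue_form_token`, `verify_form_token`, `store_record` and `process_post`, the in-memory SQLite table and the two sample submissions are constructed for the demonstration; `yourtable`, `col1` and `col2` are the thread's own placeholders. It assumes PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread): token-based origin check plus a
// prepared-statement insert. Names, table and sample data are constructed.

// Issue one token per session and embed it in the form as a hidden field.
// Unlike the Referer header, a client cannot guess this value, and browsers
// or proxies that strip Referer do not lock out legitimate users.
function issue_form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Verify the token sent back with the POST. hash_equals() compares in
// constant time so the check does not leak the token byte by byte.
function verify_form_token(array $session, array $post): bool
{
    if (empty($session['form_token']) || empty($post['form_token'])) {
        return false;
    }
    return hash_equals($session['form_token'], (string) $post['form_token']);
}

// Store the record with bound parameters. The values never become part of
// the SQL text, so quotes and backslashes in them are plain data.
function store_record(PDO $db, string $col1, string $col2): int
{
    // SQLite upsert; the MySQL equivalent is INSERT ... ON DUPLICATE KEY UPDATE
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO yourtable (col1, col2) VALUES (:col1, :col2)'
    );
    $stmt->execute([':col1' => $col1, ':col2' => $col2]);
    return $stmt->rowCount();
}

// The decision step, kept free of output so it can run before any HTML.
function process_post(PDO $db, array $session, array $post): string
{
    if (!verify_form_token($session, $post)) {
        return 'Data submission from unauthorized source.';
    }
    $col1 = trim((string) ($post['col1'] ?? ''));
    $col2 = trim((string) ($post['col2'] ?? ''));
    if ($col1 === '' || $col2 === '') {
        return 'Please enter a value for Column1 and Column2.';
    }
    store_record($db, $col1, $col2);
    return 'The record has been successfully inserted or updated.';
}

// --- constructed demonstration, runs from the command line ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE yourtable (col1 TEXT PRIMARY KEY, col2 TEXT)');

$session = [];                       // stands in for $_SESSION
$token = issue_form_token($session); // would be printed into the form

// 1) A forged request without the token is rejected.
echo process_post($db, $session, ['col1' => 'a', 'col2' => 'b']), "\n";

// 2) A legitimate submission containing quote characters is stored intact.
echo process_post($db, $session, [
    'form_token' => $token,
    'col1'       => "O'Brien",
    'col2'       => "x' OR '1'='1",   // stored as text, never parsed as SQL
]), "\n";

$row = $db->query('SELECT col1, col2 FROM yourtable')->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

The first call prints the "unauthorized source" message and the second stores the row, which `var_dump` shows with the quotes preserved. In a real page the token goes into `$_SESSION` under `session_start()` and into the form as `<input type="hidden" name="form_token" ...>`; the Referer comparison is then no longer needed, since the token proves the request began on a page this server rendered for this session.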
[QUOTE]Thanks!!![/QUOTE]
You're welcome!