PHP Form Processing

software development

#1

Hey all, me again…

I’ve got something kinda strange happening with my scripts. I have a form on them, which when filled out and submitted is stored in a database for searching. The ‘submit button’ is actually an image ().

The problem I have is that IE will not send the value of the submit button (image) to the script to process, therefore the script does nothing. I’ve tested in Mozilla and FireFox and the forms work fine.

My form submit button is created like this:

<input type="image" name="submit" value="insert" src="images/b_dm_submit.gif" width="58" height="21">and the processing script has the if statement (in this case an elseif) written as elseif ($submit=='insert') {Anyone know of an issue where IE will not pass the value correctly? As a sidenote to this… if I use it works just fine.

THANKS!

================================
I’d give my right arm to be ambidexterous!


#2

For one, you need to use $_GET[‘submit’] or $_POST[‘submit’]. What you’re using is know as register_globals where it converts submit=value to $submit = value (VERY BAD programming practice in PHP).

Now for your problem, havn’t a clue. lol

It could be a possible bug in IE. It should be submitting values instead of name=value par thinking it’s an Image Map. IE is flakey like that. Try creating an info page (<? phpinfo() ?>) and submit your form to that and look at the values you get.


#3

Hmmm… interesting…

In IE:_REQUEST["domain"] ************.com _REQUEST["submit_x"] 31 _REQUEST["submit_y"] 12 _POST["domain"] ************.com _POST["submit_x"] 31 _POST["submit_y"] 12 In Mozilla:_REQUEST["domain"] ************.com _REQUEST["submit_x"] 14 _REQUEST["submit_y"] 15 _REQUEST["submit"] dump _POST["domain"] ************.com _POST["submit_x"] 14 _POST["submit_y"] 15 _POST["submit"] dump (Actual domain removed for privacy reasons).

So the submit variable is not being passed incorrectly, it’s not being passed at all… I appreciate that little hint, I did not know that this could be done. :slight_smile:

Do I need to put that in the processing script? Something like if ($_POST['submit']=='dump') { or something somewhat similar?

I’m a newb do doing this, so I appreciate the help! Thanks again!!

================================
I’d give my right arm to be ambidexterous!


#4

[quote]Do I need to put that in the processing script? Something like

if ($_POST[‘submit’]==‘dump’) {

or something somewhat similar?[/quote]
Yeah, just like that.

You should always access your query variables through _REQUEST, _POST, _GET or _COOKIE (_SESSION if you’re using sessions). _REQUEST is a combination of everything in _POST, _GET and _COOKIE.

It’s the new method introduced in PHP4 on it’s release in efforts to get away from register globals (where PHP automatically creates a variable based on the query variable names). It’s been proven to be too much of a security problem, especially for new PHP developers.

As for your original problem, as I suspected, IE’s flaking out. My suggestion; use a hidden field to key off instead of relying on the image buttton itself.


#5

So my question to this will be, if I am submitting form entries to a database is it still ok for me to write the SQL statement as: INSERT INTO [i]database[/i] VALUES ($name,$address,$phone); as an example?

Oh, and I made the change to use if _POST[‘submit’] and the script still works great, but IE still doesn’t want to play nice.

Thanks again!

================================
I’d give my right arm to be ambidexterous!


#6

Internet Explorer will not send the value of the image-type control, there is nothing you can do to fix that server-side.

As suggested, use a different field. For example, if you have multiple forms, use a hidden control for each one. If you have one form, but multiple image controls, then you would have to rely on JavaScript, etc and when an image control is pressed, update the value of the hidden control accordingly.

:cool: Perl / MySQL / HTML+CSS


#7

oh no! That’s one of the root hacks used on register_globals enabled sites.

Imagine if somebody submitted a name as: '); select * from mysql.users;

First off, you can’t use $name, as you should already know from the above. It’ll be $_POST[‘name’]. Secondly, you need to do some cleaning up first. I’d use things like addslashes() and maybe some general validation checks to insure they don’t inject any SQL queries into variables you’ll be using.