
How do I make a PHP form that submits to self?

Tags: html, forms, php

How do I make a self-posting/self-submitting form, i.e. a form that submits the results to itself, instead of submitting to another form?

user544079 asked Apr 29 '11 01:04




3 Answers

The proper way would be to use $_SERVER["PHP_SELF"] (in conjunction with htmlspecialchars to avoid possible exploits). You can also just leave the action= part empty, which is not W3C valid, but currently works in most (all?) browsers - the default is to submit to self if it's empty.

Here is an example form that takes a name and email, and then displays the values you have entered upon submit:

<?php if (!empty($_POST)): ?>
    Welcome, <?php echo htmlspecialchars($_POST["name"]); ?>!<br>
    Your email is <?php echo htmlspecialchars($_POST["email"]); ?>.<br>
<?php else: ?>
    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
        Name: <input type="text" name="name"><br>
        Email: <input type="text" name="email"><br>
        <input type="submit">
    </form>
<?php endif; ?>
Phphelp answered Sep 19 '22 23:09


I guess you mean $_SERVER['PHP_SELF']. And if so, you really shouldn't use it without sanitizing it first. This leaves you open to XSS attacks.

The if(isset($_POST['submit'])) condition should be above all the HTML output, and should contain a header() function with a redirect to the current page again (only now, with some nice notice that "emails have been sent" ... or something). For that you will have to use $_SESSION or $_COOKIE.

And please. Stop using $_REQUEST. It too poses a security threat.

tereško answered Sep 20 '22 23:09
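
The flow described in the answer above (handle the POST before any HTML output, redirect back to the same page, carry the notice in $_SESSION), as an added example that is not part of any answer on this page. The field names follow the first answer's form; the e() helper, the use of SCRIPT_NAME in place of PHP_SELF and the 303 status code are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the answers. Assumes one directly served file;
// the field names "name" and "email" are taken from the first answer's form.
session_start();

// Hypothetical helper: escape for HTML text and quoted attribute values.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SCRIPT_NAME is the script's own path. PHP_SELF additionally carries any
// client-supplied path info that follows the script name in the URL.
$self = $_SERVER['SCRIPT_NAME'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);

    if ($name === '' || $email === false) {
        $_SESSION['flash'] = 'Please enter a name and a valid email address.';
    } else {
        // ... process the submission here (send the mail, store a row) ...
        $_SESSION['flash'] = "Thanks, $name. We will write to $email.";
    }
    // Redirect so that a browser reload repeats a GET, not the POST.
    header('Location: ' . $self, true, 303);
    exit;
}

// GET request: take the one-time notice left by the POST branch, then clear it.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($flash !== null): ?>
    <p><?= e($flash) ?></p>
<?php endif; ?>
<form action="<?= e($self) ?>" method="post">
    Name: <input type="text" name="name"><br>
    Email: <input type="text" name="email"><br>
    <input type="submit">
</form>
</body>
</html>
```

The notice contains the submitted name, so it is escaped at the point of output, the same as the action attribute.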


That will only work if register_globals is on, and it should never be on (unless of course you are defining that variable somewhere else).

Try setting the form's action attribute to ?...

<form method="post" action="?">
   ...
</form>

You can also set it to be blank (""), but older WebKit versions had a bug.

alex answered Sep 21 '22 23:09