
Similar PHP form code: First throws error if $_REQUEST is empty, second does not

Tags: forms, php

I'm new to PHP so this might be a simple answer. Hopefully I format this correctly and properly to SO standards (still new to the site.)

I'm working on two sets of very similar code submitting form data and using htmlspecialchars to stop XSS attacks in my very basic beginning PHP book via SitePoint. Simple enough, right.

When working with code set 1, I got an error of undefined index once I changed the form action from

<form action="formpost.php" method="post">

to

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

I searched SO and found that I needed to check if $_REQUEST was empty or not in order for there to be no undefined index and to get rid of that error. If someone can explain that portion to me I'd be very grateful. What parameters does something need to fall under in order to become an index? Thinking out loud, please don't make fun of me, I know I probably sound stupid --> Is it an index because $_REQUEST, being a $_POST, $_GET and $_COOKIE, is an array and data within an array is indexed, 0,1,2,3,etc.?

I understand $_REQUEST could be possibly empty because no $_REQUEST has been made (I suppose?) but, being that no script has been activated by entering data into the form, why would it be expecting data to already be in $_REQUEST?

Code Set 1 (throws error [undefined index] unless the script checks if $_REQUEST is empty): In this code I'm just allowing the end-user to post their name via the form field or via a string added manually to the URL and have it print.

<?php
if( !empty($_REQUEST) )
{
    $firstname = $_REQUEST['firstname'];
    $lastname = $_REQUEST['lastname'];
    echo 'Welcome to our web site, ' .
        htmlspecialchars($firstname, ENT_QUOTES, 'utf-8') . ' ' .
        htmlspecialchars($lastname, ENT_QUOTES, 'utf-8') . '!';
}
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Query String Link Example</title>
    </head>

    <body>
        <p>
            <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
              <div><label for="firstname">First name:  
                <input type="text" name="firstname" id="firstname"></label>  
              </div>  
              <div><label for="lastname">Last name:  
                <input type="text" name="lastname" id="lastname"></label></div>  
              <div><input type="submit" value="GO"></div>  
            </form>
        </p>
    </body>
</html>

Code Set 2 (does not mind if $_REQUEST is checked or not): In this code I'm doing the same thing, just if it happens to be my exact name, have it print out a special message.

<?php
    $firstname = $_REQUEST['firstname'];
    $lastname = $_REQUEST['lastname'];
        if ($firstname == 'Tommy' && $lastname == 'Loza') 
        {
            echo 'Welcome to our web site web master!';
        }
        else
        {
            echo 'Welcome to our web site, ' .
                htmlspecialchars($firstname, ENT_QUOTES, 'utf-8') . ' ' .
                htmlspecialchars($lastname, ENT_QUOTES, 'utf-8') . '!';
        }
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Conditional Query String Link Example</title>
    </head>

    <body>
        <p>
            <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
              <div><label for="firstname">First name:  
                <input type="text" name="firstname" id="firstname"></label>  
              </div>  
              <div><label for="lastname">Last name:  
                <input type="text" name="lastname" id="lastname"></label></div>  
              <div><input type="submit" value="GO"></div>  
            </form>
        </p>
    </body>
</html>

Hopefully I didn't ask too many stupid questions and this post is formatted correctly. Thanks a lot SO community.

Tommy

asked May 04 '15 06:05

tommydevs


1 Answer

Basically you can't access a REQUEST index unless it exists.

If you don't use the if statement, it's trying to access the index regardless of whether or not it exists. Therefore, if $_REQUEST['firstname'] does not exist, instead of just defaulting to null, it will give the undefined index error, as $_REQUEST is an array.

If you try and use an undefined variable, it'll say "Undefined Variable" instead of "index".

['firstname'] <- This is the index. If this does not exist, it will error.

Checking if it's empty won't necessarily be the only thing either. I'd also be checking to see if firstname and lastname are set, like so:

if(!empty($_REQUEST) && isset($_REQUEST['firstname']) && isset($_REQUEST['lastname'])){
    //Code here
}

Of course you can then check them individually for the ability to throw individual errors depending on whichever one is missing.

--Edit

Also, you can do the following:

if($_SERVER['REQUEST_METHOD'] == "POST"){
    //code
}

As by default, it is set to "GET".

answered Sep 28 '22 03:09

Chris Evans
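
The checks from the answer above, combined into one handler, as an added example that is not part of the original question, answer or the SitePoint book. The helper names `field` and `greeting` are hypothetical; in a real page they would be called with `$_SERVER['REQUEST_METHOD']` and `$_POST`, and the sample requests are constructed.

```php
<?php
// Added example: field() and greeting() are hypothetical helper names.

/** Return a trimmed string field, or null when the key is absent or not a string. */
function field(array $input, string $key): ?string
{
    // isset() is false for a missing key, so no "undefined index" notice is raised.
    // is_string() rejects array input such as firstname[]=x.
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    $value = trim($input[$key]);
    return $value === '' ? null : $value;
}

/** Build the greeting, or return null when the form has not been submitted. */
function greeting(string $method, array $input): ?string
{
    if ($method !== 'POST') {
        return null; // first page load is a GET: there is nothing to read yet
    }
    $first = field($input, 'firstname');
    $last  = field($input, 'lastname');
    if ($first === null || $last === null) {
        return 'Please fill in both names.';
    }
    return 'Welcome to our web site, '
        . htmlspecialchars($first, ENT_QUOTES, 'UTF-8') . ' '
        . htmlspecialchars($last, ENT_QUOTES, 'UTF-8') . '!';
}

// Constructed sample requests (not from the original post).
$samples = [
    ['GET',  []],                                                // page just opened
    ['POST', ['firstname' => 'Tommy']],                          // lastname missing
    ['POST', ['firstname' => '<b>Tommy</b>', 'lastname' => 'Loza']], // markup in input
    ['POST', ['firstname' => ['x'], 'lastname' => 'Loza']],      // array instead of string
];
foreach ($samples as [$method, $input]) {
    var_dump(greeting($method, $input));
}

// The form action is output too: PHP_SELF reflects the requested path,
// so it is escaped like any other value before going into the attribute.
$action = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
echo '<form action="' . $action . '" method="post">', PHP_EOL;
```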