alonushka wrote: Hello
I am using Windows 7
I wrote a very simple code in php
[...]
the code: </html>
<head>
<title>A BASIC HTML FORM</title>
<?PHP
if(isset($submit)) {
print ("SUCCESS!");
}
?>
</head>
<body>
<form action="<?= $php_SELF ?>" method="POST">
<Input Type = "text" Value ="username" Name ="username">
<Input Type = "Submit" Name = "Submit" Value = "Login">
</FORM>
</body>
</html>
Your code does have several errors:
Code:
</html>
<head>
[...]
The first tag should be an opening html tag, not a closing html tag.
Code:
[...]
<head>
<title>A BASIC HTML FORM</title>
<?PHP
if(isset($submit)) {
print ("SUCCESS!");
}
?>
</head>
[...]
- All output you want to see in your browser (except for the browser title bar) has to be placed inside the <body> tags, not the <head> tags.
btw: you haven't defined a $submit variable. I will show you later in this post.
Code:
[...]
<body>
<form action="<?= $php_SELF ?>" method="POST">
<Input Type = "text" Value ="username" Name ="username">
<Input Type = "Submit" Name = "Submit" Value = "Login">
</FORM>
</body>
</html>
- You open a form, but don't close it correctly. <form> is not the same as <FORM>.
- You defined two POST variables (username, Submit). If you submit your form, these values will be transformed into the superglobal array $_POST (in your case to $_POST['username'] and $_POST['Submit']). They will not be automatically transformed to a local variable $Submit! If you want to use a local variable, you have to create it manually (e.g. $submit = $_POST['Submit'];)
- And again: $_POST['Submit'] is not the same as $_POST['submit']!
- <?= is short syntax. If you want to use this, you have to check if it's enabled in the php.ini. Otherwise enable it or better, use the full syntax <?php echo.
- PHP_SELF is part of the superglobal $_SERVER array. If you want to use it, you have to use the array ($_SERVER['PHP_SELF'] instead of $PHP_SELF).
- It's not safe to use user-generated values without a filter (PHP_SELF is partly user-generated). Use the PHP function htmlentities() to filter this value (e.g. your form open tag should be this: <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="POST">).
Your correct form could be something like this:
Code:
<?PHP
if(isset($_POST['submit'])) {
print ("SUCCESS!");
}
?>
<html>
<head>
<title>A BASIC HTML FORM</title>
</head>
<body>
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="POST">
<input type="text" value="username" name="username">
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>
Some more hints:
Your HTML code is not very clean. The mix of tags and attributes with uppercase beginning can produce some unexpected errors in case-sensitive languages (like PHP).
Use one of the HTML coding standards (HTML 4.01 or XHTML 1.0) and use validators to check your code.
@wole:
wole wrote: And the idiotic errors in the source code don't fit the question either.
It gives that impression at first, but the error code 403 is normal when you consider what happens on submitting the form with short_open_tags when these are disabled.
wole wrote: I have a very bad feeling here that the question, or rather the answer, is meant to be misused.
The way the code is written, I am rather afraid that someone here is just starting out with form processing and hasn't been writing HTML for very long either.
As for the danger of PHP_SELF with regard to XSS, this danger is no greater than with any other user-generated content. Assuming malicious intent here strikes me as perhaps a little overanxious.
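An added example, not part of the original post: the form's action attribute built from a PHP_SELF-style value with and without htmlentities(), plus the case-sensitive $_POST key check discussed in the reply. The function names and the sample paths are constructed for illustration.

```php
<?php
// Added example; the sample paths below are constructed, not real request data.

function formTagRaw(string $self): string
{
    // Before: the value is copied into the attribute unchanged.
    return '<form action="' . $self . '" method="POST">';
}

function formTagEscaped(string $self): string
{
    // After: htmlentities() encodes <, >, & and quotes, so the value stays
    // inside the attribute. ENT_QUOTES is passed explicitly because the
    // default flags before PHP 8.1 left single quotes unencoded.
    return '<form action="' . htmlentities($self, ENT_QUOTES, 'UTF-8') . '" method="POST">';
}

function wasSubmitted(array $post): bool
{
    // Array keys are case-sensitive: name="submit" arrives as $post['submit'].
    return isset($post['submit']);
}

// On a typical Apache setup PHP_SELF also contains any path info the client
// appended after the script name, which is why it counts as user input.
$samples = [
    '/form.php',
    '/form.php/"><b>injected</b>',
];

foreach ($samples as $constructedSelf) {
    $raw = formTagRaw($constructedSelf);
    $escaped = formTagEscaped($constructedSelf);
    echo 'PHP_SELF: ', $constructedSelf, PHP_EOL;
    echo '  raw:     ', $raw, PHP_EOL;
    echo '  escaped: ', $escaped, PHP_EOL;
    // A literal <b> in the output means the value broke out of the attribute.
    echo '  markup injected (raw):     ', var_export(strpos($raw, '<b>') !== false, true), PHP_EOL;
    echo '  markup injected (escaped): ', var_export(strpos($escaped, '<b>') !== false, true), PHP_EOL;
}

echo 'Submit key: ', var_export(wasSubmitted(['Submit' => 'Login']), true), PHP_EOL;
echo 'submit key: ', var_export(wasSubmitted(['submit' => 'Login']), true), PHP_EOL;
```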