1

I found for the question How do I use two submit buttons, and differentiate between which one was used to submit the form? the answer to use two differently named buttons

<input type="submit" name="publish" alt="Publish" value=""/> 
<input type="submit" name="save" alt="Save" value=""/>

and then detect which was pressed by

<?php
    if (isset($_POST['publish'])) {
        // Publish-button was clicked
    }
    elseif (isset($_POST['save'])) {
        // Save-button was clicked
    }
?>

I found then in this answer of the question How can I tell which button was clicked in a PHP form submit? that one should not do this, because it might happen that no button is clicked.

Other ways to submit a form exist, and some browsers/versions decide not to send the name/value of any submit buttons in some of these situations. For example, many users submit forms by pressing the enter key when the cursor/focus is on a text field. Forms can also be submitted via javascript, as well as some more obscure methods.

and one should rather use 

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    //something posted

    if (isset($_POST['publish'])) {
        // Publish-button was clicked
    } else {
        // Assume Save-button was clicked
    }
}

1. Question: Which browser does actually not send the name of a submit button if you press enter in a textfield of your form? I just checked it with Mozilla, and in this browser it was sending the name of the submit button.

2.Question: I want to construct a multi-step form in php going from page 1 to page 3. All pages are in the same php file, and I detect from the button to which page I want to go next, the structure looks similar to this one:

<?php
    if(isset($_POST['button1']))
    {
     include 'page2.php';
    }
    elseif(isset($_POST['button2']))
    {
      include 'page3.php';
    }
    else
    {
      include 'page1.php';
    }
  ?>

Since I have forward and backward button, I am thinking of storing in $_SESSION['current_page'] the page that the user currently is, and when the form is submitted with no button-value, then I would proceed to the next page. However, this seems a bit too complicated to me. Is there a shorter solution?

Community
  • 1
  • 1
Adam
  • 25,960
  • 22
  • 158
  • 247

1 Answers1

1

  1. As the writer suggests, any of a number of bots, little-known user agents, experimental clients, scripts, script kiddies, programmers testing functionality via debugging tools, and Adrian Lamo.

  2. I suppose you could introduce hidden variables; you could, alternatively, pass state via GET. Probably the best thing to do would be to introduce Javascript that would force (almost all valid) users to push one of the buttons and have the server produce an error page for any requests submitted without the correct button. Or, perhaps better yet and a little more Web 2.0, don't use multiple page forms, but do your magic in the client (via hiding and un-hiding sections of the form, etc.) and then submit the "multi-part" form in one operation for validation by the server.

Kevin_Kinsey
  • 2,285
  • 1
  • 22
  • 23
  • Using JavaScript would mean you would only need one submit button on the final stage. – Burgi Oct 22 '15 at 13:47
  • Regarding question 1: I dont want to prevent script-kiddies to hack my form. I only care if people who try to pass the form get difficulties when using an out-dated browser. Is there actually a browser who does not pass the button name/value when hitting enter in a textfield? I think using Javascript does also not prevent script-kiddies from hacking the form. I only know how to hide/unhide stuff with javascript, but not everyone ahs js enabled. – Adam Oct 22 '15 at 15:27