I'm trying to get user input in a progressive sequence that leads to that input being sent by email. Sending by email is a whole other issue that I haven't tackled yet so not really worried about that. The part I am having difficulty with is once the user gets to the "Send Email?" (Yes/No) radio buttons, the input from that question is not processed correctly. I've gotten further with this by using a separate php file as the form action but still get errors related to emailName, emailAddress, and emailMsg not existing ("Notice: Undefined index..."). Furthermore, I still need to be able to use the $_POST[athletes] array further down but I'm guessing it's outside of the variable scope at that point. So to bring that all together, I'm really asking a few questions:

1) How can I get all of the forms to work together in the same file?

2) When the program actually goes past the "Send Email?" radio buttons when I use a separate php file as the form action, why am I getting undefined index errors?

3) Why do I get an error when I try to use the athletes[] array further down in the code? Should I somehow be passing the array values to that part of the code?

The exact steps the user would take to get to the issue are:

  1. Select 1 or more athlete checkboxes and click the 'Display Selection(s)' button.

  2. Select 'Yes' for "Send Email?" and click the 'Submit' button.

  3. Restarts the code for some reason.

Any help would be greatly appreciated. Also, this is my first post so sorry if I asked the question incorrectly or not according to site etiquette. I also apologize for the long code fragment but I'm not sure what parts might be causing this to be incorrect.

<b><h1><center>Athelete Selection Screen</center></h1></b>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
        <p>
            <fieldset>
                <legend>Athletes Available: </legend>
                <input type="checkbox" id="student1"
                    name="athletes[]" value="Student1 Test">
                    <label for="student1">Student1 Test</label><br/>
                        <font color="grey">Football - Running back</font><br/>

                <p>
                <input type="checkbox" id="student2"
                    name="athletes[]" value="Student2 Test">
                    <label for="student1">Student2 Test</label><br/>
                        <font color="grey">Soccer - Left Forward</font><br/>
                </p>

                <p>
                <input type="checkbox" id="student3"
                    name="athletes[]" value="Student3 Test">
                    <label for="student1">Student3 Test</label><br/>
                        <font color="grey">Baseball - Pitcher/Left Outfield</font><br/>
                </p>                    

            </fieldset>
            <p>
                <?php echo("\t\t\t\t\t"); ?><button type="submit" name="submit" value="submit">Display Selection(s)</button>
            </p>
    </form>

    <fieldset>
        <legend>Athletes You Selected: </legend>

        <?php
            if (!empty($_POST['athletes']))
            {

                echo "<ul>";
                foreach($_POST['athletes'] as $value)
                {
                    echo "<li>$value</li>";
                }
                echo "</ul>";   
        ?>
                <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
                    <p>
                        <fieldset>
                        <legend>Send Email? </legend>
                        <input type="radio" id="Yes"
                            name="radioSendMsg[]" value="Yes">
                            <label for="student1">Yes</label>

                        <p>
                        <input type="radio" id="No"
                            name="radioSendMsg[]" value="No">
                            <label for="student1">No</label><br/>
                        </p>
                        <button type="submit" name="submitRadio" value="submit">Submit</button>
                    </p>
                </form> 
        <?php
                if (!empty($_POST['radioSendMsg']))
                {
                    foreach($_POST['radioSendMsg'] as $radioMsg)
                    {   

                        if($radioMsg == "Yes")
                        {
                            echo "\tPlease enter information regarding the email to be sent: ";
                            ?>

                            <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
                                <p>
                                    <label for="emailName"> Name: </label><br/>
                                    <input type="text" size="25" id="emailName" name="emailName" />
                                </p>
                                <p>
                                    <label for="emailAddress">E-mail Address: </label></br>
                                    <input type="text" size="25" id="emailAddress" name="emailAddress" />
                                </p>
                                <p>
                                    <textarea id="emailMsg" name="emailMsg" cols="30" rows="5"></textarea>
                                </p>
                                <button type="submit" name="emailSubmit" value="send">Send Message</button>
                            </form>
                            <?php
                                $msg = "Name:     ".$_POST['emailName']."\n";
                                $msg.= "E-Mail:   ".$_POST['emailAddress']."\n";
                                $msg.= "Message:  ".$_POST['emailMsg']."\n";

                                $msg.= "<ul>";
                                foreach($_POST['athletes'] as $value)
                                {
                                    $msg.= "<li>$value</li>\n";
                                }
                                $msg.= "</ul>";

                                $emailRecipient = "sjzerbib@gmail.com";
                                $emailSubject = "Athlete Selection Submission";
                                $emailHeaders = "From: Sebastien\n"."Reply-To: ".$_POST['emailAddress'];

                                mail($emailRecipient,$emailSubject,$msg,$emailHeaders);

                                echo "Message sent: \n".$msg;
                        }
                        else
                        {
                            ?> <p /> <?php

                            echo "\n\nNo email will be sent for your last athlete selection.";
                             ?>
                            <br/>Please click <a href="http://localhost/CheckFormTest.html">here</a> 
                                to return to the Athlete selection screen.

                            <?php
                        }
                    }
                }
            }
Sebastien
  • FYI: [PHP_SELF and XSS](http://stackoverflow.com/questions/6080022/php-self-and-xss). Of course, that's not the only XSS vulnerable code on the page. Looks like you also have mail header injection vulnerabilities: [Proper prevention of mail injection in PHP](http://stackoverflow.com/questions/11952473/proper-prevention-of-mail-injection-in-php) – Alexander O'Mara Mar 20 '16 at 03:16
  • Shouldn't that all be just one form and not 3? –  Mar 20 '16 at 03:21
  • @AlexanderO'Mara Thanks for the info about security vulnerabilities - hadn't even thought about that to be honest. – Sebastien Mar 20 '16 at 03:32
  • @Dagon I'm not sure. By separating out as 3 different forms, I got it to only show the next form when the user makes a selection. But I have no idea if that's the right way to do it or not. – Sebastien Mar 20 '16 at 03:34

1 Answer

When you submit a form, only those controls contained within that form are included. The exception is successful controls that have the form attribute set to the id value of the form that was submitted.

So, given you had something like:

<form id="form-1" method="post">
    <input type="text" name="first-input" />
</form>

<input type="text" name="second-input" />

The only value to be submitted would be that of first-input. If you add the form attribute to second-input:

<input type="text" name="second-input" form="form-1" />

Then the submission of the form would include both values. Unfortunately, the form attribute is not fully supported (IE and Edge have no support).

Of course, your markup is invalid, so that's a moot point. For starters, you cannot nest a form within a form. How a browser responds to markup that violates that rule is up to its vendor, but in my experience is somewhat unpredictable. You're also using deprecated tags (<font> and <center> are no longer valid) and nesting elements incorrectly (<h1> is a block level element, whereas <b> is inline).

If you're doing a full submit each time (so the page gets submitted to itself and then reloads), then just use some sort of conditional to only render the dependent controls if the preceding form submissions were successful:

<?php

    // Render the second input only once first-input has been submitted with a value.
    $canDoNextStep = !empty($_POST['first-input']);

?>

<form id="form-1" method="post">
    <input type="text" name="first-input" />

    <?php if ($canDoNextStep): ?>

    <input type="text" name="second-input" />

    <?php endif; ?>
</form>

Lastly, whitespace is (mostly) ignored when your browser parses and displays your HTML, so you can lose the \t and \n values in your strings, unless you're concerned about how your markup looks if someone chooses to view source when using your form.

Tieson T.
  • Thanks! This was very helpful. I'm going to try to reformulate the forms in a more straightforward manner. Also, the last time I used html extensively was a decade ago so I'll definitely look into the deprecated tags. I left the /t and /n in by accident but I had noticed they didn't work. I guess your explanation answers that question. – Sebastien Mar 20 '16 at 04:25
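
An added example, not code from the question or the answer: one self-posting form that reveals each step conditionally, as the answer suggests, so `athletes[]` is resubmitted at every step, together with the output escaping and `Reply-To` validation that the comments on the question point to. The `ATHLETES` allow-list, the `e()` and `field()` helpers, the `sendMsg` field name and the example.com addresses are assumptions.

```php
<?php
// Added example: names, allow-list and addresses below are assumptions for illustration.
const ATHLETES = ['Student1 Test', 'Student2 Test', 'Student3 Test'];
function e(string $s): string {       // escape anything echoed into HTML
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function field(string $key): string { // a POST value as a string; arrays are ignored
    $v = $_POST[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Every step posts the same form, so athletes[] arrives on every request.
$posted   = is_array($_POST['athletes'] ?? null) ? $_POST['athletes'] : [];
$athletes = array_values(array_intersect(ATHLETES, array_filter($posted, 'is_string')));
$sendMsg  = field('sendMsg');
$addr     = field('emailAddress');
// Reject CR/LF, then require a valid address, before it is placed in a header.
$replyTo  = !preg_match('/[\r\n]/', $addr) && filter_var($addr, FILTER_VALIDATE_EMAIL) ? $addr : '';
if (isset($_POST['emailSubmit']) && $athletes && $replyTo !== '') {
    $body = 'Name: ' . field('emailName') . "\nE-Mail: $replyTo\nMessage: " . field('emailMsg')
          . "\nAthletes:\n - " . implode("\n - ", $athletes) . "\n";
    $sent = mail('recipient@example.com', 'Athlete Selection Submission', $body,
                 "From: noreply@example.com\r\nReply-To: $replyTo");
    echo '<pre>' . e(($sent ? "Message sent:\n" : "Sending failed:\n") . $body) . '</pre>';
}
?>
<form method="post">
  <fieldset><legend>Athletes Available:</legend>
  <?php foreach (ATHLETES as $i => $a): ?>
    <input type="checkbox" id="athlete<?= $i ?>" name="athletes[]" value="<?= e($a) ?>"
           <?= in_array($a, $athletes, true) ? 'checked' : '' ?>>
    <label for="athlete<?= $i ?>"><?= e($a) ?></label><br>
  <?php endforeach; ?>
  </fieldset>
  <?php if ($athletes): ?>
    <fieldset><legend>Send Email?</legend>
      <label><input type="radio" name="sendMsg" value="Yes"<?= $sendMsg === 'Yes' ? ' checked' : '' ?>> Yes</label>
      <label><input type="radio" name="sendMsg" value="No"<?= $sendMsg === 'No' ? ' checked' : '' ?>> No</label>
    </fieldset>
  <?php endif; ?>
  <?php if ($athletes && $sendMsg === 'Yes'): ?>
    <p><label>Name: <input type="text" name="emailName" value="<?= e(field('emailName')) ?>"></label></p>
    <p><label>E-mail Address: <input type="text" name="emailAddress" value="<?= e($addr) ?>"></label></p>
    <p><label>Message: <textarea name="emailMsg" cols="30" rows="5"><?= e(field('emailMsg')) ?></textarea></label></p>
    <button type="submit" name="emailSubmit" value="send">Send Message</button>
  <?php else: ?>
    <button type="submit" name="submit" value="submit">Continue</button>
  <?php endif; ?>
</form>
```

Omitting the `action` attribute posts back to the current URL without echoing `$_SERVER['PHP_SELF']`, and only the validated address is ever concatenated into a mail header.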