1

I have two PHP script, and it seems the second script is not handling the $_POST correctly.

a.php

Important part:

echo "<form action='b.php' method='post'>";
echo "<input type='submit' name='add' value='Add new items'>";
echo "</form>";

b.php

Important parts:

$error_variable1="";

if ($_SERVER["REQUEST_METHOD"] == "POST")  {
    if (empty($_POST["something1"])) {
    $error_variable1="not correct";
    }
}

echo '<form action="'.htmlspecialchars($_SERVER["PHP_SELF"]).'" method="post">';
echo '<textarea name="something1" rows="1" cols="10"></textarea>';
echo $error_variable1;

echo '<input type="submit" name="evaluate" value="Checking inputs">';
echo "  </form>";

Unfortunately even at the first start of b.php it displays / gives value to $error_variable1 as "not correct."

But why is it working like this ? The user hasn't pressed the submit button yet. I want to give a "not correct" value for this variable when the "evaluate" submit button pressed.

Edit:

I am suspicious about that probably the POST (submit) from a.php is messing my b.php. What I would like is to display a text form with a submit button. When submit button has pressed ($POST) and the textarea is empty, then I want to show an error message to the user (not correct) and display the form again.

Tass Mark
  • 337
  • 1
  • 2
  • 14
  • 1
    http://stackoverflow.com/questions/409351/post-vs-serverrequest-method-post – Martin Apr 10 '16 at 14:46
  • 1
    Better use `isset(...)` instead of `empty(...)` and make sure you put NOT (`!`) in front of both. – ForceMagic Apr 10 '16 at 14:48
  • if what you have for b.php is complete, it's missing a closing brace `}`. However, it's hard to figure out exactly what you want to do here. – Funk Forty Niner Apr 10 '16 at 14:48
  • 1
    `b.php` process values posted by `a.php`. So you have to modify your condition to differentiate `a` and `b` check. If you have nothing to check from requests coming from `a.php`, replace `a.php` form with a link (or replace `POST` method with `GET`) – fusion3k Apr 10 '16 at 14:49
  • Fred -ii-. sorry, will fix it. – Tass Mark Apr 10 '16 at 14:51
  • 1
    Again, I don't know what you're trying to do here. I see an input with `Add new items` and this tells me you're probably using some JS to add items and trying to pass those to the 2nd page. I'm going to have to pass on this one. I'll just "watch" ;-) – Funk Forty Niner Apr 10 '16 at 14:55
  • Your `{` and `}` don't match up. Post an [mcve] – Lightness Races in Orbit Apr 10 '16 at 14:59

5 Answers5

2

Change empty($_POST["something1"]) to empty($_POST["something1"]) && $_POST["evaluate"]

mertizci
  • 538
  • 3
  • 12
2

You can use strlen() to check if variable is set.

This will count the number of digits entered and will return false when textarea is empty as the string length will be 0.

if (!strlen(trim($_POST['something1']))) {
    $error_variable1="not correct";
}

Alternatively, check if the submit button is clicked:

if (isset($_POST['evaluate'])) {
    if (empty($_POST["something1"])) {
        $error_variable1="not correct";
    }
}

More information on isset(): http://php.net/manual/en/function.isset.php.

Panda
  • 6,955
  • 6
  • 40
  • 55
2

1) CSRF: people from other websites can choose to submit forms to your form handler, therefore you should add a Cross Site Request Forgery prevention value into a hidden field in your form, that updates every time the form is loaded, typically paired with a $_SESSION value. Read more on this.

Using this unique "key" value you can then simply check at the top of your page if this POSTed key value is the correct value and that will confirm for you that the form has been posted.

so

A.php:

session_start();
$_SESSION['obscure'] = some obscurevalue generated anew every page load.
echo "<form action='b.php' method='post'>";
echo "<input type='submit' name='add' value='Add new items'>";
echo "<input tye='hidden' name='key' value='".$_SESSION['obscure']."'>
echo "</form>";

Then sends to b.php:

session_start();
if($_POST['key'] == $_SESSION['obscure'] && !empty($_POST['key'])){
   //This code will only run if the form has been correctly submitted.
}

The outcome of this is that you can be more sure that your code is run in the order it is intended and you can use the POSTED key value to confirm form submission.

As an aside as well it is bad practise to use PHP_SELF for form redirects. Use a static reference or use a properly uneditable value, as PHP_SELF can be abused by the end user.

Community
  • 1
  • 1
Martin
  • 22,212
  • 11
  • 70
  • 132
1

Change the following code segment in your code 

if (empty($_POST["something1"])) {}

to the below one.

if (strlen($_POST['something1']) > 0) {}
Dinidu Hewage
  • 2,169
  • 6
  • 40
  • 51
harry
  • 483
  • 2
  • 12
0

You should definetly choose isset()! While empty() will return true even if its null, isset() will not!

empty() just checks if the given variable got a value. This can be anything! Int, Float, String, Object and also NULL - it does not matter. It will return true.

isset() instead will return true if the variable exists and is not null.

better choose isset() in this content ;)

EDIT:

see here: http://php.net/manual/en/function.empty.php

and here: http://php.net/manual/en/function.isset.php

Kami Yang
  • 427
  • 5
  • 15