1

I'm using an external php file in the "action" field of my HTML form so that the actions mentioned in the php file are undertaken on clicking the Submit button.

For this I've used the isset() function in the php file.

However, I'm finding that the isset function is always returning FALSE, resulting in the execution of the else statement (as seen in the console log).

If I remove the isset() function (and hence the if-else statements), then the code is working wonderfully.

Can you please check the problem in my code?

Also I've seen in other posts that I need to use some other argument along with isset(), for example,

if(isset($_POST['submit']) && !empty($_POST["xyz"]))

Is this at all required?

P.S.: I'm still in the initial stage of the page development and hence I request you to please ignore the security concerns of my code, which I acknowledge exist. :)

My Sub-codes:

My HTML Form:

<form id="info-form" method="POST" action="form-submit.php">
    <label for="Name">What is your Name? </label> 
    <input required type="text" name="name" placeholder="Enter your full name here." />

    <label for="Email">What is your email ID? </label>
    <input required type="email" name="email" placeholder="your.name@email.com" />

    <label for="mobile">What is your 10-Digit Mobile Number? </label>
    <input required type="text" name="mobile" maxlength="10" />

    <button name="submit-form" type="submit" class="btn btn-lg btn-success"><i class="fa fa-paper-plane" aria-hidden="true"></i>
        Submit
    </button>
    <button type="reset" class="btn btn-lg btn-warning"><i class="fa fa-undo" aria-hidden="true"></i>
        Reset
    </button>
</form>

My form-submit.php file:

<?php
    if(isset($_POST['submit-form']))
    {
        require("database-connect.php");

        $name = $_POST['name'];
        $email = $_POST['email'];
        $mobile = $_POST['mobile'];

        $sql = "INSERT INTO tbl_details ".
               "(name,email_id,mobile_number) ".
               "VALUES ".
               "('$name','$email','$mobile')";

        mysql_select_db('db_info');
        $return = mysql_query( $sql, $connect );

        if(! $return )
        {
            die('Could not enter data: ' . mysql_error());
        }

        echo "Entered data successfully\n";
        mysql_close($connect);
    }

    else
    {
        echo "Not Set\n";
    }
?>
gen_Eric
ABor
  • 4
    `submit` != `submit-form` (the name of your submit-button). So you want to use `isset($_POST['submit-form'])` in your statement. – Qirel Sep 15 '16 at 13:45
  • See http://stackoverflow.com/q/4559925/476 – deceze Sep 15 '16 at 13:48
  • Also, a side-note on security and programming-standards: `mysql_*` functions are deprecated since PHP 5.5 (and **removed entirely** in PHP 7) and you should [stop using them](http://stackoverflow.com/q/12859942) if you can. You should choose another API that allows you to use prepared statements (which you *really should* when dealing with user-input), like `mysqli_*` or PDO - see [choosing an API](http://php.net/manual/en/mysqlinfo.api.choosing.php). Basically, you're wide open to SQL-injection - have a read at [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/q/60174/) – Qirel Sep 15 '16 at 13:48
  • First of all, check the button name in isset; if it still doesn't work, then try input type='submit', because button type submit does not work everywhere – Vishnu Bhadoriya Sep 15 '16 at 13:49
  • What do you see if you `var_dump($_POST);`? `isset($_POST['submit-form'])` should work fine with the form you have. Don't check for `!empty($_POST['submit-form'])` because it's currently being submitted as a blank value. – gen_Eric Sep 15 '16 at 14:01
  • Besides the gaping SQL Injection, I see no reason why you should check for the existence of POST variables because the form does not postback to itself – x13 Sep 15 '16 at 14:02
  • @ThisName You better expand on the reasoning here, because I'm not following… – deceze Sep 15 '16 at 14:05
  • @deceze The page that posts to form-submit.php is not the same page as form-submit.php, so unless the user enters a URL manually (in which case you need to check for the existence of the form values and not the submit button) you can safely assume that the request came from a form that contains that button. – x13 Sep 15 '16 at 14:10
  • @ThisName Not really. Users may invoke the URL again from their browser history as GET request, or search engines may stumble across it. Asserting the correct HTTP method is a good idea for an HTTP endpoint. – deceze Sep 15 '16 at 14:17
  • @RocketHazmat var_dump($_POST) provides the output: array(3) { ["name"]=> string(6) "dajkfs" ["email"]=> string(20) "sjdfasdf@sjdgfsd.com" ["mobile"]=> string(10) "1234786234" } – ABor Sep 15 '16 at 14:58
  • @ABor: Which browser were you using? It's strange that `submit-form` is missing. It should be submitted as a blank value. (It's IE, isn't it?) – gen_Eric Sep 15 '16 at 14:59
  • @RocketHazmat firefox – ABor Sep 15 '16 at 15:00
  • Weird! Firefox should've submitted `submit-form`, it did for me... – gen_Eric Sep 15 '16 at 15:00
  • I don't know what the error is, but the solution provided by deceze worked for me... – ABor Sep 15 '16 at 15:04

3 Answers

5

You really shouldn't be checking for the existence of a submit button value to begin with. As you see, some slight cosmetic changes to the frontend, like what kind of button is used to submit a form, shouldn't have any repercussions on the backend. The submit button and its value are pretty irrelevant to processing a form.

What you really want to check on the server is either if the request was a POST request, or whether the values which you want to work with are set, or both:

if ($_SERVER['REQUEST_METHOD'] == 'POST') …
if (isset($_POST['name'], $_POST['email'], $_POST['mobile'])) …

The most reasonable thing would be:

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    header('HTTP/1.0 405 Method Not Allowed');
    exit;
}

or:

if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    header('Location: myform.html');
    exit;
}

After you've asserted that you're dealing with the right HTTP method, process your data:

$data = filter_input_array(INPUT_POST, [
    'name'   => FILTER_DEFAULT,
    'email'  => FILTER_VALIDATE_EMAIL,
    'mobile' => FILTER_DEFAULT
]);

As you see, you don't even need to interact with $_POST directly at all. See http://php.net/filter_input_array.

deceze
  • Thank you @deceze. I cannot thank you enough. You not only proceeded to answer my question but also provided a better way of doing things, which is critical for a beginner like me. You have taught me one important lesson - "some slight cosmetic changes to the frontend...shouldn't have any repercussions on the backend". Thanks a lot. Btw, if it is not clear for other beginners like me, the solution provided in this reply worked! Cheers. – ABor Sep 15 '16 at 14:39
  • 1
    Tip: Learn more about the HTTP protocol and get into the mindset of *handling HTTP requests* on your server. Get into the habit of testing your server by issuing raw HTTP requests using curl (or whatever other tool you prefer). Get your server to behave as a proper HTTP endpoint. It will make your applications much saner than thinking in terms of HTML buttons and forms. – deceze Sep 15 '16 at 14:44
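
Added example, not part of the original answer or thread: the approach above (assert the HTTP method, validate the three fields, ignore the submit button) combined with the prepared statements recommended in the comments. The helper name `handle_submission`, the 422 status, the 10-digit regex and the in-memory SQLite database (standing in for MySQL, requires the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): decides the response from the
// HTTP method and the submitted fields only; the submit button is never consulted.
function handle_submission(string $method, array $post, PDO $pdo): array
{
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }

    // filter_var_array() is the array-input counterpart of filter_input_array().
    // Missing keys come back as null, failed validation as false.
    $data = filter_var_array($post, [
        'name'   => FILTER_DEFAULT,
        'email'  => FILTER_VALIDATE_EMAIL,
        'mobile' => ['filter'  => FILTER_VALIDATE_REGEXP,
                     'options' => ['regexp' => '/^[0-9]{10}$/']],
    ]);
    foreach (['name', 'email', 'mobile'] as $field) {
        if (!is_string($data[$field]) || trim($data[$field]) === '') {
            return [422, "Invalid or missing field: $field"];
        }
    }

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO tbl_details (name, email_id, mobile_number) VALUES (:name, :email, :mobile)'
    );
    $stmt->execute([':name' => $data['name'], ':email' => $data['email'], ':mobile' => $data['mobile']]);
    return [200, 'Entered data successfully'];
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_details (name TEXT, email_id TEXT, mobile_number TEXT)');

$requests = [   // constructed sample requests
    ['GET',  []],
    ['POST', ['name' => "Pat O'Brien", 'email' => 'pat@example.com', 'mobile' => '1234786234']],
    ['POST', ['name' => 'Sam', 'email' => 'not-an-email', 'mobile' => '12345']],
];
foreach ($requests as [$method, $post]) {
    [$status, $message] = handle_submission($method, $post, $pdo);
    echo "$method -> $status $message\n";
}
echo 'Rows stored: ', $pdo->query('SELECT COUNT(*) FROM tbl_details')->fetchColumn(), "\n";
```

The apostrophe in the second request's name would break the string-concatenated `INSERT` from the question; with bound parameters it is stored as ordinary data.
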
1

Change your button tag like this. I hope it will help you!

<input name="submit-form" value="Submit" type="submit" class="btn btn-lg btn-success">

Thank you!

Ragu Natarajan
  • 2
    Why should he change the ` – gen_Eric Sep 15 '16 at 13:56
  • The only purpose of a submit button is to send the HTML form's data to the server-side script specified in the form's ACTION attribute. – Ragu Natarajan Sep 15 '16 at 14:01
  • 2
    Yes... so why should it be an ``? ` – gen_Eric Sep 15 '16 at 14:04
  • Please refer to this link. I hope it will help you. http://stackoverflow.com/questions/4488317/difference-between-button-and-input – Ragu Natarajan Sep 15 '16 at 14:16
  • 1
    I don't see how that link helps at all. It's from 6 years ago and talks about ***IE6***. In any modern browser, ` – gen_Eric Sep 15 '16 at 14:22
0

You should use an input-element instead of a button.

<button name="submit-form" type="submit" class="btn btn-lg btn-success">
<i class="fa fa-paper-plane" aria-hidden="true"></i>Submit
</button>

Should be replaced by an input like this:

<input name="submit-form" value="ButtonText" type="submit" class="btn btn-lg btn-success" />

The value of an input is the text it displays to the user.

Also, in your question you mention isset('submit') and isset($_POST['submit']), while others are right and this is not an existing name in your HTML code, your PHP code does contain the correct isset($_POST['submit-form']). It causes a little confusion for some 'quick' readers...


As far as the extra !empty($_POST["xyz"])), for your purpose (checking if the form is a postback) that won't be necessary.

x13
  • 1
    ` – gen_Eric Sep 15 '16 at 13:56
  • Also, the `value` of an `` is *both* the text displayed and the value submitted. ` – gen_Eric Sep 15 '16 at 14:03