59

How do I make a self-posting/self-submitting form, i.e. a form that submits the results to itself, instead of submitting to another form?

sashoalm
user544079
  • 7
    You can also just leave the action off, and it defaults to the current page. – Marvo Apr 29 '11 at 01:06
  • 1
    @Marvo There is an old bug that probably isn't too relevant today with WebKit. See [my answer](http://stackoverflow.com/questions/5826784/php-submit-to-self/5826792#5826792). – alex Apr 29 '11 at 01:13

6 Answers

88

The proper way would be to use `$_SERVER["PHP_SELF"]` (in conjunction with `htmlspecialchars` to avoid possible exploits). You can also just leave the `action=` part empty, which is not W3C valid, but currently works in most (all?) browsers - the default is to submit to self if it's empty.

Here is an example form that takes a name and email, and then displays the values you have entered upon submit:

```php
<?php if (!empty($_POST)): ?>
    Welcome, <?php echo htmlspecialchars($_POST["name"]); ?>!<br>
    Your email is <?php echo htmlspecialchars($_POST["email"]); ?>.<br>
<?php else: ?>
    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
        Name: <input type="text" name="name"><br>
        Email: <input type="text" name="email"><br>
        <input type="submit">
    </form>
<?php endif; ?>
```
madalinivascu
Phphelp
  • 6
    Leaving action value empty is not W3C Valid. Just to notice. However it works well. – Grzegorz Sep 17 '13 at 21:51
  • How do you do it so that it only runs `Welcome, !
    Your email is .
    ` and doesn't `echo` it like that?
    – Okx Jan 18 '15 at 12:36
  • 1
    Then what should we use here? – Farhad Mar 11 '18 at 04:18
  • 1
    Just a warning here that PHP_SELF doesn't always work - I've just found this out as I had a form which was working with Joomla - when I turned on URL re-writing this PHP_SELF broke the form as according to Joomla PHP_SELF is "/index.php" (the site homepage) not "/contact-us". I guess that's because index.php is calling it and I suppose there is some variable somewhere that includes the entire rewritten URL? – TheKLF99 Aug 19 '19 at 06:42
  • Just found out that `$_SERVER['REQUEST_URI']` works much better and actually gets the URL even if it's been rewritten. – TheKLF99 Aug 19 '19 at 06:59
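An added example, not part of the answer or the comments above: one way to build the `action` value so that it follows a rewritten URL and is still escaped for the attribute. `self_action()` and `render_form_tag()` are hypothetical helper names, and the `$samples` values are constructed, with a harmless `<b>` tag standing in for injected markup.

```php
<?php
// Added example: builds the action value for a self-posting form and
// escapes it for an HTML attribute. self_action() and render_form_tag()
// are hypothetical helper names; the $samples values are constructed.

function self_action(array $server): string
{
    // REQUEST_URI still holds the address the client asked for when URL
    // rewriting is on; PHP_SELF is the fallback. Both come from the
    // request, so both are treated as untrusted input.
    $uri = $server['REQUEST_URI'] ?? ($server['PHP_SELF'] ?? '/');
    if (!is_string($uri) || $uri === '') {
        $uri = '/';
    }
    // Drop the query string so the form posts back to the bare path.
    $path = explode('?', $uri, 2)[0];
    // ENT_QUOTES escapes " and ' as well as <, > and &, so the value
    // cannot end the attribute or open a new tag.
    return htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_form_tag(string $action): string
{
    return '<form method="post" action="' . $action . '">';
}

$samples = [
    ['REQUEST_URI' => '/contact-us?ref=home', 'PHP_SELF' => '/index.php'],
    ['PHP_SELF' => '/form.php/"><b>injected</b>'],
];

foreach ($samples as $server) {
    $raw = $server['REQUEST_URI'] ?? $server['PHP_SELF'];
    echo 'unescaped: ', render_form_tag($raw), PHP_EOL;
    echo 'escaped:   ', render_form_tag(self_action($server)), PHP_EOL;
}
```

Run from the command line, the second sample shows the unescaped value closing the `action` attribute early, while the escaped value stays inside it.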
11

I guess you mean `$_SERVER['PHP_SELF']`. And if so, you really shouldn't use it without sanitizing it first. This leaves you open to XSS attacks.

The `if(isset($_POST['submit']))` condition should be above all the HTML output, and should contain a `header()` function with a redirect to the current page again (only now, with some nice notice that "emails have been sent", or something). For that you will have to use `$_SESSION` or `$_COOKIE`.

And please. Stop using $_REQUEST. It too poses a security threat.

tereško
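The redirect-after-POST flow described in this answer, as an added example that is not part of the original post. The field names follow the form in the first answer; the notice texts are constructed, and the mail-sending step is left as a commented placeholder because the page does not show it.

```php
<?php
// Added example: a self-submitting form that handles the POST before any
// output, stores a one-time notice in $_SESSION and redirects to itself.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only $_POST is read, so a query-string or cookie value with the
    // same name cannot stand in for a form field (as it can in $_REQUEST).
    $name  = is_string($_POST['name'] ?? null) ? trim($_POST['name']) : '';
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);

    if ($name !== '' && $email !== false) {
        // send_mail($name, $email);  // hypothetical: the real work goes here
        $_SESSION['flash'] = 'Thanks, ' . $name . '. Your message has been sent.';
    } else {
        $_SESSION['flash'] = 'Please enter a name and a valid email address.';
    }

    // 303 makes the browser fetch the page with GET, so a reload does not
    // resubmit the form. SCRIPT_NAME carries no extra path info.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// Show the notice once, then forget it.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
?>
<?php if ($flash !== null): ?>
    <p><?php echo htmlspecialchars($flash, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
    Name: <input type="text" name="name"><br>
    Email: <input type="text" name="email"><br>
    <input type="submit">
</form>
```

The notice contains the submitted name, so it is escaped when it is printed, not when it is stored.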
6

That will only work if register_globals is on, and it should never be on (unless of course you are defining that variable somewhere else).

Try setting the form's action attribute to ?...

```php
<form method="post" action="?">
   ...
</form>
```

You can also set it to be blank (""), but older WebKit versions had a bug.

alex
4

Try this

```php
<form method="post" id="reg" name="reg" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
```

Works well :)

Robot Boy
3

Your submit button doesn't have a name. Add name="submit" to your submit button.

If you view source on the form in the browser, you'll see how it submits to self - the form's action attribute will contain the name of the current script - therefore when the form submits, it submits to itself. Edit for vanity sake!

David Fells
  • 1
    Adding names to submit buttons is actually discouraged because they aren't submitted to the server in the first place and accessing forms by name in JavaScript is also deprecated. – Ry- Apr 29 '11 at 01:07
  • @minitech I thought the `name` attribute was submitted to the server? – alex Apr 29 '11 at 01:10
  • 3
    Don't down vote when you don't have the right response. Buttons most certainly are submitted in post back. Go test it! – David Fells Apr 29 '11 at 01:13
3
  1. change
    <input type="submit" value="Submit" />
    to
    <input type="submit" value="Submit" name='submit'/>

  2. change
    <form method="post" action="<?php echo $PHP_SELF;?>">
    to
    <form method="post" action="">

  3. It will perform the code in if only when it is submitted.
  4. It will always show the form (html code).
  5. what exactly is your question?
Itay Moav -Malimovka
  • Adding names to submit buttons is actually discouraged because they aren't submitted to the server in the first place and accessing forms by name in JavaScript is also deprecated. – Ry- Apr 29 '11 at 01:08
  • @minitech ? I actually see the submitted values of the input type=submit. What do you do so it is deprecated on your system? – Itay Moav -Malimovka Apr 29 '11 at 01:10
  • @minitech Where does it say accessing forms by name is deprecated? Do you mean the old `forms.one.submit`? – alex Apr 29 '11 at 01:11
  • Yes, that's what I meant. @Itay Moav I missed the PHP code in post 1, can you edit your post so I can vote you back up again? – Ry- Apr 29 '11 at 01:19