Keeping form elements in place after redirect

Chris

I have a form that is processed by a php page and then redirected by
the same php page back to the form page again.

After the page has redirected back it clears the data entered in the
form's textfield and combo selections. Is there a simple way of
maintaining the user's text/selections after the form has been
redirected?

Cheers,

Chris
 
Beauregard T. Shagnasty

Chris wrote (a question for a php group):
I have a form that is processed by a php page and then redirected by
the same php page back to the form page again.

...as you would do if there were errors or omissions in the filled-in
form.
After the page has redirected back it clears the data entered in the
form's textfield and combo selections. Is there a simple way of
maintaining the user's text/selections after the form has been
redirected?

You have to send back the values and re-display them.

Example:
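<?php
// Read the submitted values; empty on the first display of the form
$contactname = isset($_POST['contactname']) ? $_POST['contactname'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';

// ........

// Escape the values before echoing them into the value attributes
$strcontact = htmlspecialchars($contactname, ENT_QUOTES, 'UTF-8');
$stremail = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
?>

<div>
<p>Your name:</p>
<label><input type="text" name="contactname" size="30"
value="<?php echo $strcontact; ?>"></label>
</div>
<div>
<p>Your email address:</p>
<label><input type="text" name="email" size="30"
value="<?php echo $stremail; ?>"></label>
</div>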
 
Bone Ur

Well bust mah britches and call me cheeky, on Wed, 21 Nov 2007 19:57:57 GMT
Chris scribed:
I have a form that is processed by a php page and then redirected by
the same php page back to the form page again.

After the page has redirected back it clears the data entered in the
form's textfield and combo selections. Is there a simple way of
maintaining the user's text/selections after the form has been
redirected?

Use session variables, but do so carefully.
 
Adrienne Boswell

Gazing into my crystal ball I observed Chris <matchett123
@googlemail.com> writing in @c30g2000hsa.googlegroups.com:
I have a form that is processed by a php page and then redirected by
the same php page back to the form page again.

After the page has redirected back it clears the data entered in the
form's textfield and combo selections. Is there a simple way of
maintaining the user's text/selections after the form has been
redirected?

Cheers,

Chris

Is the form posting to itself? If it is, you _should_ have those values
already available, and just show them. If not, then you are going to
have to put those values into a querystring or session variables, and
read them that way. A form posting to itself, and not _redirecting_ to
itself is a lot easier.
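
The redirect case discussed in this thread (session variables, then re-displaying the values), as an added example that is not from any poster. The field names, the colour list and the PHP 7+ syntax are assumptions.

```php
<?php
// Added example (PHP 7+). Field names and $colours are hypothetical.
session_start();

$colours = ['red', 'green', 'blue'];   // the only values the <select> may hold

function h($s) {                        // escape for HTML text and attributes
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function field($name) {                 // submitted value as a string, else ''
    return isset($_POST[$name]) && is_string($_POST[$name]) ? trim($_POST[$name]) : '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Copy only the expected fields; never store the whole $_POST array.
    $old = ['contactname' => field('contactname'), 'colour' => field('colour')];
    if (!in_array($old['colour'], $colours, true)) {
        $old['colour'] = '';            // drop anything not offered in the list
    }
    // Keep the entries for the redirected page, then redirect.
    $_SESSION['old'] = $old;
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// GET: take the saved values once, then clear them from the session.
$old = $_SESSION['old'] ?? ['contactname' => '', 'colour' => ''];
unset($_SESSION['old']);
?>
<form method="post" action="<?php echo h($_SERVER['SCRIPT_NAME']); ?>">
  <input type="text" name="contactname" value="<?php echo h($old['contactname']); ?>">
  <select name="colour">
    <option value="">Choose...</option>
<?php foreach ($colours as $c): ?>
    <option value="<?php echo h($c); ?>"<?php echo $c === $old['colour'] ? ' selected' : ''; ?>><?php echo h($c); ?></option>
<?php endforeach; ?>
  </select>
  <input type="submit" value="Send">
</form>
```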
 
Beauregard T. Shagnasty

Adrienne said:
.. A form posting to itself, and not _redirecting_ to itself is a lot
easier.

Absolutely.

<form id="frmcontact" method="post" action="<?php echo
$_SERVER['PHP_SELF']?>">
 
BootNic

Adrienne said:
.. A form posting to itself, and not _redirecting_ to itself is a lot
easier.

Absolutely.

<form id="frmcontact" method="post" action="<?php echo
$_SERVER['PHP_SELF']?>">

$_SERVER['SCRIPT_NAME'] would be a better option over $_SERVER['PHP_SELF']
 
Beauregard T. Shagnasty

BootNic said:
Beauregard T. Shagnasty said:
<form id="frmcontact" method="post" action="<?php echo
$_SERVER['PHP_SELF']?>">

$_SERVER['SCRIPT_NAME'] would be a better option over $_SERVER['PHP_SELF']

I see they return identical results. Is there a reason you think
SCRIPT_NAME is better? I'm willing to listen, though I've been using
PHP_SELF for many years.

http://us3.php.net/reserved.variables

'PHP_SELF'
The filename of the currently executing script, relative to the document
root. For instance, $_SERVER['PHP_SELF'] in a script at the address
http://example.com/test.php/foo.bar would be /test.php/foo.bar. The
__FILE__ constant contains the full path and filename of the current
(i.e. included) file.

'SCRIPT_NAME'
Contains the current script's path. This is useful for pages which need
to point to themselves. The __FILE__ constant contains the full path and
filename of the current (i.e. included) file.
 
Jonathan N. Little

Beauregard said:
BootNic said:
Beauregard T. Shagnasty said:
<form id="frmcontact" method="post" action="<?php echo
$_SERVER['PHP_SELF']?>">
$_SERVER['SCRIPT_NAME'] would be a better option over $_SERVER['PHP_SELF']

I see they return identical results. Is there a reason you think
SCRIPT_NAME is better? I'm willing to listen, though I've been using
PHP_SELF for many years.

http://us3.php.net/reserved.variables

'PHP_SELF'
The filename of the currently executing script, relative to the document
root. For instance, $_SERVER['PHP_SELF'] in a script at the address
http://example.com/test.php/foo.bar would be /test.php/foo.bar. The
__FILE__ constant contains the full path and filename of the current
(i.e. included) file.

'SCRIPT_NAME'
Contains the current script's path. This is useful for pages which need
to point to themselves. The __FILE__ constant contains the full path and
filename of the current (i.e. included) file.


http://www.google.com/search?hl=en&...ult&cd=1&q=PHP_SELF+xss+vulnerability&spell=1
PHP_SELF xss vulnerability - Google Search
 
BootNic

BootNic said:
Beauregard T. Shagnasty said:
<form id="frmcontact" method="post" action="<?php echo
$_SERVER['PHP_SELF']?>">

$_SERVER['SCRIPT_NAME'] would be a better option over
$_SERVER['PHP_SELF']

I see they return identical results. Is there a reason you think
SCRIPT_NAME is better? I'm willing to listen, though I've been using
PHP_SELF for many years.

They may return the same results under some conditions.

Jonathan has given a link for more information. He has also given an
example in another thread

http://groups.google.com/group/alt.html/browse_thread/thread/91253a1c3a5844ff

http://groups.google.com/group/alt.html/msg/b6e9aebddbae21b3
http://us3.php.net/reserved.variables

'PHP_SELF'
The filename of the currently executing script, relative to the
document root. For instance, $_SERVER['PHP_SELF'] in a script at the
address http://example.com/test.php/foo.bar would be
/test.php/foo.bar. The __FILE__ constant contains the full path and
filename of the current (i.e. included) file.

'SCRIPT_NAME'
Contains the current script's path. This is useful for pages which
need to point to themselves. The __FILE__ constant contains the full
path and filename of the current (i.e. included) file.

http://example.com/test.php/foo.bar would return
/test.php
 
Beauregard T. Shagnasty

Jonathan said:
Beauregard said:
BootNic said:
:
<form id="frmcontact" method="post" action="<?php echo
$_SERVER['PHP_SELF']?>">
$_SERVER['SCRIPT_NAME'] would be a better option over $_SERVER['PHP_SELF']

I see they return identical results. Is there a reason you think
SCRIPT_NAME is better? I'm willing to listen, though I've been using
PHP_SELF for many years.

http://us3.php.net/reserved.variables

'PHP_SELF'
The filename of the currently executing script, relative to the document
root. For instance, $_SERVER['PHP_SELF'] in a script at the address
http://example.com/test.php/foo.bar would be /test.php/foo.bar. The
__FILE__ constant contains the full path and filename of the current
(i.e. included) file.

'SCRIPT_NAME'
Contains the current script's path. This is useful for pages which need
to point to themselves. The __FILE__ constant contains the full path and
filename of the current (i.e. included) file.

http://www.google.com/search?hl=en&...ult&cd=1&q=PHP_SELF+xss+vulnerability&spell=1
PHP_SELF xss vulnerability - Google Search

Most of the remarks there seem to refer to Wordpress. Is that the only
place the vulnerability exists?

One page said to append: /"><script>alert(1)</script>
to your URL. "If you receive a JavaScript popup your template is
vulnerable to this attack." None of my sites return a popup. Should I
worry? (No Wordpress in use.)
 
Beauregard T. Shagnasty

BootNic said:
Beauregard T. Shagnasty said:
I see they return identical results. Is there a reason you think
SCRIPT_NAME is better? I'm willing to listen, though I've been
using PHP_SELF for many years.

They may return the same results under some conditions.

Jonathan has given a link for more information. He has also given an
example in another thread

http://groups.google.com/group/alt.html/browse_thread/thread/91253a1c3a5844ff

http://groups.google.com/group/alt.html/msg/b6e9aebddbae21b3

Ah yes. I remember that now. Thanks.
 
Jonathan N. Little

Beauregard said:
Jonathan N. Little wrote:

Most of the remarks there seem to refer to Wordpress. Is that the only
place the vulnerability exists?

One page said to append: /"><script>alert(1)</script>
to your URL. "If you receive a JavaScript popup your template is
vulnerable to this attack." None of my sites return a popup. Should I
worry? (No Wordpress in use.)

No, it is PHP specific. But it also depends on the server security
settings and magic-quotes. But if you use SCRIPT_NAME you will only get
the script name and not anything trailing as with PHP_SELF. That way if
some other clever bastard finds a way around the escaping of the trailing
bits it would matter because SCRIPT_NAME doesn't parse it...
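
An added example, not part of any post above, that builds the thread's form tag from constructed $_SERVER values for the test.php URL and the probe string quoted earlier, and reports which variants let the trailing path reach the page as markup. The $server array and form_tag() are hypothetical stand-ins so the script runs from the command line.

```php
<?php
// Constructed values: what PHP would put in $_SERVER for a request to
// /test.php followed by the probe string quoted in the thread.
$probe  = '/"><script>alert(1)</script>';
$server = [
    'SCRIPT_NAME' => '/test.php',
    'PATH_INFO'   => $probe,
    'PHP_SELF'    => '/test.php' . $probe,   // script path plus trailing path info
];

// Hypothetical helper: the form tag from the thread with a given action value.
function form_tag($action) {
    return '<form id="frmcontact" method="post" action="' . $action . '">';
}

$variants = [
    'PHP_SELF, raw'        => form_tag($server['PHP_SELF']),
    'PHP_SELF, escaped'    => form_tag(htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8')),
    'SCRIPT_NAME, escaped' => form_tag(htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8')),
];

foreach ($variants as $label => $html) {
    // A literal <script> in the output means the value left the action attribute.
    $status = strpos($html, '<script>') !== false ? 'MARKUP INJECTED' : 'ok';
    printf("%-22s %-16s %s\n", $label, $status, $html);
}
```

Only the raw PHP_SELF variant is flagged; escaping the value or using SCRIPT_NAME keeps the trailing path out of the markup.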
 
