  1. #1
    SitePoint Enthusiast

    form action = ? vs ""

    Is it a good idea to always strip the query string with ? instead of using "" for security?

    I'm not sure when to use one and not the other.

  2. #2
    Force Flow (Barefoot on the Moon!)
    I'm unclear about what you're asking. Can you give an example?

  3. #3
    SitePoint Enthusiast
    Quote Originally Posted by Force Flow
    I'm unclear about what you're asking. Can you give an example?
    <form action="" method="get">

    where both "" and ?

    send info back to the page that generated the home doc, but ? also removes the query string.

  4. #4
    Mittineague (Programming Team)
    But if you're using GET instead of POST you want the query string, no?

  5. #5
    SitePoint Enthusiast
    Quote Originally Posted by Mittineague
    But if you're using GET instead of POST you want the query string no?
    I think that's the answer to my question. Only use it with post. Thanks. That's how the example in the book does it too.

  6. #6
    SitePoint Enthusiast
    I'm still very confused.

    I thought POST automatically doesn't show the password in the URL.

    So what's the point of doing form action=? To strip it?

  7. #7
    SitePoint Enthusiast
    Here's the code:

    //authors.html.php
    //By clicking Add new author, this passes query string to

    Code PHP:
    <?php include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/helpers.inc.php'; ?>
    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title>Manage Authors</title>
    </head>
    <body>
    <h1>Manage Authors</h1>
    <p><a href="?add">Add new Author</a></p>
    <ul>
    <?php foreach ($authors as $author): ?>
    <li>
    <form action="?" method="post">
    <div>
    <?php htmlout($author['name']); ?>
    <input type="hidden" name="id" value="<?php
    echo $author['id']; ?>">
    <input type="submit" name="action" value="Edit">
    <input type="submit" name="action" value="Delete">
    </div>
    </form>
    </li>
    <?php endforeach; ?>
    </ul>
    <p><a href="..">Return to JMS home</a></p>
    </body>
    </html>
    //authors.html.php
    Code PHP:
    if (isset($_GET['add']))
    {
    $pageTitle = 'New Author';
    $action = 'addform';
    $name = '';
    $email = '';
    $id = '';
    $button = 'Add author';
    include 'form.html.php'; // display the form with the values set above
    exit();
    }

    //and sends it to form.html.php
    Code PHP:
    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title><?php htmlout($pageTitle); ?></title>
    </head>
    <body>
    <h1><?php htmlout($pageTitle); ?></h1>
    <form action="?<?php htmlout($action); ?>" method="post">
    <div>
    <label for="name">Name: <input type="text" name="name" id="name" value="<?php htmlout($name); ?>"></label>
    </div>
    <div>
    <label for="email">Email: <input type="text" name="email" id="email" value="<?php htmlout($email); ?>"></label>
    </div>
    <div>
    <input type="hidden" name="id" value="<?php htmlout($id); ?>">
    <input type="submit" value="<?php htmlout($button); ?>">
    </div>
    </form>
    </body>
    </html>
    So, when you click the link with the query string, it sets the action to addform,
    but I don't understand why you're retrieving it with a GET when it's submitted from authors.html.php with a POST. It's posted exactly that way in the book, so it's either wrong, or I don't understand something about the basic foundation of how GETs and POSTs work.

    I also don't understand why we strip off the query with form action="?". Wouldn't that happen automatically since it's being bounced to form.html.php whose form action="POST"? I thought POSTs don't keep query strings in their URLs.
    Last edited by Mittineague; Dec 25, 2013 at 22:26. Reason: reformatting bbcode tags

  8. #8
    Mittineague (Programming Team)
    I think what's missing here is the REQUEST array.
    It may be that it will be introduced further along in the book.

    The REQUEST array can deal with both GET and POST arrays.
    I prefer to not use REQUEST and write code that deals only with either GET or POST, not both.
    But I have seen a lot of code that does use REQUEST. It's fine to use I guess, just not my preference.

    My guess is that the book is using a single file to handle both GET and POST arrays, and it wants to make sure that if someone tacks some GET variables onto the URL (easily seen by looking at the address bar) when they submit a POST form, the code that handles the request won't mess up.

  9. #9
    ScallioXTX (Utopia, Inc.)
    Quote Originally Posted by John Crutchfield
    So, when you click the link with the query string, it sets the action to addform,
    but I don't understand why you're retrieving it with a GET when it's submitted from authors.html.php with a POST. It's posted exactly that way in the book, so it's either wrong, or I don't understand something about the basic foundation of how GETs and POSTs work.
    It's not POSTed. The edit and delete buttons do a POST, but the add is a simple link, with a GET parameter.

    Quote Originally Posted by John Crutchfield
    I also don't understand why we strip off the query with form action="?". Wouldn't that happen automatically since it's being bounced to form.html.php whose form action="POST"? I thought POSTs don't keep query strings in their URLs.
    If you set action to "" in the form, it will POST to exactly the URL the user is currently on. So if you're on something.php?add, the form will be posted to something.php?add. If you set the action to ?, the query string will be replaced (with nothing, in this case), thus the url becomes something.php?

    It is important to note that GET and POST are not mutually exclusive. If you post data to a URL with query parameters, both GET and POST variables will be set.

    Quote Originally Posted by Mittineague
    The REQUEST array can deal with both GET and POST arrays.
    I prefer to not use REQUEST and write code that deals only with either GET or POST, not both.
    But I have seen a lot of code that does use REQUEST. It's fine to use I guess, just not my preference.
    $_REQUEST should be removed altogether. It's up to the programmer to know where data comes from. $_REQUEST is like saying "well, I don't care how you send the data, just send it any which way", which is just lazy. Especially using $_REQUEST with login forms is a bad idea since 1) that data really should be POSTed and 2) opening up GET makes it a lot easier to hammer the URL to try and get access.
    In my book, any use of $_REQUEST is considered a bug. (And even any direct use of $_GET and $_POST I consider a bug, but that's beyond the scope of this thread.)
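    As an added example (not from the thread, the book or any poster's code) of the two points made above: how action="" and action="?" resolve against the URL the user is on, and why a handler that reads $_REQUEST instead of $_POST will act on values that only arrived in the query string. The URL /admin/authors/?add, the sample parameters and the two handler functions are assumptions for illustration.

```php
<?php
// Added example for this thread, not code from the book or from any poster: which URL
// a form submits to for action="" vs "?", and why reading $_REQUEST is risky.
declare(strict_types=1);

// Resolve a form's submission URL the way a browser does for the two actions
// discussed in the thread: "" keeps the current URL, query string included;
// "?..." keeps the path and replaces the whole query string.
function formTarget(string $currentUrl, string $action): string
{
    if ($action === '') {
        return $currentUrl;
    }
    if ($action[0] === '?') {
        return explode('?', $currentUrl, 2)[0] . $action;
    }
    return $action; // other relative or absolute URLs: not covered here
}

// Rebuild what $_REQUEST holds under PHP's default request_order "GP":
// GET values first, then POST values overwrite same-named keys.
function mergedRequest(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Lazy handler: takes the action from wherever it came, so a plain link like
// authors.php?id=7&action=Delete reaches the same code path as the POST form.
function lazyAction(array $request): ?string
{
    return $request['action'] ?? null;
}

// Strict handler: a state-changing action is honoured only on a POST request
// and only from the POST body; the query string merely selects the add form.
function strictAction(string $method, array $get, array $post): ?string
{
    if ($method === 'POST') {
        return $post['action'] ?? null;
    }
    return isset($get['add']) ? 'addform' : null;
}

// Constructed sample requests (not captured traffic).
echo formTarget('/admin/authors/?add', ''), "\n";  // form posted back to ?add
echo formTarget('/admin/authors/?add', '?'), "\n"; // query string replaced with nothing
$get  = ['id' => '7', 'action' => 'Delete'];       // values arriving in the URL only
$post = [];                                        // nothing was POSTed
var_dump(lazyAction(mergedRequest($get, $post)));  // the lazy handler accepts "Delete"
var_dump(strictAction('GET', $get, $post));        // the strict handler returns null
```

    Run it with `php example.php`; the strict handler is the pattern Mittineague and ScallioXTX describe, where the code decides up front whether it is serving a GET or a POST and reads only that array.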

  10. #10
    SitePoint Enthusiast
    Quote Originally Posted by ScallioXTX
    It's not POSTed. The edit and delete buttons do a POST, but the add is a simple link, with a GET parameter.

    If you set action to "" in the form, it will POST to exactly the URL the user is currently on. So if you're on something.php?add, the form will be posted to something.php?add. If you set the action to ?, the query string will be replaced (with nothing, in this case), thus the url becomes something.php?

    It is important to note that GET and POST are not mutually exclusive. If you post data to a URL with query parameters, both GET and POST variables will be set.

    $_REQUEST should be removed altogether. It's up to the programmer to know where data comes from. $_REQUEST is like saying "well, I don't care how you send the data, just send it any which way", which is just lazy. Especially using $_REQUEST with login forms is a bad idea since 1) that data really should be POSTed and 2) opening up GET makes it a lot easier to hammer the URL to try and get access.
    In my book, any use of $_REQUEST is considered a bug. (And even any direct use of $_GET and $_POST I consider a bug, but that's beyond the scope of this thread.)
    This was very helpful. Thanks.

