SitePoint Sponsor

User Tag List

Results 1 to 12 of 12
  1. #1
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    a limit to the amount of times $_SERVER['PHP_SELF'] can be used?

    I'm in the middle of designing this script with php and mysql and was wondering whether or not there was a limit to the amount of times you could use $_SERVER... in a given script. My script has the usual form should the submit not be set yet...BUT then I go into several more conditional statements that will bring about another web form. Will this not work or must I merely change the (!$_POST ['submit']) variable for each condition->changing submit to another word for the nested loops and conditionals. Any help will be great.

  2. #2
    SitePoint Addict
    Join Date
    Jul 2008
    Location
    sudo rm -rf /
    Posts
    386
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What do you mean "the amount of times you could use"?

  3. #3
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    For example, I have one conditional stating that if the form is not submitted, create one-->else give some errors: Within the first conditional, if it's successful, it will create another form which serves itself back to the current page-->Then I do this again within the conditional of the second conditional-->So I'm wondering whether or not it is a limit on the amount of times I can have the page serve back to itself

  4. #4
    SitePoint Addict
    Join Date
    Jul 2008
    Location
    sudo rm -rf /
    Posts
    386
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Can you post some code?

  5. #5
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    <?php

    //form not yet submitted
    //display initial form

    //includes
    include 'config.php';

    //open db connection
    $connection = mysql_connect ($host, $user, $pass) or die ('Unable to connect!');

    //select db
    mysql_select_db ($db) or die ('Unable to select db!');

    $query = "SELECT id, username FROM users";
    $result = mysql_query($query) or die ("Error in $query. ".mysql_error());


    if (!$_POST['submit'])

    {
    ?>
    <table>
    <form action="<?=$_SERVER['PHP_SELF']; ?>" method="POST">
    <tr>
    <td>User</td>
    <td><select name="uid" size="50"><option selected value="">Select user</option>
    <option value="">---------------</option>
    <?php
    while ($users = mysql_fetch_array($result))
    {
    $uid = $users['id'];
    $name = htmlspecialchars($users['name']);
    echo "<option value='$uid'>$name</option>/n";
    }
    ?>
    </select>
    </td>

    <tr>
    <td>Event Name</td>
    <td><input size="50" maxlength="75" type="text" name="title" /></td>
    </tr>
    <tr>
    <td>How many days will the event be?</td>
    <td><input size="50" maxlength="75" type="text" name="days" /></td>
    </tr>
    <tr>
    <td><input type="Submit" name="submit" value="Continue" /></td>
    </tr>
    </form>
    </table>
    <?php
    }
    else
    {

    //set up error list array
    $errorList = array();

    $title = $_POST['title'];
    $days = $_POST['days'];
    $uid = $_POST['uid'];

    //validate text input

    if (trim($title) == '')
    {
    $errorList[] = "Invalid entry: Title";
    }

    if (trim($days) == '' || !is_numeric(trim($_POST['days'])))
    {
    $errorList[] = "Invalid entry: Number of days";
    }

    if ($uid == '')
    {
    $errorList[] = "Invalid entry: Select an author";
    }

    //check for errors
    //if none found
    if (sizeof ($errorList) == 0)
    {
    //generate and execute query
    $query = "INSERT INTO activity (title, timestamp) VALUES ('$title', NOW())";

    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());

    //retrieve activity id #
    $aid = mysql_insert_id();

    $query = "INSERT IGNORE INTO ueventts (uid, aid) VALUES ('$uid', '$aid')";

    //close db connection
    mysql_close($connection);

    if (!$_POST['submit'])
    {
    ?>
    <table>
    <form action="<?=$_SERVER['PHP_SELF']; ?>" method="POST">
    <?php for ($x=0; $x<$_POST['days']; $x++)
    {
    ?>
    <tr>
    <td>Select the date</td>
    <td><select name="month"><option value=" " selected="selected">Month</option><option value="01">01</option><option value="02">02</option><option value="03">03</option><option value="04">04</option><option value="05">05</option><option value="06">06</option><option value="07">07</option><option value="08">08</option><option value="09">09</option><option value="10">10</option><option value="11">11</option><option value="12">12</option></select>
    </td>
    <td><select name="day"><option value=" " selected="selected">Day</option><option value="01">01</option><option value="02">02</option><option value="03">03</option><option value="04">04</option><option value="05">05</option><option value="06">06</option><option value="07">07</option><option value="08">08</option><option value="09">09</option><option value="10">10</option><option value="11">11</option><option value="12">12</option><option value="13">13</option><option value="14">14</option><option value="15">15</option><option value="16">16</option><option value="17">17</option><option value="18">18</option><option value="19">19</option><option value="20">20</option><option value="21">21</option><option value="22">22</option><option value="23">23</option><option value="24">24</option><option value="25">25</option><option value="26">26</option><option value="27">27</option><option value="28">28</option><option value="29">29</option><option value="30">30</option><option value="31">31</option></select>
    </td>
    <td><select name="year"><option value=" " selected="selected">Year</option><option value="2008">2008</option><option value="2009">2009</option><option value="2010">2010</option><option value="2011">2011</option><option value="2012">2012</option><option value="2013">2013</option><option value="2014">2014</option><option value="2015">2015</option><option value="2016">2016</option><option value="2017">2017</option><option value="2018">2018</option><option value="2019">2019</option><option value="2020">2020</option></select>
    </td>
    <td>How many timeslots for this day</td>
    <td><input size="50" maxlength="75" type="text" name="timeslots" /></td>
    </tr><br />
    <?php
    }
    ?>
    <tr>
    <td><input type="Submit" name="submit" value="Continue" /></td>
    </tr>
    </form>
    </table>
    <?php
    else
    {
    //validate the next form
    //set up error list array
    $errorList = array();

    $month = $_POST['month'];
    $day = $_POST['day'];
    $year = $_POST['year'];
    $timeslots = $_POST['timeslots'];

    //validate text input

    if (trim($month) == '')
    {
    $errorList[] = "Invalid entry: Month";
    }

    if (trim($day) == '' || !is_numeric(trim($_POST['day'])))
    {
    $errorList[] = "Invalid entry: The Day";
    }

    if (trim($year) == '' || !is_numeric(trim($_POST['year'])))
    {
    $errorList[] = "Invalid entry: Select a year";
    }

    if (trim($timeslots) == '' || !is_numeric(trim($_POST['timeslots'])))
    {
    $errorList[] = "Invalid entry: Number of timeslots";
    }

    //check for errors
    //if none found
    if (sizeof ($errorList) == 0)
    {
    //open db connection
    $connection = mysql_connect ($host, $user, $pass) or die ('Unable to connect!');

    //select db
    mysql_select_db ($db) or die ('Unable to select db!');

    //generate and execute query
    for ($i=0; $i<count($month); $i++)
    {
    $query = "INSERT IGNORE INTO edates (aid, day, timeslots) VALUES ('$aid', CONCAT('$year[$i]','-','$month[$i]','-','$year[$i]'), '$timeslots')";

    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());


    //close db connection
    mysql_close($connection);
    }

    if (!$_POST['submit'])
    {
    //open db connection
    $connection = mysql_connect ($host, $user, $pass) or die ('Unable to connect!');

    //select db
    mysql_select_db ($db) or die ('Unable to select db!');

    $query = "SELECT aid, day, timeslots FROM edates WHERE aid=$aid";
    $result = mysql_query ($query) or die ("Unable to find any days for this event");

    while ($row = mysql_fetch_object ($result))
    {
    ?>
    <table>
    <form action="<?=$_SERVER['PHP_SELF']; ?>" method="POST">
    <tr>
    <td><?php echo $row->day; ?></td>
    <?php for ($x=0; $x<$row->$timeslots; $x++)
    {
    ?>
    <td><input size="50" maxlength="75" type="text" name="hour" /></td>:
    <td><input size="50" maxlength="75" type="text" name="min" /></td>
    <td><input type=radio name="ampm" value="am" id="radio1"><label for="radio1">am</label>
    <input type=radio name="ampm" value="pm" id="radio2"><label for="radio2">pm</label>
    </td>
    <td><input size="50" maxlength="75" type="text" name="duration" /></td>
    <?php
    }
    ?>
    </tr>
    <tr>
    <td><input type="Submit" name="submit" value="Continue" /></td>
    </tr>
    </form>
    </table>
    <?php
    }

    }
    else
    {
    //validate the next form
    //set up error list array
    $errorList = array();

    $hour = $_POST['hour'];
    $min = $_POST['min'];
    $ampm = $_POST['ampm'];
    $duration = $_POST['duration'];

    //validate text input

    if (trim($hour) == '' || !is_numeric(trim($_POST['hour'])))
    {
    $errorList[] = "Invalid entry: Hour";
    }

    if (trim($min) == '' || !is_numeric(trim($_POST['min'])))
    {
    $errorList[] = "Invalid entry: Number of minutes";
    }

    if (trim($ampm) == '' || !is_numeric(trim($_POST['ampm'])))
    {
    $errorList[] = "Invalid entry: Time of day";
    }

    if (trim($duration) == '')
    {
    $errorList[] = "Invalid entry: Duration of event";
    }

    if (sizeof ($errorList) == 0)
    {
    $query = "INSERT INTO edetails(aid, time, ampm, duration) VALUES($aid, CONCAT('$hour',':','$min',':','00'), '$ampm', '$duration')";
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());

    echo "Dates and times successfully added! <a href=index.php>Go back to the events list</a>.";
    }

    else
    {
    //errors found
    //print as list
    echo 'The following errors were encountered:';
    echo "<br />";
    echo "<ul>";
    for ($x=0; $x<sizeof($errorList); $x++)
    {
    echo "<li>$errorList[$x]";
    }
    echo "</ul></font>";

    mysql_close($connection);
    }



    }
    }
    else
    {
    //errors found
    //print as list
    echo 'The following errors were encountered:';
    echo "<br />";
    echo "<ul>";
    for ($x=0; $x<sizeof($errorList); $x++)
    {
    echo "<li>$errorList[$x]";
    }
    echo "</ul></font>";
    }


    }

    }
    else
    {
    //errors found
    //print as list
    echo 'The following errors were encountered:';
    echo "<br />";
    echo "<ul>";
    for ($x=0; $x<sizeof($errorList); $x++)
    {
    echo "<li>$errorList[$x]";
    }
    echo "</ul></font>";
    }
    }
    ?>

  6. #6
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    very sorry for the long post!!!

  7. #7
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    No, there is no limit to how many times you can have a form(s) submit to the same url.

  8. #8
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ok, thank you for that. I was under the assumption that since I had so many loops and conditionals some magical limit had either be reached or the script is getting confused with all the forms checking for the same condition of whether 'submit' has been pushed.

  9. #9
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,099
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    I have read in many places that action="" is more secure than action="<?=$_SERVER['PHP_SELF']; ?>"

    I can't remember why but I no longer use $_SERVER['PHP_SELF'] anymore.

    Possibly someone can enlighten.
    What I lack in acuracy I make up for in misteaks

  10. #10
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Really? You don't have to specify anything and can just leave it blank?

  11. #11
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Most variables in php are user supplied data. PHP_SELF can be tainted by users if your webserver is configured to accept PATH_INFO(common).
    As always, htmlspecialchars() must be used before putting non markup data into an html document.

  12. #12
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Aha, I understand...I'm in the middle of downloading this netbeans so that I can validate my php. I'm so far lost in my own loops that I REFUSE to go through it manually.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •