Form action = ? vs ""

Is it a good idea to always strip the query string
With ? instead of using “” for security?

I’m not sure when to use one and not the other.

I’m unclear about what you’re asking. Can you give an example?

<form action= “” method=“get”>

where both " " and ?

Send info to back to the page that generated the home doc but ? also removes query string.

But if you’re using GET instead of POST you want the query string no?

I think that’s the answer to my question. Only use it with post. Thanks. That’s how the example in the book does it too.

I’m still very confused.

i thought POST automatically doesn’t show the password in the URL.

So what’s the point of doing form action=? To strip it?

Here’s the code:

//By clicking Add new author, this passes query string to

<?php include_once $_SERVER['DOCUMENT ROOT'] . '/includes/'; ?>
<!DOCTYPE html>
<html lang="en>
<meta charset="utf-8">
<title> Manage Authors</title>
<h1> Manage Authors</h1> 
<p><a href ="?add> Add new Author</a></p>
<?php foreach($authors as $author): ?>
<form action= "?" method ="post">
<?php htmlout($author['name']); ?>
<input type="hidden" name="id" value"<?php
echo $author['id];?>">
<input type="submit" name="action" value="Edit">
<input type="submit" name="action" value="Delete">
<?php endforeach; ?>
<p><a href= ".."> Return to JMS home</a></p>


$pageTitle = 'New Author';
$action = 'addform';
$name = '';
$email = '';
$id = '';
$buton = 'Add author';

//and sends it to form.html.php

<!DOCTYPE html>
<html lang="en">
<meta charset ="utf-8">
<title> <?php htmlout($pageTitle); ?></title>
<h1> ?php htmlout($pageTitle); ?>  </h1>
<form action ="?" <?php htmlout($action); ?> method = "post">
<label for ="name">Name: <input type ="text" name="name" id ="name" value="<?php htmlout($name); ?>"></label>
<label for ="email">Email: <input type ="text" name="email" id="email value =<?php htmlout($email); ?>"></label>
<input type="hidden" name ="id" value ="<?php htmlout($id); ?>">
<input type="submit" value="<?php htmlout($button);>">

So, you when you click the link with the query string, it sets the action to addform,
but I don’t understand why you’re retrieving it with a GET when it’s submitted from authors.html.php with a POST. it’s posted exactly that way in the book, so it’s either wrong, or I don’t something with the basic foundaiton of hwo GETs and POSTs work.

I also don’t understand why we strip off the query with form action = “?” . Wouldn’t that happen automatically since it’s being bounced to form.html.php whose form action =“POST”? I thought POST don’t keep query strings in their URLs.

I think what’s missing here is the REQUEST array.
It may be that it will be introduced further along in the book.

The REQUEST array can deal with both GET and POST arrays.
I prefer to not use REQUEST and write code that deals only with either GET or POST, not both.
But I have seen a lot of code that does use REQUEST. It’s fine to use I guess, just not my preference.

My guess is that the book is using a single file to handle both GET and POST arrays, and it wants to make sure that if someone tacks on some GET variables onto the URL (easily seen by looking at the address bar) when they submit a POST form the code that handles the request won’t mess up.

It’s not POSTed. The edit and delete buttons do a POST, but the add is a simple link, with a GET parameter.

If you set action to “” in the form, it will POST to exactly the URL the user is currently on. So if you’re on something.php?add, the form will be posted to something.php?add. If you set the action to ?, the query string will be replaced (with nothing, in this case), thus the url becomes something.php?

It is important to note that GET and POST are not mutually exclusive. If you post data to a URL with query parameters, but GET and POST variables will be set.

$_REQUEST should be removed altogether. It’s up to the programmer to know where data comes from. $_REQUEST is like saying “well, I don’t care how you send the data, just send it any which way”, which is just lazy. Especially using $_REQUEST with login forms is a bad idea since 1) that data really should be POSTed and 2) opening up GET makes it lot easier to hammer the URL to try and get access.
An my book, any use of $_REQUEST is considered a bug. (and even any direct use of $_GET and $_POST I consider a bug, but that’s beyond the scope of this thread).

this was very helpful. thanks.