PHP web submission form: Am I doing it wrong?

Ichinisan

Lifer
Oct 9, 2002
28,298
1,236
136
This is a simplified version of what I'm working on:

PHP:
<html>
<body>
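<?php
// Default to '' so the first page load (nothing submitted yet) does not read undefined keys
$field1     = $_REQUEST['field1'] ?? '';
$submitted  = $_REQUEST['submitted'] ?? '';
$validation = ''; // used in the alert below but never set in this simplified version (assumed to hold the failed checks in the full form)
?>
<form method='post' action='index.php' onReset="return confirm('Do you really want to clear the form?')">
<label  for='field1'>Field 1:<br>
<input name='field1' id='field1' type='text' value='<?php echo htmlspecialchars($field1, ENT_QUOTES); /* ENT_QUOTES: the attribute is single-quoted */ ?>'></label><input id='submit' name='submit' type='submit' value='Submit'> <input id='clear' name='clear' type='reset'>
<input id='submitted' name='submitted' type='hidden' value='<?php echo htmlspecialchars($submitted, ENT_QUOTES); ?>'>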
<?php
if ($submitted == "yes")
{
	// The value of "$submitted" was set, so this is not the first time the page has loaded
	// The user has clicked the Submit button

	if ($field1=="")
	{
		// Notify user that required fields must be completed
		echo '<script type=\'text/javascript\'>alert(\'Ensure that required fields are completed.\r\n\r\n'.$validation.'\');</script>';
	}
	else
	{
		// Send email
		$emailto = "fake@recipient.address";
		$subject = "[Web Submission]";
		$message = "Field 1:\r\n$field1\r\n\r\n";
		$headers = "From: No Reply <noreply@nowhere.com>\r\n";
		mail($emailto,$subject,$message,$headers);
		echo "<script>alert('Form submitted.\\r\\n\\r\\nAn email message has been dispatched to $emailto')</script>";
	}
}
else
{
	// The value of "$submitted" was not set, so this is the first time the page has loaded
	// The user has not clicked the Submit button
	echo '<script type=\'text/javascript\'>document.getElementById("submitted").value="yes";</script>';
}
?>
</form>
</body>
</html>

The actual form has MANY more fields and validates required fields with nested conditions. I deliberately designed it so fields aren't cleared when the user submits. This allows the user to print the page or make a quick correction and re-submit. The "Reset" button works fine, but only when it's used before submitting the form. After the form has been submitted, the "Reset" button generates a prompt, but clicking "OK" doesn't clear anything.

After analyzing the code, I know WHY this happens. I believe I can change the reset event to run a javascript function instead of just the prompt, and the function can manually clear each variable.

I'm not trained in HTML, PHP, or web development. I've just been forced to re-write some things. You PHP gurus have been a huge help in the past. Maybe one of you can tell me if there's a better / simpler approach to accomplish the same thing I'm doing here.

Thanks!
 

Ichinisan

I basically had to get rid of the "onReset" event and use a regular button instead of setting it as a "Reset" type. The regular button generates a choice() prompt, and sets the original URL if the user selects "OK."
 

beginner99

Diamond Member
Jun 2, 2009
5,320
1,768
136
IMHO alert should be avoided.

My pattern is to submit to a new page, not to itself. If validation fails, put the form data in the session variable. Redirect to the form and fill the fields from the session. And of course you add the validation error message to the session and display it if set.

pseudo-code:
Code:
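...
<div>
<input name='field1' id='field1' type='text' value='<?php if (isset($_SESSION['field1'])) echo htmlspecialchars($_SESSION['field1'], ENT_QUOTES); ?>'>
<?php if (isset($_SESSION['validation']['field1'])) {
	// Output a tag containing the validation error (the span and its class are placeholders)
	echo '<span class="error">' . htmlspecialchars($_SESSION['validation']['field1'], ENT_QUOTES) . '</span>';
}
?>
</div>
...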

If you use CSS properly, the validation message appears behind the field that did not validate.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Just a public service announcement. You shouldn't use $_REQUEST. Use $_GET or $_POST respectively.

$_REQUEST pulls from GET, POST, and COOKIE, and thus you can't trust that your data is coming from the POST submit of your form. Also, if this was a real form, you really should validate that input as well to prevent someone from abusing your form.
 

Ichinisan

The domain / IP is only accessible from the company LAN. Is validation recommended for all fields, or only specific types?
 

sourceninja

Always validate any data that comes from the user. Never trust a user, not even yourself. The largest majority of bugs, exploits, and future problems that I encounter are because people do not use prepared SQL queries (or some other method of protection), and because they do not validate input on the server side.

I'd recommend that at a minimum. Personally, I always focus on test-driven development. For PHP I use SimpleTest ( http://www.simpletest.org/ ). In TDD you write your tests, then you write your code to pass your tests. When you find issues, bugs, etc., you write tests that can replicate those issues, then you fix your code to pass those tests. By doing this, if anyone else (or yourself years from now) needs to edit the code, they can re-run the unit tests and find any issues they may have created (and in this case have a good idea the code will work).

In addition to that, I'd recommend you pick up some source code management tools. This will let you track your changes over time and should make it easier to see how you or someone else introduced a bug into your code. I'm a big git fan ( http://git-scm.com/ ), but other big players are http://mercurial.selenic.com/ , http://bazaar.canonical.com/en/ , and http://subversion.apache.org/ . All 4 have really nice tools for graphical or command line access (if you're just getting started and using Windows, I recommend you try tortoisegit or tortoisesvn). I'm not going to get into the differences between the 3, but good SCM tools are a must for any professional development (and I really wish they would teach these habits at the start in college along with TDD).
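
The advice in this thread put together in one handler: read `$_POST` only, validate every field on the server, and use the session-and-redirect pattern instead of `alert()`. This is an added example, not code from any poster; the 200-character limit, the error texts and the `error` class are assumptions, while the field name, mail values and `index.php` come from the original post.

```php
<?php
// Added example, not code from the thread. Field name, mail values and index.php come
// from the original post; the 200-character limit and error texts are assumptions.
session_start();

// Server-side validation: returns [clean values, errors keyed by field name].
function validate_submission(array $post): array
{
    $values = ['field1' => ''];
    $errors = [];
    $raw = $post['field1'] ?? '';
    if (!is_string($raw)) {                 // field1[]=x arrives as an array
        $errors['field1'] = 'Invalid value.';
    } elseif (($values['field1'] = trim($raw)) === '') {
        $errors['field1'] = 'This field is required.';
    } elseif (strlen($values['field1']) > 200) {
        $errors['field1'] = 'Maximum 200 characters.';
    }
    return [$values, $errors];
}

// Escape for HTML text and quoted attribute values (single or double quotes).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read $_POST only, so query-string and cookie values cannot stand in for the form.
    [$values, $errors] = validate_submission($_POST);
    if (!$errors) {
        mail('fake@recipient.address', '[Web Submission]',
            "Field 1:\r\n{$values['field1']}\r\n\r\n",
            "From: No Reply <noreply@nowhere.com>\r\n");
    }
    $_SESSION['form'] = ['values' => $values, 'errors' => $errors];
    header('Location: index.php', true, 303); // redirect so a reload does not re-post
    exit;
}
$form = $_SESSION['form'] ?? ['values' => ['field1' => ''], 'errors' => []];
unset($_SESSION['form']); // one-shot: shown once after the redirect, then discarded
?>
<form method="post" action="index.php">
  <label for="field1">Field 1:</label>
  <input name="field1" id="field1" type="text" value="<?= h($form['values']['field1']) ?>">
  <?php if (isset($form['errors']['field1'])): ?>
    <span class="error"><?= h($form['errors']['field1']) ?></span>
  <?php endif; ?>
  <input type="submit" value="Submit">
</form>
```

The submitted value goes only into the mail body here; any field that ends up in the `$headers` argument of `mail()` would also need CR/LF rejected during validation.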