tags:

views:

676

answers:

4
+1  Q: 

What to use instead of if(isset($_POST['submit'])) for this.form.submit()?

I want to run a particular block of PHP if the user submits a form. It works if I use a submit button with name="submit" and:

<?php
if(isset($_POST['submit'])) {
code to run
}
?>

I don't know anything about javascript, and I want the code to run if the user changes a dropdown menu. If I make the first line of the dropdown

<select name="dropdownname" onchange="this.form.submit()">

the form appears (I haven't tested it) to submit if the user changes the dropdown choice. However, if I do this, the if(isset($_POST['submit'])) PHP code doesn't run. Is there a PHP if statement I can write that will respond to the form being submitted even though it's being submitted by a change in the dropdown and not a submit button?

+5  A: 

You may want to check directly for: 

if(isset($_POST['dropdownname']))
Daniel Vassallo  2010-03-20 16:02:31
Of course! That makes total sense (and works). Thank you!
paracaudex  2010-03-20 16:05:08
A: 

you should always check $_SERVER['REQUEST_METHOD'] instead of particular field name

Col. Shrapnel  2010-03-20 16:07:49
No, you should always check for the existence of every field you are expecting to receive, or at least those your code *requires*. Just checking the request method tells you nothing about the data you are being passed.
Atli  2010-03-20 16:38:30
@Atli So, nobody asked you about the data you are being passed
Col. Shrapnel  2010-03-20 17:41:15
@Col. Shrapnel - He asked for the code to be executed if the drop-down is changed. If you only check the request method, any POST request would trigger the code, even one from another form. - Verifying the value is present is the only way to guarantee that the `<select>` was actually submitted (which it should always be, in a valid request, given his `onchange` event.)
Atli  2010-03-20 21:50:00
@Atli Well, GET method should be used instead.
Col. Shrapnel  2010-03-20 22:33:45
@Col. Shrapnel - Things don't always go as you assume they should, and assuming they will when developing code like this **is** going to create bugs and security issues. - That is why we verify input data, to **make sure** things are going as they should be going.
Atli  2010-03-20 23:50:24
@Atli You just didn't understand both the question and the answer. **As a replacement** of if(isset($_POST['submit'])) my answer is all right. And don't lecture me on security. A do know it, not copypaste the same text many times without understanding.
Col. Shrapnel  2010-03-21 06:06:32
@Col. Shrapnel - I believe it may be you who did not understand the question. He didn't ask for a replacement for `isset($_POST['field'])`, but a way to detect if a `<select>`'s `onchange` submitted the form. - And regardless of your intent, what your post says is quite clear. You say we should **always** check the request method rather than a particular field, which is just wrong, and irresponsible if you actually know about security, as you claim to.
Atli  2010-03-22 06:53:23
@Atli yes, to detect if we have POST method form posted, we should **always** check the request method, no exceptions. And we have clear question, `"if the user submits a form"`. Not a single word about "security check" of particular field, but detecting whole form submit. Got it now?
Col. Shrapnel  2010-03-22 07:35:38
@Col. Shrapnel - It's not as clear as you make it out to be, mate. If you read further down he says `"I want the code to run if the user changes a dropdown menu"`. Your method does not always accomplish that. -- And even if he did not mention anything about security, in a discussion like this security concerns are always implied. - The simple fact is that even in the narrow scenario your method can be used (if code should be executed on a POST request), the more secure and less error prone method I, and the accepted answer, are promoting works just as well.
Atli  2010-03-22 11:34:32
Also, it should be mentioned that the `$_SERVER` super-global is populated by the web-server, not PHP, so there is no guarantee that the elements in there are even populated at all, or that they are consistent across servers. *(Granted, the most popular HTTP servers do populate it pretty consistently.)*
Atli  2010-03-22 11:39:07
@Atli Please read the last sentence of the question. It is about the form, not field. And my answer covers exactly. Also, there is no security concerns in such a question. And talking of $_SERVER's unreliability in nonsense.
Col. Shrapnel  2010-03-22 12:31:14
@Col. Shrapnel - I *have* read the question, several times. - I never said your solution wouldn't work, in this case. I'm just saying there is a better solution available; one that covers all sides of this topic, not just the one side you are focusing on. - And like I said earlier; in a topic like this, security is **always** a concern, whether or not the OP directly asked about it. -- And, lastly, there is nothing nonsensical about mentioning the reliability of `$_SERVER`. What I said is perfectly true. How you decide to act on that information is up to you.
Atli  2010-03-22 17:42:57
@Atli go tell it not to me but to everyone who uses $_SERVER everyday. You're only one who knows this secret :) And what certain security issue you're talking about?
Col. Shrapnel  2010-03-23 03:47:53
@Col. Shrapnel - Sure, I am always happy to point out ways in which people can improve their code. And this is in no way a secret, and I am not the only one who am aware if it. Not by a long shot. Just take a look at the accepted answer to this question. -- The security issue I am talking about (amongst others) is the frequently overlooked input validation issue. By checking the request method itself, rather than individual fields, you are assuming the fields exists, when in fact they may very well not. - That sort of assumption leaves you open to all sorts of bugs and malicious attacks.
Atli  2010-03-23 17:02:13
@Atli Oh my. you wasted tons of my time with such an irrelevant nonsense.
Col. Shrapnel  2010-03-24 06:10:03
@Col. Shrapnel - It is anything but irrelevant or nonsensical. I'm sorry you won't see that. - But you are right about one thing, this discussion does seem to be a waste of time. - All the best.
Atli  2010-03-24 13:03:32
A: 

And in case if this dropdown used to display some data, not to write to the database, GET method should be used instead.

Col. Shrapnel  2010-03-20 16:30:55
A:  
<?php

if(!empty($_POST))
{
    code to run
}

?>
Daniel McCoy  2010-03-20 17:17:44
That wouldn't make any sense now, would it? Any POST-request would run the code, and that's not what the author wanted.
Jesper Karsrud  2010-03-21 13:35:54

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases