Odd Javascript behaviour in my PHP file.

prateems32

For some reason, when I use this script in an HTML file (aptly named "test.html"):

HTML:
<form action="test.php" name="testForm" id="testForm" method="post">
Blarg!!
<script type="text/javascript" language="javascript">
function formSubmit() {
   document.forms["testForm"].submit();
}
setTimeout('formSubmit()', 120000);
</script>
</form>

It works. However, when I move it from testing to actually putting it to use in a PHP file like so (this would be in, for example, form.php, but in the url it'd be of the form: form.php?confirmed=yes&var=meh&var2=bleh)...

PHP:
<?php

// Create the <form> HTML tag and have it set to submit to the very same file under the same variable conditions
// There is a function ready to process form data once the submit button has been pressed/the form has been auto-submitted
// via use of the $_POST['form_element'] variables.
echo "<form action=\"form.php?confirmed=yes&var=" . $_GET['var'] . "&var2=" . $_GET['var2'] . "\" method=\"post\" name=\"testForm\" id=\"testForm\">\n\n";

/* ... */ # <-- Whole bunch of PHP code creating form elements

// Create the <script></script> tags that will auto-submit the form after two minutes.
echo "<script type=\"text/javascript\" language=\"javascript\">\nfunction formSubmit() {\n   document.forms[\"testForm\"].submit();\n}\nsetTimeout('formSubmit()', 120000);\n</script>\n\n<input type=\"submit\" name=\"submit\" value=\"Submit Form\" />\n\n</form>";

?>


It does not. The echo statement related to the <script></script> tags outputs the exact same code as is put in the test.html file... but it won't auto-submit... It just sits there and waits for you to click on the "Submit" button yourself. Any thoughts on this, guys?
 

misson

Check your error console. The two don't have the exact same code. In the second case, you've got a submit button named "submit", so it replaces the form's submit method. Remove the name attribute from the submit button.

Instead of echoing all the HTML, echo just the values. It can be much more readable.
HTML:
<form action="form.php?confirmed=yes&var=<?php echo $_GET['var']; ?>&var2=<?php echo $_GET['var2']; ?>" method="POST" name="testForm" id="testForm">
    <!-- Whole bunch of PHP code creating form elements -->
    <script type="text/javascript">
      setTimeout(function() {document.forms.testForm.submit();}, 120000);
    </script>
    <input type="submit" value="Submit Form" />
</form>
The "language" attribute on script elements is unnecessary and not valid HTML.

setTimeout can take a function name or an anonymous function, which is cleaner than passing a string to evaluate.
 

adeshavinash96

setTimeout can take a function name or an anonymous function, which is cleaner than passing a string to evaluate.

It doesn't work if you pass a function name, because the return value of the function will be used instead of the function name.

Your code will be executed, but it won't wait for the given time.

So prateems32's code is correct.

And it's a bad idea to use the $_GET variables directly; you need to cleanse those variables first.
 

prateems32

I've tried using setTimeout like that before, but it doesn't work. I had to go through quite a few attempts of using setTimeout before I got it. What I found was interesting:

HTML:
<script type="text/javascript">
function blarg() {
   document.forms["form"].submit();
}
setTimeout(blarg(),1000);
</script>

Does not work. It only works if you encase the function as so: 'blarg()' -- It took me 40 minutes to figure that out. 40 minutes of trying out different iterations of the same goal in the setTimeout function.

As for just echoing the variables, you're right -- it would indeed be much cleaner. But the code example I provided here is only a snippet, and in my script it isn't (currently) possible for me to just do that, as the PHP is in an if() function that is nested within more if() functions.

Thanks for the help though! I can't believe it was as simple as renaming the submit button (just tested -- it works). This is like discovering the encasing of the function all over again :confused: Haha

Cheers, guys. Thanks again! :biggrin:
 

misson

It doesn't work if you pass a function name, because the return value of the function will be used instead of the function name.
It definitely does work. What doesn't work is calling the function rather than passing the function.

HTML:
<script type="text/javascript">
function blarg() {
   document.forms["form"].submit();
}
setTimeout(blarg(),1000);
</script>
That isn't passing the function name, that's calling the function. Passing the function would be:
HTML:
<script type="text/javascript">
function blarg() {
   document.forms["form"].submit();
}
setTimeout(blarg,1000);
</script>
Note the absence of parentheses after blarg.

As for just echoing the variables, you're right -- it would indeed be much cleaner. But the code example I provided here is only a snippet, and in my script it isn't (currently) possible for me to just do that, as the PHP is in an if() function that is nested within more if() functions.
That's not a problem. Switch in and out of PHP using <?php and ?> tags. As much as possible, make PHP look like XML elements.
PHP:
<?php

function ...(...) {
    if (..): ?>
      <form ...>
        <?php if (..): ?>
          <fieldset ...>
              ...
          </fieldset>
        <?php endif; ?>
        <?php foreach (...): ?>
          <div>
              <input ... />
              ....
          </div>
        <?php endforeach; ?>
        ...
      </form>
    <?php endif; 
}
Of course, it may not help readability depending on how intertwined the PHP and HTML are, but if they are that intertwined, the code should be rewritten to separate logic from output using (e.g.) the builder pattern: construct a tree of objects which will later be used to output the HTML. The DOM extension is good for this.

And it's a bad idea to use the $_GET variables directly; you need to cleanse those variables first.
A very good point, important for preventing cross-site scripting (XSS).
 

misson

Read up on XSS, starting with the link at the bottom of my last post.

As for how to sanitize user input, the simplest would be to urlencode the variables to prevent HTML injection into the form page.
PHP:
<form action="form.php?confirmed=yes&var=<?php echo urlencode($_GET['var']); ?>&var2=<?php echo urlencode($_GET['var2']); ?>" method="POST" name="testForm" id="testForm">

However, this still allows arbitrary values to be passed into the form handler URL, which might leave the form handler (or other scripts further down the pipeline) open to XSS. A safer approach would be to filter the input through a whitelist. It depends on the nature of the data in var & var2.
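
The allowlist approach suggested above, as an added example that is not part of the original post or the poster's code. It assumes `var` comes from a fixed set and `var2` is a short slug (the thread does not say what they hold); the helper names `allow_value`, `allow_pattern` and `form_action` are hypothetical.

```php
<?php
// Added example, not code from the thread. The allowed values and the slug
// pattern are assumptions: the thread never says what var and var2 hold.
const ALLOWED_VAR  = ['meh', 'blah'];             // assumed fixed set for var
const VAR2_PATTERN = '/\A[a-z0-9_-]{1,32}\z/';    // assumed shape of var2

// Hypothetical helper: return $raw only if it is an allowlisted string.
function allow_value($raw, array $allowed, string $default): string
{
    // is_string() also rejects array input such as ?var[]=x
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : $default;
}

// Hypothetical helper: return $raw only if it fully matches $pattern.
function allow_pattern($raw, string $pattern, string $default): string
{
    return (is_string($raw) && preg_match($pattern, $raw) === 1) ? $raw : $default;
}

// Build the form's action attribute value from untrusted query parameters.
function form_action(array $get): string
{
    $query = http_build_query([
        'confirmed' => 'yes',
        'var'       => allow_value($get['var'] ?? null, ALLOWED_VAR, 'meh'),
        'var2'      => allow_pattern($get['var2'] ?? null, VAR2_PATTERN, 'bleh'),
    ], '', '&');
    // http_build_query() URL-encodes each value; htmlspecialchars() then
    // escapes the URL for a double-quoted attribute (& becomes &amp;).
    return htmlspecialchars('form.php?' . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests: a normal one and an HTML-injection attempt.
$samples = [
    ['var' => 'meh', 'var2' => 'bleh'],
    ['var' => '"><b>injected</b>', 'var2' => ['x']],
];
foreach ($samples as $get) {
    echo '<form action="' . form_action($get) . '" method="post" id="testForm">', "\n";
}
```

In form.php the call would be `form_action($_GET)`; here rejected values fall back to defaults, and rejecting the request outright is an equally valid policy.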
 

callumacrae

PHP:
<?php

function ...(...) {
    if (..): ?>
      <form ...>
        <?php if (..); ?>
          <fieldset ...>
              ...
          </fieldset>
        <?php endif; ?>
        <?php foreach (...): ?>
          <div>
              <input ... />
              ....
          </div>
        <?php endforeach; ?>
        ...
      </form>
    <?php endif; 
}

PHP:
<?php if (..); ?>

Should be:

PHP:
<?php if (..): ?>

I'm guessing it was just a typo :)

~Callum
 

misson

Indeed; my left pinky was faster than my right. Fixed.
 