PHP - Hi User script?

risendead

I'm learning PHP from a book called "PHP/MySQL Programming for the absolute beginner".

In it there's a program where the user types their name and clicks the submit button. This is supposed to create a variable $userName and the php page is supposed to display Hi there, $userName!

When I tried it on my local machine and on these servers it wouldn't work correctly. The html page displayed normally and the php page displayed fine except it wouldn't print the $userName as if it had never received it.

Here's the code:

HTML part:

<html>
<head>
<title>What's your name?</title>
</head>
<body>
<h1>What's your name?</h1>
<h3>Writing a form for user input</h3>
<form method = "post" action = "hiUser.php">
Please type your name:
<input type = "text" name = "userName">
<br>
<input type = "submit">
</form>
</body>
</html>

PHP part:

<html>
<head>
<title>Hi User</title>
</head>
<body>
<h1>Hi User</h1>
<h3>PHP program that receives a value from "whatsName"</h3>
<?
print "<h3>Hi there, $userName!</h3>";
?>
</body>
</html>

What's wrong with it? From what I've learned so far the code should work, it seems to make sense. :happysad:
 

Livewire

The code is assuming Register_Globals is on, which it will virtually -never- be. Replace that book now because it's relying on a function which no longer exists in PHP6, was defaulted to Off sometime in php5, and is deprecated as of somewhat recently.


To fix:

replace:

<?
print "<h3>Hi there, $userName!</h3>";
?>

with:

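<?php
// this gets the value from <input type = "text" name = "userName">; empty string if the field is missing
$userName = isset($_POST['userName']) ? $_POST['userName'] : '';
// escape it so anything typed into the form is shown as text, not treated as HTML
$userName = htmlspecialchars($userName, ENT_QUOTES, 'UTF-8');
print "<h3>Hi there, $userName!</h3>";
?>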



What it boils down to is Register_Globals was automatically making your $userName without you having to go $username=$_POST['userName']. This sounds like a wonderful idea until someone figures out what the variables are that you're using, and does something like pagename.php?admin=1&authenticated=1 - it'll automatically create $admin and $authenticated and set them to 1, which may very well give them administrative access if your script uses those two variables and doesn't do a good job verifying they were set correctly.

If coded properly no script will have that security issue, however the fact remains it's a massive security hole and has been closed for some time :S
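
The risk described in the post above, shown as an added example that is not part of the original thread. `extract()` stands in for `register_globals` here, and the function names and the request array are constructed for illustration.

```php
<?php
// Added example with constructed input; not code from the thread.

function check_login_legacy(array $request, $passwordOk) {
    // Assumption for illustration: extract() copies every request parameter
    // into a local variable, which is what register_globals did for globals.
    extract($request);
    if ($passwordOk) {
        $authenticated = 1;
    }
    // Defect: $authenticated is never initialised, so when the password check
    // fails its value comes straight from the request.
    return !empty($authenticated);
}

function check_login_fixed(array $request, $passwordOk) {
    // Initialise every security-relevant variable yourself and never create
    // variables from request keys; read named inputs explicitly instead.
    $authenticated = false;
    if ($passwordOk) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed request: equivalent to pagename.php?userName=guest&authenticated=1
$request = array('userName' => 'guest', 'authenticated' => '1');

// Password check failed in both calls; only the legacy version lets the caller in.
var_dump(check_login_legacy($request, false));
var_dump(check_login_fixed($request, false));
```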
 

risendead

Thanks for the quick reply. Yeah if the book is outdated I definitely don't want to spend time learning things the wrong way. At least I had only made it to the second chapter before wasting too much time. :)

Know of any good sites to learn from?
 

freecrm

In addition to the comments above, you might like to consider how variables are handled from page to page.

More specifically, $_POST information is only transferred from one page to another - or to itself. In other words, let's say your "user" (which is unauthenticated) enters their name in as suggested, it will only show on the hiUser.php page. As soon as that same user goes to a different page, the form values don't exist anymore, which means that your system no longer recognises the user!

As an alternative to $_POST variables, there are also $_SESSION variables, which stay in server memory until the browser is closed. This is ideal for user login scripts and the like. Your form can stay the same, but in the php page, you would alter it slightly as follows:



PHP:
session_start(); // must be called before any output on every page that uses $_SESSION
$_SESSION['userName'] = $_POST['userName'];



This takes the value from your form and assigns it to the $_SESSION memory.

After that, you can put...

PHP:
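session_start(); // needed on this page too, before $_SESSION is read
echo htmlspecialchars($_SESSION['userName'], ENT_QUOTES, 'UTF-8'); // escaped for HTML output

In any page you want and it will retrieve the value from memory.

This is particularly useful with page authentication, because you can check the $_SESSION value and allow/deny access based on it.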

This is of course a very simplified piece of code but I thought it might help understand the basics.
 

risendead

Wouldn't it be easier to just go ahead and change the form instead of switching one variable for another later or would this cause problems down the road?

I'm unsure of the newer PHP version but from what I learned so far this:
$_SESSION['userName'] = $_POST['userName'];
Means it gets (=) shouldn't it be it is equal to (==)?

Thanks for all the help guys. I'll check out those links. :)
 

freecrm

Wouldn't it be easier to just go ahead and change the form instead of switching one variable for another later or would this cause problems down the road?

You would think!!

However, the information has to be posted before you can do anything with it.

Changing the form will have little effect because the action is "hiUser.php" which means the data in the fields within this form will carry over to this page when you click submit.

The other alternative is to blend the php in with the form. In other words, you would have something like

PHP:
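<?php
session_start(); // needed before $_SESSION can be used
if (isset($_POST['userName'])) { // asks if the form has been submitted (the submit button in the form above has no name, so check the text field)
$_SESSION['userName'] = $_POST['userName']; // assigns the form data to session
echo "Hello " . htmlspecialchars($_SESSION['userName'], ENT_QUOTES, 'UTF-8'); // prints value of userName, escaped for HTML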
} else { //or if the form hasn't been submitted
?>
 
put your form here, but the action would be null (action="") which will post back to the same page.
 
<?php } ?>
 
Two jobs done in one!

I'm unsure of the newer PHP version but from what I learned so far this:
$_SESSION['userName'] = $_POST['userName'];
Means it gets (=) shouldn't it be it is equal to (==)?

Nope - this confused me to start.

If you are requesting a comparison you use a double equal

PHP:
<?php
if ($_SESSION['userName'] == "Administrator") { 
echo "Hi Administrator";
} ?>

Similarly, you can use other characters that are doubled

PHP:
<?php
if ($_SESSION['userName'] == "Administrator" && $_SESSION['userType'] == "A cool Dude") { 
echo "hi cool dude.";
} ?>

but in this case, you are defining a variable, so a single equal is all you need.

PHP:
$a = 1;
$b = 2;
$c = $a + $b;
echo $c;

For future reference, there are 3 main types of variable

$_POST (from a form)
$_GET (from the URL. Can be used when you are passing a variable in a link)
$_SESSION (duh!...what we've been talking about)
 

misson

For future reference, there are 3 main types of variable

$_POST (from a form)
$_GET (from the URL. Can be used when you are passing a variable in a link)
$_SESSION (duh!...what we've been talking about)

Other useful predefined variables:
  • $_REQUEST: contains data from $_GET, $_POST and $_COOKIE.
  • $_SERVER: Server information. Includes variables from the CGI spec.
  • $_FILES: Information about files uploaded via an <input type="file"> element.
See the PHP manual for more predefined variables and more information.
 

risendead

What you said makes sense. One (=) gives a variable a value. Two (==) just compares to see if the variables are the same. Thanks for the help guys. Looks like I'll have a better understanding now.

Still have a lot to learn though, since what you can create with web design is near infinite. :)
 

xav0989

And three (===) compares both the value and the variable type.

i.e.
PHP:
$string = '1'; // string
$int = 1; // number

var_dump($string == $int); // will evaluate to true since you are only checking the value

var_dump($string === $int); // will evaluate to false since you are also comparing the variable type
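
An added example, not from the thread, that goes one step beyond the `==`/`===` snippet above: when a value from a form is checked against a stored token, `==` also treats numeric-looking strings as numbers, so a check on secrets should require a string and compare it exactly. The function names and token values are constructed for illustration.

```php
<?php
// Added example with constructed values; not code from the thread.

function token_matches_loose($expected, $supplied) {
    // == treats two numeric-looking strings as numbers before comparing them
    return $expected == $supplied;
}

function token_matches_strict($expected, $supplied) {
    // Accept only a string, then compare every byte in constant time
    return is_string($supplied) && hash_equals($expected, $supplied);
}

$expected = '1000'; // constructed stored value
$candidates = array('1000', '1e3', ' 1000', 1000, '1001'); // constructed inputs

// One row per candidate: the loose check accepts every numeric spelling of
// 1000, the strict check accepts only the identical string.
foreach ($candidates as $supplied) {
    printf(
        "%-8s loose=%-5s strict=%s\n",
        var_export($supplied, true),
        var_export(token_matches_loose($expected, $supplied), true),
        var_export(token_matches_strict($expected, $supplied), true)
    );
}
```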
 