Thread: Smart Forms

  1. #11
    lh3vs3 (x10Hosting Member, Join Date: Mar 2009, Posts: 8)

    Re: Smart Forms

    Here is request_confirm.php:
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <!--
    Design by Free CSS Templates
    http://www.freecsstemplates.org
    Released for free under a Creative Commons Attribution 2.5 License
    
    Name       : Free Port
    Description: A two-column, fixed-width design for 1024x768 screen resolutions.
    Version    : 1.0
    Released   : 20090122
    
    -->
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <title>League de Hockey 3vs3</title>
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <link href="style.css" rel="stylesheet" type="text/css" media="screen" />
    </head>
    <body>
    <?php
    include("header.php");
    ?>
    <div id="page">
    	<div id="content">
    		<div class="post">
    
    			<h2 class='title'>Cr&eacute;er une &eacute;quipe</h2>
    			<p class='date'><?php echo date("Y.m.d"); ?></p>
    			<p class='meta'><em>Posted by Aravinthan</em></p>
    			<div class='entry'>
    <?php
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $teamname = $_POST['teamname'];
    $receiver = $_POST['receiver'];
    $link = mysql_connect ("localhost", "lh3vs3_ara", "1992arayugi")
    or die(mysql_error()); /* call the function instead of printing its name */
    mysql_select_db ("lh3vs3_league", $link);
    $error = 0; /* number of failed input checks; must exist before ++$error */
    /*check if fname is entered */
    if(!$fname || strlen($fname = trim($fname)) == 0){
      echo "Veuillez entrez votre pr&eacute;nom";
      ++$error;
    }
    /*check if lname is entered */
    if(!$lname || strlen($lname = trim($lname)) == 0){
      echo "Veuillez entrez votre nom de famille";
      ++$error;
    }
    /* check if player in a team*/
    /* the SQL string has to be run with mysql_query before it can be fetched from */
    $checkteam = mysql_query("SELECT teamname FROM players WHERE fname= '$fname' AND lname = '$lname'", $link);
    $retreive_team = mysql_fetch_array($checkteam);
    if(mysql_num_rows($checkteam)) {
      echo "Vous avez d&eacute;ja choisi votre nom d'&eacute;quipe:" .$retreive_team['teamname']. "";
    }
    else {
    $avai_team = mysql_query("SELECT * FROM `available_teams` ORDER BY teamname DESC",$link);
    while($teams = mysql_fetch_array($avai_team))
    {
    echo "<form method='post'>
    <select name='teamname'>";
    echo "<option value='" .$teams['teamname']. "'>" .$teams['teamname']. "</option>"; /* the loop variable is $teams, not $team */
    echo "</select>";
    echo " <input type='submit' value='Confirmer'/>";
    }
    }
    if($error>0){
    echo "Veuillez retourner &agrave; la page de demande et r&eacute;essaye";
    }
    else{
    /* enter values into team_maker table */
    $result = mysql_query("SELECT * FROM `players` WHERE fname='$fname' AND  lname='$lname'",$link);
    $retreive = mysql_fetch_array($result);
    $asker = "" .$retreive['playerid']. "";
    mysql_query("INSERT INTO team_maker (asker, receiver, teamname, date)
    VALUES ('$asker', '$receiver','$teamname', NOW())");
    /* delete teamname from availabe_teams table */
    mysql_query("DELETE FROM `available_teams` WHERE teamname='$teamname'")
    or die(mysql_error());
    /* get email adress */
    $result1 = mysql_query("SELECT * FROM `players` WHERE playerid='$receiver'",$link);
    $retreive1 = mysql_fetch_array($result1);
    $email = "" .$retreive1['email']. "";
    /* send email */
    $to = "$email";
    $subject = "Demande de joindre une &eacute;quipe";
    $body = "$fname,$lname veut que vous jouez ensemble pour l'&eacute;quipe $teamname. Veuillez utiliser ce lien pour donner votre r&eacute;ponse: <a href='http://lh3vs3.x10hosting.com/view_request.php?asker=$asker&receiver=$receiver'>http://lh3vs3.x10hosting.com/team_maker.php?asker=$asker&receiver=$receiver</a>";
    if (mail($to, $subject, $body)) {
      echo("<p>Votre demande a &eacute;t&eacute; confirmer, vous receverez un courriel d&egrave;s que le joueur a r&eacute;pondu.</p>");
     } else {
      echo("<p>Il y a une probl&egrave;me pr&eacute;sentement. Veuillez re-&eacute;ssayer plus tard.</p>");
     }
     }
    ?>
    <p class='links'></p></div>
    
    
    		</div>
    	</div>
    	<!-- end #content -->
    <?php include("sidebar.php"); ?>
    	<!-- end #sidebar -->
    	<div style="clear: both;">&nbsp;</div>
    </div>
    <!-- end #page -->
    <?php
    include("copyright.php");
    ?>
    
    <!-- end #footer -->
    </div>
    </body>
    </html>
    I think it's here:
    Code:
    echo "<form method='post'>
    <select name='teamname'>";
    echo "<option value='" .$teams['teamname']. "'>" .$teams['teamname']. "</option>";
    echo "</select>";
    echo " <input type='submit' value='Confirmer'/>";
    }
    }
    As I am resending the POST, the older POST values get erased;
    could that be the problem?

  2. #12
    misson (Community Advocate, Join Date: Mar 2008, Location: Libertatia, Posts: 1,133)

    Re: Smart Forms

    Quote Originally Posted by lh3vs3:
    The problem is that I get to the part where it asks to choose a team name, but when I choose it, it says:
    please enter lname, fname....
    Quote Originally Posted by lh3vs3:
    As I am resending the POST, the older POST values get erased;
    could that be the problem?
    Yes, that's it exactly. Adding hidden inputs to the form that picks the team name will fix this bug. Note also that if you use GET rather than POST as the form submission method for request.php (and use $_REQUEST rather than $_POST), the old values carry over because the URL will be preserved.

    There are other things that need attention:
    • On line 26 of request.php:
      Quote Originally Posted by lh3vs3:
      Code:
      <?php $playerid = $GET_['playerid']; ?>
      That should be $_GET, not $GET_. Better still, use $_REQUEST.
    • Generating a form for each team name in request_confirm.php just produces clutter:
      Quote Originally Posted by lh3vs3:
      Code:
      while($teams = mysql_fetch_array($avai_team))
      {
      echo "<form method='post'>
      <select name='teamname'>";
      echo "<option value='" .$teams['teamname']. "'>" .$teams['teamname']. "</option>";
      echo "</select>";
      echo " <input type='submit' value='Confirmer'/>";
      }
      }
      You probably want something like:
      Code:
      <form method='post'>
      <?php
        foreach ($_REQUEST as $key => $val) {
          if ($key != 'teamname')
            // escape both parts so a request value cannot break out of the attribute
            echo '  <input type="hidden" name="',htmlspecialchars($key),'" value="',htmlspecialchars($val),'" />';
        }
      ?>
        <select name='teamname'>
      <?php  while($teams = mysql_fetch_array($avai_team)) {
        echo "    <option value='" .$teams['teamname']. "'>" .$teams['teamname']. "</option>";
      } ?>
        </select>
        <input type='submit' value='Confirmer'/>
      </form>
    • The code to access the DB is scattered across many pages. Much better to design a data access layer (DAL) API so that the other pages can be database agnostic, then collect all that DB access code in a single file. If you're not certain what that means, I'm basically saying write functions/objects to interface w/ the database (the data access layer) so the rest of the scripts don't even have to know a database is involved (database agnostic), they just call functions. If x10hosting supported PDO, you wouldn't have to design your own DB access layer. You might also be able to install PDO for PHP4.
    • THIS IS A BIG ONE: you need to validate and filter user input (the form variables) to prevent SQL injection. Using POST rather than GET is not secure; it's still trivial to submit arbitrary values. The two natural places to perform validation/filtering are when you first get the user input (i.e. whenever you reference $_REQUEST, $_GET and $_POST) and in the DAL. The latter is safer because you won't forget to validate; the only trick is the DAL can't know what types the form variables are and so needs to be told. You could also validate/filter at both levels, validating at the script level and performing basic filtering in the DAL. Wherever you validate/filter, you can use the filter functions.
    • In request_confirm.php, you never test whether $teamname is set, so the page always calls team_maker and sends an e-mail. You could fix this by adding a test on $teamname, but I recommend separating the form that picks the team from the script that does the final processing; it'll be much cleaner.
    • If you separate the team selection from the final form processing, look for a way to move the code that selects the team to the 1st form. Entering both person name & team name seems redundant. What's the asker's relationship to the teams? You should design web forms so that users have to take as few steps as possible.
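    An added example that pulls the points above together (it is not lh3vs3's code nor misson's): a small data access layer on PDO with prepared statements, script-level validation with the filter functions, the hidden inputs that carry the first form's values into the second POST, and a test on $teamname so the final processing only runs once a team was actually chosen. It assumes a PDO connection in $pdo and the players / available_teams / team_maker tables and columns named in the thread; wrapping the delete/insert pair in a transaction is an addition the thread does not mention.

```php
<?php
// Added example (not code from the thread): PDO data access layer with prepared
// statements, validation via the filter functions, and hidden-input carry-over.
// Assumes a PDO connection $pdo and the players / available_teams / team_maker tables.
function valid_name($s) {
    // Trimmed, non-empty, bounded length, letters/spaces/hyphens/apostrophes only.
    $s = trim((string)$s);
    return ($s !== '' && strlen($s) <= 60 && preg_match("/^[\\p{L} '-]+$/u", $s)) ? $s : null;
}
function available_teams(PDO $pdo) {
    return $pdo->query('SELECT teamname FROM available_teams ORDER BY teamname')->fetchAll(PDO::FETCH_COLUMN);
}
function claim_team(PDO $pdo, $fname, $lname, $receiver, $teamname) {
    // Names and team are bound as parameters, never concatenated into the SQL text.
    $pdo->beginTransaction();
    $st = $pdo->prepare('SELECT playerid FROM players WHERE fname = ? AND lname = ?');
    $st->execute(array($fname, $lname));
    $asker = $st->fetchColumn();
    $del = $pdo->prepare('DELETE FROM available_teams WHERE teamname = ?');
    $del->execute(array($teamname));
    // Unknown player, or the team was already taken by a concurrent request: undo everything.
    if ($asker === false || $del->rowCount() !== 1) { $pdo->rollBack(); return false; }
    $ins = $pdo->prepare('INSERT INTO team_maker (asker, receiver, teamname, date) VALUES (?, ?, ?, NOW())');
    $ins->execute(array($asker, $receiver, $teamname));
    $pdo->commit();
    return true;
}
// Script level: every form variable is validated before anything else uses it.
$fname    = valid_name(filter_input(INPUT_POST, 'fname'));
$lname    = valid_name(filter_input(INPUT_POST, 'lname'));
$receiver = filter_input(INPUT_POST, 'receiver', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
$teamname = filter_input(INPUT_POST, 'teamname');
if ($fname === null || $lname === null || !$receiver) {
    exit('<p>Veuillez entrer votre pr&eacute;nom, votre nom et un joueur valide.</p>');
}
$h = function ($v) { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); };
if ($teamname === null) {
    // Step 1: the validated values ride along as hidden inputs so the second POST keeps them.
    echo "<form method='post'>\n";
    foreach (array('fname' => $fname, 'lname' => $lname, 'receiver' => $receiver) as $k => $v)
        echo "  <input type='hidden' name='$k' value='" . $h($v) . "' />\n";
    echo "  <select name='teamname'>\n";
    foreach (available_teams($pdo) as $t)
        echo "    <option value='" . $h($t) . "'>" . $h($t) . "</option>\n";
    echo "  </select>\n  <input type='submit' value='Confirmer' />\n</form>\n";
} elseif (claim_team($pdo, $fname, $lname, $receiver, $teamname)) {
    echo '<p>Demande enregistr&eacute;e.</p>'; // the e-mail to the receiver from the thread would go here
} else {
    echo '<p>Cette &eacute;quipe n&#39;est plus disponible.</p>';
}
```

    Because every SQL statement takes its values as bound parameters and every echoed value goes through htmlspecialchars, neither the names nor the team name can alter the query or the generated form markup.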

  3. #13
    lh3vs3 (x10Hosting Member, Join Date: Mar 2009, Posts: 8)

    Re: Smart Forms

    OK, thanks a lot, misson.
    There are some things that I don't get, well one basically: it's the DAL.
    I know that I have to give the connection using one file; that's what I started doing, but for some reason x10 bugged at the beginning.
    And I will think of redesigning the form. I think you are right; I will come back to you with it.
