
Thread: PHP - Hi User script?

  1. #1
    risendead is offline x10Hosting Member risendead is an unknown quantity at this point
    Join Date
    May 2009
    Posts
    43

    PHP - Hi User script?

    I'm learning PHP from a book called "PHP/MySQL Programming for the absolute beginner".

    In it there's a program where the user types their name and clicks the submit button. This is supposed to create a variable $userName and the php page is supposed to display Hi there, $userName!

    When I tried it on my local machine and on these servers it wouldn't work correctly. The html page displayed normally and the php page displayed fine except it wouldn't print the $userName as if it had never received it.

    Here's the code:

    HTML part:

    <html>
    <head>
    <title>What's your name?</title>
    </head>
    <body>
    <h1>What's your name?</h1>
    <h3>Writing a form for user input</h3>
    <form method = "post" action = "hiUser.php">
    Please type your name:
    <input type = "text" name = "userName">
    <br>
    <input type = "submit">
    </form>
    </body>
    </html>

    PHP part:

    <html>
    <head>
    <title>Hi User</title>
    </head>
    <body>
    <h1>Hi User</h1>
    <h3>PHP program that receives a value from "whatsName"</h3>
    <?
    print "<h3>Hi there, $userName!</h3>";
    ?>
    </body>
    </html>

    What's wrong with it? From what I've learned so far the code should work, it seems to make sense. :happysad:

  2. #2
    Livewire is offline Abuse Compliance Officer Livewire is a glorious beacon of lightLivewire is a glorious beacon of light
    Join Date
    Jun 2005
    Location
    Behind a keyboard.
    Posts
    8,998

    Re: PHP - Hi User script?

    The code is assuming Register_Globals is on, which it will virtually -never- be. Replace that book now because it's relying on a function which no longer exists in PHP6, was defaulted to Off sometime in php5, and is deprecated as of somewhat recently.


    To fix:

    replace:

    <?
    print "<h3>Hi there, $userName!</h3>";
    ?>

    with:

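    <?php
    $userName = $_POST['userName']; //this gets the value from <input type = "text" name = "userName">
    print "<h3>Hi there, " . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8') . "!</h3>"; // escape user input before writing it into HTML
    ?>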



    What it boils down to is Register_Globals was automatically making your $userName without you having to go $username=$_POST['userName']. This sounds like a wonderful idea until someone figures out what the variables are that you're using, and does something like pagename.php?admin=1&authenticated=1 - it'll automatically create $admin and $authenticated and set them to 1, which may very well give them administrative access if your script uses those two variables and doesn't do a good job verifying they were set correctly.

    If coded properly no script will have that security issue, however the fact remains it's a massive security hole and has been closed for some time :S
    Last edited by Livewire; 05-15-2009 at 06:11 AM.


    TOS breakers will be suspended regardless of race, creed, national origin, hair color, or favorite food. Thanks for your understanding!
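
The risk described in post #2, as an added example that is not part of the original thread: `extract()` stands in here for what register_globals did, and the function names, session keys and request arrays are constructed for illustration.

```php
<?php
// Added example: why auto-created request variables are dangerous, and the
// explicit alternative. extract() only imitates register_globals here.

// Legacy style: $admin and $authenticated are never initialised by the script,
// so whatever the request supplies becomes their value.
function legacyIsAdmin(array $request): bool
{
    extract($request); // imitates register_globals (assumption for illustration)
    return !empty($admin) && !empty($authenticated);
}

// Hardened style: flags start from a known state and are derived only from
// server-side data (a session-like array), never from request parameters.
function hardenedIsAdmin(array $request, array $session): bool
{
    $admin = false;
    $authenticated = false;
    if (isset($session['userId'])) {
        $authenticated = true;
        $admin = ($session['role'] ?? '') === 'admin';
    }
    return $admin && $authenticated;
}

// Form fields are still read from the request, but by explicit name,
// validated, and escaped at the point of output.
function greeting(array $post): string
{
    $name = '';
    if (isset($post['userName']) && is_string($post['userName'])) {
        $name = trim($post['userName']);
    }
    if ($name === '') {
        $name = 'stranger';
    }
    return '<h3>Hi there, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!</h3>';
}

// Constructed sample input: a request carrying the two flag names from post #2,
// and a session for a logged-in user who is not an administrator.
$request = ['admin' => '1', 'authenticated' => '1', 'userName' => '<b>Sam</b>'];
$session = ['userId' => 42, 'role' => 'member'];

var_dump(legacyIsAdmin($request));             // decided by the request
var_dump(hardenedIsAdmin($request, $session)); // decided by the session
echo greeting($request), "\n";                 // markup in the name is escaped
```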

  3. #3
    risendead is offline x10Hosting Member risendead is an unknown quantity at this point
    Join Date
    May 2009
    Posts
    43

    Re: PHP - Hi User script?

    Thanks for the quick reply. Yeah if the book is outdated I definitely don't want to spend time learning things the wrong way. At least I had only made it to the second chapter before wasting too much time.

    Know of any good sites to learn from?
    Last edited by risendead; 05-15-2009 at 06:21 AM.

  4. #4
    garrettroyce is offline Generally Helpful Member garrettroyce is a glorious beacon of lightgarrettroyce is a glorious beacon of light
    Join Date
    Apr 2008
    Location
    IL, USA
    Posts
    3,746

    Re: PHP - Hi User script?

    I go straight to http://php.net for most of my questions, but http://w3schools.com has very good tutorials on all web programming languages.
    gjr.gr - coming soon: secrets of OCD coding from a self taught tinkerer

  5. #5
    freecrm is offline x10 Elder freecrm is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    629

    Re: PHP - Hi User script?

    In addition to the comments above, you might like to consider how variables are handled from page to page.

    More specifically, $_POST information is only transferred from one page to another - or to itself. In other words, let's say your "user" (which is unauthenticated) enters their name in as suggested, it will only show on the hiUser.php page. As soon as that same user goes to a different page, the form values don't exist anymore, which means that your system no longer recognises the user!

    As an alternative to $_POST variables, there are also $_SESSION variables, which stay in server memory until the browser is closed. This is ideal for user login scripts and the like. Your form can stay the same, but in the php page, you would alter it slightly as follows:



    PHP Code:
    session_start(); // must run before $_SESSION is used, on every page that uses it
    $_SESSION['userName'] = $_POST['userName'];


    This takes the value from your form and assigns it to the $_SESSION memory.

    After that, you can put...

    PHP Code:
    echo $_SESSION['userName']; 
    In any page you want and it will retrieve the value from memory.

    This is particularly useful with page authentication, because you can check the $_SESSION value and allow/deny access based on it.

    This is of course a very simplified piece of code but I thought it might help understand the basics.

  6. #6
    risendead is offline x10Hosting Member risendead is an unknown quantity at this point
    Join Date
    May 2009
    Posts
    43

    Re: PHP - Hi User script?

    Wouldn't it be easier to just go ahead and change the form instead of switching one variable for another later or would this cause problems down the road?

    I'm unsure of the newer PHP version but from what I learned so far this:
    $_SESSION['userName'] = $_POST['userName'];
    Means it gets (=) shouldn't it be it is equal to (==)?

    Thanks for all the help guys. I'll check out those links.
    Last edited by risendead; 05-15-2009 at 08:11 AM.

  7. #7
    freecrm is offline x10 Elder freecrm is an unknown quantity at this point
    Join Date
    May 2008
    Location
    UK
    Posts
    629

    Re: PHP - Hi User script?

    Quote Originally Posted by risendead View Post
    Wouldn't it be easier to just go ahead and change the form instead of switching one variable for another later or would this cause problems down the road?
    You would think!!

    However, the information has to be posted before you can do anything with it.

    Changing the form will have little effect because the action is "hiUser.php" which means the data in the fields within this form will carry over to this page when you click submit.

    The other alternative is to blend the php in with the form. In other words, you would have something like

    PHP Code:
    <?php
    session_start(); // required before $_SESSION can be used
    if (isset($_POST['submit'])) { // asks if the form has been submitted (the submit button needs name="submit")
    $_SESSION['userName'] = $_POST['userName']; // assigns the form data to session
    echo "Hello " . htmlspecialchars($_SESSION['userName'], ENT_QUOTES, 'UTF-8'); // prints the escaped value of userName
    } else { // or if the form hasn't been submitted
    ?>

    put your form here, but the action would be null (action="") which will post back to the same page.

    <?php } // closes the else block ?>
     
    Two jobs done in one!
    Quote Originally Posted by risendead View Post
    I'm unsure of the newer PHP version but from what I learned so far this:
    $_SESSION['userName'] = $_POST['userName'];
    Means it gets (=) shouldn't it be it is equal to (==)?
    Nope - this confused me to start.

    If you are requesting a comparison you use a double equal

    PHP Code:
    <?php
    if ($_SESSION['userName'] == "Administrator") {
    echo "Hi Administrator";
    }
    ?>
    Similarly, you can use other characters that are doubled

    PHP Code:
    <?php
    if ($_SESSION['userName'] == "Administrator" && $_SESSION['userType'] == "A cool Dude") {
    echo "hi cool dude.";
    }
    ?>
    but in this case, you are defining a variable, so a single equal is all you need.

    PHP Code:
    $a = 1;
    $b = 2;
    $c = $a + $b;
    echo $c;
    For future reference, there are 3 main types of variable

    $_POST (from a form)
    $_GET (from the URL. Can be used when you are passing a variable in a link)
    $_SESSION (duh!...what we've been talking about)

  8. #8
    misson is offline x10 Spammer misson is a jewel in the rough
    Join Date
    Mar 2008
    Location
    Libertatia
    Posts
    2,506

    Re: PHP - Hi User script?

    Quote Originally Posted by freecrm View Post
    For future reference, there are 3 main types of variable

    $_POST (from a form)
    $_GET (from the URL. Can be used when you are passing a variable in a link)
    $_SESSION (duh!...what we've been talking about)
    Other useful predefined variables:
    • $_REQUEST: contains data from $_GET, $_POST and $_COOKIE.
    • $_SERVER: Server information. Includes variables from the CGI spec.
    • $_FILES: Information about files uploaded via an <input type="file"> element.
    See the PHP manual for more predefined variables and more information.

  9. #9
    risendead is offline x10Hosting Member risendead is an unknown quantity at this point
    Join Date
    May 2009
    Posts
    43

    Re: PHP - Hi User script?

    What you said makes sense. One (=) gives a variable a value. Two (==) just compares to see if the variables are the same. Thanks for the help guys. Looks like I'll have a better understanding now.

    Still have a lot to learn though, since what you can create with web design is near infinite.

  10. #10
    xav0989 is offline Community Public Relation xav0989 is just really nice
    Join Date
    Jul 2008
    Location
    ifk
    Posts
    4,438

    Re: PHP - Hi User script?

    And three (===) compares both the value and the variable type.

    i.e.
    PHP Code:
    $string = '1'; // string
    $int = 1; // number

    $string == $int; //will evaluate to true since you are only checking the value

    $string === $int; //will evaluate to false since you are also comparing the variable type
    Xavier L | Community Public Relations Manager (Free Hosting Support)
