Initialising setup for form page

Scenario: HTML page with simple form (action = “post”). At top of page is PHP section that initialises the variables and processes the $_POST.

The initialisation, which consists of setting up blank variables, and retrieving data from database and assigning to variables if found, is contained in if (! isset($loop) ) {…} structure and within that structure the $loop variable is defined, so that the structure is ignored in future step throughs of the PHP code (e.g. when the submit button is pressed).

It appears to work ok, except every time the submit button is pressed the construct is entered (see call to alert in construct that displays every time SUBMIT is pressed).

The $_POST does some validation and displays error messages and returns focus to form if problems, otherwise saves data to database, and closes page. This bit appears to work ok.

Having come from other (desktop) programming languages I am struggling to see why the $looped is being ignored.

<?php
include 'inc/accsessconn.php';

if (!isset($looped)) {
// define variables and set to empty values
    $type = $username = $password = $userlevel = "";
    $inpname = $inplevel = $inppass1 = $inppass2 = "";
    $looped = "In setup";
    echo "<script>alert('$looped');</script>";

    if (isset($_GET["edit_id"])) {
        $edit_id = $_GET["edit_id"];
        if ($edit_id > 0) {
            $acc_query = $conn->query("SELECT * FROM `admin` WHERE `admin_id` = '$edit_id'") or die(mysqli_error($conn));
            $acc_fetch = $acc_query->fetch_array();
            $username = $acc_fetch['username'];
            $userlevel = $acc_fetch['level'];
            $type = "Amend User: " . $username;
            $inpname = $username;
            $inplevel = $userlevel;
        } else {
            $type = "Add New User";
            $userlevel = "0";
        }
    }
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
//...............
}


function tidy_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

Web servers are stateless. They don’t know anything about any previous request. They only receive the inputs that come with or are created for the current request. Any regular program variable, like $looped, is destroyed when your script ends on any request and doesn’t exist until the code explicitly creates it again on the next request.

To retain ‘state’ in this stateless process, you would need to pass the value from one request to the next, either through a $_POST, $_GET, $_COOKIE, or $_SESSION variable. If a user should not have the ability to accidentally or deliberately (i.e. a hacker) alter the value, you should use a $_SESSION variable.

Next, this code pattern either directly or indirectly came from w3schools. It is filled with unnecessary statements that don’t add any value, a ton of copying variables to other variables with no purpose, it is altering input data, and it is insecure. Code should be secure, in all contexts, provide a good user experience, be simple, general-purpose, reusable, and contain enough validate/error handling logic so that it will either work or it will tell you (display/log) why it doesn’t work.


In looking at what process you are (most likely) trying to accomplish, editing existing data or inserting new data, without fetching the existing data again if the form has already been submitted, you can accomplish this by putting the post method form processing code above the code that’s responsible for retrieving the existing data, copying the $_POST data into a common, trimmed, array variable, then testing if this common array variable is empty before executing the code that gets the existing data. You would also fetch the existing data into this common array variable, then use this common array variable throughout the rest of the code, e.g. for the form field values.

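The layout described in the reply above, as an added example that is not code from the thread: POST processing first, a trimmed common array, the database fetch only when that array is empty, a bound parameter instead of `$edit_id` inside the SQL string, and escaping only at output. Assumptions: PDO with in-memory SQLite and a constructed `admin` row stand in for the page's mysqli `$conn`, and the `$post`, `$errors` and `$e` names are hypothetical.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO stands in for the page's
// mysqli $conn so the script runs offline; the admin row below is constructed.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, username TEXT, level TEXT)");
$pdo->exec("INSERT INTO admin (admin_id, username, level) VALUES (1, 'alice', '2')");

$edit_id = filter_input(INPUT_GET, 'edit_id', FILTER_VALIDATE_INT) ?: 0;
$post = [];    // common working array (hypothetical name) used for the whole request
$errors = [];

// 1. Form processing comes first and runs only on a POST request.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $post = array_map(fn($v) => is_string($v) ? trim($v) : '', $_POST); // trim only
    if (($post['username'] ?? '') === '') {
        $errors['username'] = 'Username is required';
    }
    if (!$errors) {
        // Bound parameters keep user input out of the SQL text.
        $sql = $edit_id > 0
            ? 'UPDATE admin SET username = ?, level = ? WHERE admin_id = ?'
            : 'INSERT INTO admin (username, level) VALUES (?, ?)';
        $args = [$post['username'], $post['level'] ?? '0'];
        if ($edit_id > 0) { $args[] = $edit_id; }
        $pdo->prepare($sql)->execute($args);
    }
}

// 2. Fetch the existing row only when no form data was submitted.
if (!$post && $edit_id > 0) {
    $stmt = $pdo->prepare('SELECT username, level FROM admin WHERE admin_id = ?');
    $stmt->execute([$edit_id]);
    $post = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}
$post += ['username' => '', 'level' => '0'];   // defaults for "Add New User"

// 3. Escape when writing into HTML, not when reading input.
$e = fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8');
?>
<form method="post">
  <?php foreach ($errors as $msg): ?><p><?= $e($msg) ?></p><?php endforeach; ?>
  <input name="username" value="<?= $e($post['username']) ?>">
  <input name="level" value="<?= $e($post['level']) ?>">
  <button type="submit">Save</button>
</form>
```

Because the form is redisplayed from `$post`, a failed validation keeps what the user typed instead of reloading the stored row, which is the behaviour the `$looped` flag was meant to achieve.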

Many thanks for your replies - hadn’t thought about the points you raised - comes from too many years using PASCAL.

Have followed your comments about positioning of the POST block, and using SESSION variables, and it now seems to work ok.

Something to remember for the future!
