
Why do I need to use echo in form submission?


googleankan


Hi,

 

I wonder why echo is needed in the following line of code (for a safe form submission)? I have searched for an answer but everyone seems to discuss the htmlspecialchars thing, but no one explains the "echo".

 

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

 

When I use this piece of code it results in a zero printed out on my website...

 

Thanks a lot!


Hi Davej,

 

So incredibly silly of me! I have searched the document several times for any other "echo" or "print" without success, so I assumed that the echo above was the reason for the printed zero. But now I realised it was just a simple "0" that slipped into the code :-S

Thanks for pointing me in the right direction!

 

But, I'm still curious about the "echo" in the form tag. Why is it needed and what does it do?


echo prints out what htmlspecialchars (a function in PHP) returns when you pass $_SERVER['PHP_SELF'] to it.

 

$_SERVER['PHP_SELF'] contains the current file name. For the action attribute, you may be able to just write into the action the name of the page instead of doing the whole php echo.


The form action is the destination of the form submittal, but the default action is the current page if you omit the action attribute, so even though it became traditional to use PHP_SELF it is probably a bad idea, because it is vulnerable to a hacker exploit unless you also use the htmlspecialchars() function, so why do all that when you can simply omit the action?

 

When you have a snippet of code such as...

<?php echo $myname; ?>

...what you are doing is executing a small amount of PHP code in order to generate a small part of your HTML. The PHP command echo prints the $myname variable.

 

http://www.w3schools.com/php/func_string_echo.asp

 

---last edit 5:56CDT Aug 12---


Thanks!

I get that echo is for printing, but why is that command used in the action tag? Why do I need to print anything there? I thought that I was only supposed to call a function? From my rather basic knowledge point of view, I would rather have it like this (without the echo):

 

<form method="post" action="<?php htmlspecialchars($_SERVER["PHP_SELF"]);?>">


Because the PHP doesn't know what the HTML does. Everything outside the <?php ?> block is completely irrelevant to the code.

 

As far as PHP is concerned, there's no difference between

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

and

ABC<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>XYZ

From my rather basic knowledge point of view, I would rather have it like this (without the echo):

<form method="post" action="<?php htmlspecialchars($_SERVER["PHP_SELF"]);?>">

So, try that and see what happens. Put that code on the page, load it in the browser, use the browser to view the HTML source, and look at the form tag to see what PHP did.
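
The form tag variants discussed in this thread, rendered side by side so the generated HTML can be compared. This is an added example, not part of any post above; the `$phpSelf` value is constructed sample input standing in for `$_SERVER['PHP_SELF']`, and `render()` is a hypothetical helper used only to capture the output.

```php
<?php
// Added example, not code from the thread.
// Constructed sample value standing in for $_SERVER['PHP_SELF'] when extra
// characters are appended after the script name in the request path.
$phpSelf = '/form.php/"><b>injected</b>';

// Capture what a template fragment writes to the page. Only echo/print and
// the literal HTML outside the PHP tags produce output.
function render(callable $fragment): string
{
    ob_start();
    $fragment();
    return ob_get_clean();
}

$cases = [
    // Function called, return value discarded: nothing reaches the attribute.
    'no echo' => render(function () use ($phpSelf) {
        ?><form method="post" action="<?php htmlspecialchars($phpSelf); ?>"><?php
    }),
    // Echo without encoding: the quote in the value closes the attribute early.
    'echo, unescaped' => render(function () use ($phpSelf) {
        ?><form method="post" action="<?php echo $phpSelf; ?>"><?php
    }),
    // Echo of the encoded value: quotes and angle brackets become entities.
    'echo + htmlspecialchars' => render(function () use ($phpSelf) {
        ?><form method="post" action="<?php echo htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8'); ?>"><?php
    }),
    // No action attribute: the browser submits to the current URL.
    'action omitted' => render(function () {
        ?><form method="post"><?php
    }),
];

foreach ($cases as $label => $html) {
    // True when the raw sample markup survived into the generated HTML.
    $rawMarkup = strpos($html, '<b>injected</b>') !== false;
    printf("%-24s raw markup in page: %-3s  %s\n", $label, $rawMarkup ? 'yes' : 'no', $html);
}
```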
