Jump to content

Why do I need to use echo in form submission?


googleankan
 Share

Recommended Posts

Hi,

 

I wonder why echo is needed in the following lite of code (for a safe form submission)? I have searched for an answer but everyone seems to discuss the htmlspecialchar thing, but noone explains the "echo".

 

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

 

When I use this piece of code it results in a zero printed out on my website...

 

Thanks a lot!

Link to comment
Share on other sites

Hi Davej,

 

So incredible silly of me! I have searched the document several times for any other "echo" or "print" without success, so I assumed that the echo above was the reason for the printed zero. But now I realised it was just a simple "0" that slipped in to the code :-S

Thanks for pointing me in the right direction!

 

But, I'm still curious about the "echo" in the form tag. Why is it needed and what does it do?

Link to comment
Share on other sites

echo prints out what htmlspecialchars (a function in PHP) returns from when you pass $_SERVER['PHP_SELF'] to it.

 

$_SERVER['PHP_SELF'] contains the current file name. For the action attribute, you may be able to just write into the action the name of the page instead of doing the whole php echo.

Link to comment
Share on other sites

The form action is the destination of the form submittal, but the default action is the current page if you omit the action attribute, so even though it became traditional to use PHP_SELF it is probably a bad idea, because it is vulnerable to a hacker exploit unless you also use the htmlspecialchars() function, so why do all that when you can simply omit the action?

 

When you have a snippet of code such as...

<?php echo $myname; ?>

...what you are doing is executing a small amount of Php code in order to generate a small part of your HTML. The Php command echo prints the $myname variable.

 

http://www.w3schools.com/php/func_string_echo.asp

 

---last edit 5:56CDT Aug 12---

Link to comment
Share on other sites

Thanks!

I get that echo is for printing, but why is that command used in the action tag? Why do I need to print anything there? I thought that I was only supposed to call a function? From my rather basic knowledge point of view, I would rather have it like this (without the echo):

 

<form method="post" action="<?php htmlspecialchars($_SERVER["PHP_SELF"]);?>">

Link to comment
Share on other sites

Because the PHP doesn't know what the HTML does. Everything outside the <?php ?> block is completely irrelevant to the code.

 

As far as PHP is concerned, there's no difference between

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

and

ABC<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>XYZ
Link to comment
Share on other sites

From my rather basic knowledge point of view, I would rather have it like this (without the echo):<form method="post" action="<?php htmlspecialchars($_SERVER["PHP_SELF"]);?>">

So, try that and see what happens. Put that code on the page, load it in the browser, use the browser to view the HTML source, and look at the form tag to see what PHP did.
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...