How do I make a PHP form that submits to self?

N

6

59

How do I make a self-posting/self-submitting form, i.e. a form that submits the results to itself, instead of submitting to another form?

Nabors answered 29/4, 2011 at 1:3 Comment(2)

You can also just leave the action off, and it defaults to the current page. – Izmir 29/4, 2011 at 1:6

@Izmir There is an old bug that probably isn't too relevant today with WebKit. See my answer. – Hein 29/4, 2011 at 1:13

K

90

The proper way would be to use $_SERVER["PHP_SELF"] (in conjunction with htmlspecialchars to avoid possible exploits). You can also just skip the action= part empty, which is not W3C valid, but currently works in most (all?) browsers - the default is to submit to self if it's empty.

Here is an example form that takes a name and email, and then displays the values you have entered upon submit:

<?php if (!empty($_POST)): ?>
    Welcome, <?php echo htmlspecialchars($_POST["name"]); ?>!<br>
    Your email is <?php echo htmlspecialchars($_POST["email"]); ?>.<br>
<?php else: ?>
    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
        Name: <input type="text" name="name"><br>
        Email: <input type="text" name="email"><br>
        <input type="submit">
    </form>
<?php endif; ?>

Known answered 29/4, 2011 at 1:21 Comment(5)

Leaving action value empty is not W3C Valid. Just to notice. However it works well. – Kush 17/9, 2013 at 21:51

How do you do it so that it only runs

Welcome, <?php echo htmlspecialchars($_POST["name"]); ?>!<br>     Your email is <?php echo htmlspecialchars($_POST["email"]); ?>.<br>

and doesn't echo it like that? – Formulary 18/1, 2015 at 12:36

Then what should we use here? – Vachell 11/3, 2018 at 4:18

Just a warning here that PHP_SELF doesn't always work - I've just found this out as I had a form which was working with Joomla - when I turned on URL re-writing this PHP_SELF broke the form as according to Joomla PHP_SELF is "/index.php" (the site homepage) not "/contact-us". I guess that's because index.php is calling it and I suppose there is some variable somewhere that includes the entire re-wrote URL? – Eloquent 19/8, 2019 at 6:42

Just found out that $_SERVER('REQUEST_URI') works much better and actually gets the url even if it's been rewrote. – Eloquent 19/8, 2019 at 6:59

S

11

I guess , you means $_SERVER['PHP_SELF']. And if so , you really shouldn't use it without sanitizing it first. This leaves you open to XSS attacks.

The if(isset($_POST['submit'])) condition should be above all the HTML output, and should contain a header() function with a redirect to current page again (only now , with some nice notice that "emails has been sent" .. or something ). For that you will have to use $_SESSION or $_COOKIE.

And please. Stop using $_REQUEST. It too poses a security threat.

Spermato answered 29/4, 2011 at 1:8 Comment(0)

H

6

That will only work if register_globals is on, and it should never be on (unless of course you are defining that variable somewhere else).

Try setting the form's action attribute to ?...

<form method="post" action="?">
   ...
</form>

You can also set it to be blank (""), but older WebKit versions had a bug.

Hein answered 29/4, 2011 at 1:5 Comment(1)

@Damian I don't like to abuse the fragment identifier. – Hein 29/4, 2011 at 1:10

H

4

Try this

<form method="post" id="reg" name="reg" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>"

Works well :)

Homemaker answered 27/3, 2015 at 11:40 Comment(0)

S

3

Your submit button doesn't have a name. Add name="submit" to your submit button.

If you view source on the form in the browser, you'll see how it submits to self - the form's action attribute will contain the name of the current script - therefore when the form submits, it submits to itself. Edit for vanity sake!

Schematize answered 29/4, 2011 at 1:5 Comment(3)

Adding names to submit buttons is actually discouraged because they aren't submitted to the server in the first place and accessing forms by name in JavaScript is also deprecated. – Inaccessible 29/4, 2011 at 1:7

@minitech I thought the name attribute was submitted to the server? – Hein 29/4, 2011 at 1:10

Don't down vote when you don't have the right response. Buttons most certainly are submitted in post back. Go test it! – Schematize 29/4, 2011 at 1:13

O

3

change
<input type="submit" value="Submit" />
to
<input type="submit" value="Submit" name='submit'/>
change
<form method="post" action="<?php echo $PHP_SELF;?>">
to
<form method="post" action="">
It will perform the code in if only when it is submitted.
It will always show the form (html code).
what exactly is your question?

Oil answered 29/4, 2011 at 1:6 Comment(4)

Adding names to submit buttons is actually discouraged because they aren't submitted to the server in the first place and accessing forms by name in JavaScript is also deprecated. – Inaccessible 29/4, 2011 at 1:8

@minitech ? I actually see the submitted values of the input type=submit. What do you do so it is deprecated on your system? – Oil 29/4, 2011 at 1:10

@minitech Where does it say accessing forms by name is deprecated? Do you mean the old forms.one.submit? – Hein 29/4, 2011 at 1:11

Yes, that's what I meant. @Itay Moav I missed the PHP code in post 1, can you edit your post so I can vote you back up again? – Inaccessible 29/4, 2011 at 1:19

Recommended topics

Hot tags