PHP script executes IF statement even no POST has been done

Question

I have two PHP script, and it seems the second script is not handling the $_POST correctly.

a.php

Important part:

echo "<form action='b.php' method='post'>";
echo "<input type='submit' name='add' value='Add new items'>";
echo "</form>";

b.php

Important parts:

$error_variable1="";

if ($_SERVER["REQUEST_METHOD"] == "POST")  {
    if (empty($_POST["something1"])) {
    $error_variable1="not correct";
    }
}

echo '<form action="'.htmlspecialchars($_SERVER["PHP_SELF"]).'" method="post">';
echo '<textarea name="something1" rows="1" cols="10"></textarea>';
echo $error_variable1;

echo '<input type="submit" name="evaluate" value="Checking inputs">';
echo "  </form>";

Unfortunately even at the first start of b.php it displays / gives value to $error_variable1 as "not correct."

But why is it working like this ? The user hasn't pressed the submit button yet. I want to give a "not correct" value for this variable when the "evaluate" submit button pressed.

Edit:

I am suspicious about that probably the POST (submit) from a.php is messing my b.php. What I would like is to display a text form with a submit button. When submit button has pressed ($POST) and the textarea is empty, then I want to show an error message to the user (not correct) and display the form again.

Answer 1

Change the following code segment in your code

if (empty($_POST["something1"])) {}

to the below one.

if (strlen($_POST['something1']) > 0) {}

Answer 2

You can use strlen() to check if variable is set.

This will count the number of digits entered and will return false when textarea is empty as the string length will be 0.

if (!strlen(trim($_POST['something1']))) {
    $error_variable1="not correct";
}

---

Alternatively, check if the submit button is clicked:

if (isset($_POST['evaluate'])) {
    if (empty($_POST["something1"])) {
        $error_variable1="not correct";
    }
}

More information on isset(): http://php.net/manual/en/function.isset.php.

Answer 3

You should definetly choose isset()! While empty() will return true even if its null, isset() will not!

empty() just checks if the given variable got a value. This can be anything! Int, Float, String, Object and also NULL - it does not matter. It will return true.

isset() instead will return true if the variable exists and is not null.

better choose isset() in this content ;)

EDIT:

see here: http://php.net/manual/en/function.empty.php

and here: http://php.net/manual/en/function.isset.php

Answer 4

1) CSRF: people from other websites can choose to submit forms to your form handler, therefore you should add a Cross Site Request Forgery prevention value into a hidden field in your form, that updates every time the form is loaded, typically paired with a $_SESSION value. Read more on this.

Using this unique "key" value you can then simply check at the top of your page if this POSTed key value is the correct value and that will confirm for you that the form has been posted.

so

A.php:

session_start();
$_SESSION['obscure'] = some obscurevalue generated anew every page load.
echo "<form action='b.php' method='post'>";
echo "<input type='submit' name='add' value='Add new items'>";
echo "<input tye='hidden' name='key' value='".$_SESSION['obscure']."'>
echo "</form>";

Then sends to b.php:

session_start();
if($_POST['key'] == $_SESSION['obscure'] && !empty($_POST['key'])){
   //This code will only run if the form has been correctly submitted.
}

The outcome of this is that you can be more sure that your code is run in the order it is intended and you can use the POSTED key value to confirm form submission.

---

As an aside as well it is bad practise to use PHP_SELF for form redirects. Use a static reference or use a properly uneditable value, as PHP_SELF can be abused by the end user.

Answer 5

Change empty($_POST["something1"]) to empty($_POST["something1"]) && $_POST["evaluate"]