
Forum Moderators: coopster & jatar k


Having a form post to itself

Is this a good idea?

     
5:31 pm on Nov 17, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 26, 2004
posts:155
votes: 0


I've seen mention, e.g. by jatar_k in message 10 here [webmasterworld.com], that it's not recommended to have a form post to itself.

Why is this a bad idea? Are there security issues involved?

6:42 pm on Nov 17, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 30, 2005
posts:515
votes: 0


I don't think it's a good idea, either.
From my experience, it has the potential to mess up your navigation buttons, and often, after a form posts to itself, pressing the "back" then "forward" buttons will give a "page cannot be displayed" message.
Plus, having a separate "process" form for posts helps to keep the processing logically separated from the display side.

8:49 pm on Nov 17, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 7, 2003
posts:1408
votes: 0


I can't see where there would be any extra security issues, beyond what you would consider normal.

One of my pages contains 4 different forms. The reason is because I don't want my users getting redirected to another page during this process. Is this problematic, having so many forms on a single page? You betcha!

The logic has to be right. I have to determine which form was submitted. Did I pass the right values? Are there additional values being passed? How does my script know where to start processing? Some of this is simply extra overhead.

I might have coded those 4 forms into individual pages, and saved myself some significant development time. So, I'm only speculating as to why such a thing might not be recommended, and it comes down to increased complexity and development time.

9:34 pm on Nov 17, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 13, 2003
posts:775
votes: 0


One possibility is if you're using something like this for your forms:

<form action="<?php echo $_SERVER['PHP_SELF'];?>">

It's a no no to trust server variables like this. See [blog.phpdoc.info...] for further info.

Tim
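
The PHP_SELF point from the post above, as an added example that is not part of the original thread: PHP_SELF includes any path info the client appends after the script name, so echoing it unescaped puts request data into the page markup. The function names and the request values are constructed for illustration, and the code assumes the server sets SCRIPT_NAME to the script's own path.

```php
<?php
// Added example; the request values below are constructed.

/** The pattern quoted in the post: PHP_SELF written out as-is. */
function raw_form_action(array $server): string
{
    return $server['PHP_SELF'] ?? '';
}

/**
 * Script path only, escaped for use inside an HTML attribute.
 * Assumes the server sets SCRIPT_NAME to the script's own path,
 * without the path info that PHP_SELF carries.
 */
function safe_form_action(array $server): string
{
    return htmlspecialchars($server['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
}

/** True when the value can end the action="..." attribute early. */
function breaks_attribute(string $value): bool
{
    return strpbrk($value, '"<>') !== false;
}

// Constructed request for /contact.php/"><b>marker</b>
// Everything after the script name is path info chosen by the client.
$server = [
    'SCRIPT_NAME' => '/contact.php',
    'PHP_SELF'    => '/contact.php/"><b>marker</b>',
];

foreach (['raw_form_action', 'safe_form_action'] as $fn) {
    $action = $fn($server);
    printf(
        "%-17s %s\n  <form method=\"post\" action=\"%s\">\n",
        $fn . ':',
        breaks_attribute($action) ? 'breaks out of the attribute' : 'stays inside the attribute',
        $action
    );
}
```

In a page, the hardened helper would be called as `safe_form_action($_SERVER)` inside the action attribute.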

9:57 pm on Nov 17, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:June 20, 2003
posts:558
votes: 0


Hmm..

I almost ALWAYS do:

<form action="">

And I don't have issues with it. I just checked the back button and no worries there - I guess it just depends on your form setup and your server config. I know that different caching methods change the back button behavior in IE for forms that are POST'ed.

b

10:02 pm on Nov 17, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 30, 2005
posts:515
votes: 0


Yeah - I think it's an IE specific bug, that "may" be fixed by changing some weird cache-control header.
I tried it, but couldn't get it to work satisfactorily, and now I just always POST to a processing form out of habit, I guess.

10:54 pm on Nov 17, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 21, 2002
posts:1051
votes: 0


I use a form which posts to the same page in order to generate printer friendly pages. If the user clicks the "print format" button a hidden variable is posted which is detected server side and serves the same page with a different stylesheet.

I've never had any problems, and back and forward work fine for me. But now you've got me worried what other people experience. :(

11:49 pm on Nov 17, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 30, 2005
posts:515
votes: 0

10:07 am on Nov 18, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 26, 2004
posts:155
votes: 0


Thanks guys.

FalseDawn, I hadn't considered the issue of the back and forward buttons -- need to look further into that.

Timotheos, thanks for the heads up on $_SERVER['PHP_SELF'] -- that's simply amazing! I'd heard that some of the $_SERVER fields should be considered tainted, but didn't realise that extended to PHP_SELF.

bsterz, I found this post [webmasterworld.com] which indicated that Safari and Konqueror had a problem with action="". I don't know whether it's still a problem.

 
