Hello and welcome to our community! Is this your first visit?
Register
View RSS Feed

tangoforce

The IE if (isset($_POST['submit'])) bug explained.

Rate this Entry
by , 07-06-2014 at 01:41 PM (455 Views)
For a while I had a clear warning in my signature about not using this technique, not everyone understood the problem and I used to get quite a few PMs about it. Today I am going to explain this issue to you in further detail so that you can understand and try this out for yourself and fix your code.

Lets start with a basic script:
PHP Code:
<html>
   <head>
      <title>The if(isset($_POST['submit'])) bug demo.</title>
   </head>
   
   <body>
   
<?php
if (isset($_POST['submit']))
   {
   print 
'Your data was processed!<br><br>This is your $_POST submission:<br>';
   
print_r($_POST);
   }
else
   {
   print 
'No data processed.<br><br>This is your $_POST submission:<br>';
   
print_r($_POST);
   }
?>
      <br><br>
      <form action="<? print $_SERVER['PHP_SELF']; ?>" method="post">
         Put the cursor in this box and press the enter key:<br>
         <input type="text" name="sample" value="Some sample text.">
         <input type="submit" name="submit" value="Then the next time, click this">
      </form>
   </body>
</html>
Now put that on your server and test it in a variety of browsers starting with Internet explorer. To test it, put the cursor in the text box and press the enter / return key on the keyboard. Most browsers are fine with this but if your version of IE is affected you'll see that the text field is submitted but not the button submit field. This means that any code that should of run in your script that relies on the submit button WILL NOT RUN.

Why?
Because Internet Explorer only sends the button if you click it with the mouse. If you have the text cursor in a text box and click the enter / return key on your keyboard IE does not send the value of the submit button. This is because you can use multiple submit buttons in one form (EG Edit and Delete on a blog / forum post) and so MS in their wisdom seem to have decided that only sending a clicked button is the wise thing. There is some wisdom in this but only for forms with multiple submit buttons. For forms with just one submit its a bit pointless.

I've heard that on IE9 this is no longer a problem but I've tested this on IE5.5, IE6, IE7 and IE8 and it is the same on all of them. IF you do not experience the same symptoms and do not believe it, then please watch this video:


Once you've watched that, I hope you will understand how this could affect your logic flow in your code. This issue could loose you orders, new members, contact form submissions etc. By using the simple techniques I've demonstrated below, you will no longer have this issue and it will work regardless of what browser your visitor uses.

Now, lets modify that script:
PHP Code:
<html>
   <head>
      <title>The if(isset($_POST['submit'])) bug demo.</title>
   </head>
   
   <body>
   
<?php
if (isset($_POST['sample']))
   {
   print 
'Your data was processed!<br><br>This is your $_POST submission:<br>';
   
print_r($_POST);
   }
else
   {
   print 
'No data processed.<br><br>This is your $_POST submission:<br>';
   
print_r($_POST);
   }
?>
      <br><br>
      <form action="<? print $_SERVER['PHP_SELF']; ?>" method="post">
         Put the cursor in this box and press the enter key:<br>
         <input type="text" name="sample" value="Some sample text.">
         <input type="submit" name="submit" value="Then the next time, click this">
      </form>
   </body>
</html>
You can see now that the text field is processed regardless of whether the user clicked the enter key or the button was pressed.

There is a further way to handle this - use a hidden form field:
PHP Code:
<html>
   <head>
      <title>The if(isset($_POST['submit'])) bug demo.</title>
   </head>
   
   <body>
   
<?php
if (isset($_POST['secret']))
   {
   print 
'Your data was processed!<br><br>This is your $_POST submission:<br>';
   
print_r($_POST);
   }
else
   {
   print 
'No data processed.<br><br>This is your $_POST submission:<br>';
   
print_r($_POST);
   }
?>
      <br><br>
      <form action="<? print $_SERVER['PHP_SELF']; ?>" method="post">
         Put the cursor in this box and press the enter key:<br>
         <input type="hidden" name="secret" value="Something">
         <input type="text" name="sample" value="Some sample text.">
         <input type="submit" name="submit" value="Then the next time, click this">
      </form>
   </body>
</html>
The reason these 2 modified scripts work is because when you submit the form the other fields are POSTed to the server. The modified script is not checking for the submit button but the text field or the hidden field - which of course it finds.

Updated 07-07-2014 at 05:45 PM by tangoforce

Tags: None Add / Edit Tags
Categories
PHP Tips

Comments