strange behavior


polorboy
03-22-2007, 09:28 AM
Ok, This code should look familiar to some of you:

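<?php
// $salesrep is interpolated into the SQL string, so this assumes it has already
// been escaped (e.g. with mysql_real_escape_string()) before this point.
$query = "SELECT Company FROM Customer WHERE Sales_Rep = '$salesrep';";
$result = mysql_query($query) or die("SQL Error: " . $query . "<br/>" . mysql_error());

$msg = ''; // initialise before appending with .=
while ($row = mysql_fetch_assoc($result)) {
    foreach ($row as $key => $val) {
        // Escape the database value for both the attribute and the option text.
        $safe = htmlspecialchars($val, ENT_QUOTES);
        $msg .= "<option value='" . $safe . "' >" . $safe . "</option>";
    }
}
?>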

I was having a problem with getting php to make a form with a select box in it. I got it to work, and I can load a list from MySQL and make a selection box out of it. The weird thing is that when I make a selection from the list and submit it through my form:

<form enctype='application/x-www-form-urlencoded' method='post' target='<?php echo $_SERVER['PHP_SELF']; ?>'>
<select name='clients' id='clients'>
<option selected="selected" value="">-Select One-</option>
<?php
print $msg;
?>
</select><br />
<input type="submit" value="Search" name="search" id="search" />
<input type="submit" value="Update" name="update" id="update2" />
</form>


It always opens in a new window. I do not have any code anywhere on that page or any other page that tells the browser to open a new window. It will only open a new window when I pick my first selection, any other selection after that opens in the same "new" window. Can anyone think of a reason why this would happen? It doesn't make any sense to me. Thanks.

Also, if I open a new window and make another selection from the list, it will open the selection in the original window it was opened in. I don't know how on earth I did this, but it is kind of annoying.

bokeh
03-22-2007, 09:55 AM
Start by using the following as your form element:
<form action="" method="post">

polorboy
03-22-2007, 10:07 AM
Ok, sometimes I wonder how I miss these things. I used target instead of action, so the target was itself, but it was opening itself in a new window. I changed it to action and it stopped happening. I feel so absentminded sometimes, lol. Thanks Bokeh.

bokeh
03-22-2007, 10:20 AM
target is a new window... and the argument to target is the name given to the window, which may or may not already be open. Also do not use PHP_SELF as the argument to action; just use an empty string, as I posted.

polorboy
03-22-2007, 11:40 AM
Ok, I understand what you are saying but why? Every book I have ever read says to have a form refer to the page it is in for php code says to put <?php echo $_SERVER['PHP_SELF'] ?> for the action. I understand why putting nothing in there will accomplish the same thing, but then why do they tell you to do that?

bokeh
03-22-2007, 12:17 PM
Because the people that wrote the books obviously were not aware of the security vulnerabilities.
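
The point behind bokeh's advice about PHP_SELF, as an added example that is not part of the original thread: $_SERVER['PHP_SELF'] includes any extra path the client appends after the script name, so echoing it unescaped into the action attribute writes client-chosen text into the page. The script name search.php, the sample values and the function names are constructed for illustration.

```php
<?php
// Added example (not from the thread). With a request such as /search.php/EXTRA,
// many server configurations still run search.php, and PHP_SELF then contains
// the trailing "/EXTRA" part, which the client chose.

// Constructed sample values standing in for $_SERVER['PHP_SELF'].
$samples = array(
    '/search.php',                                  // normal request
    '/search.php/"><b>injected markup</b><i x="',   // constructed: markup in the path
);

// The pattern from the books: PHP_SELF echoed straight into the attribute.
function form_unescaped($phpSelf) {
    return "<form action=\"" . $phpSelf . "\" method=\"post\">";
}

// bokeh's suggestion: an empty action posts back to the current URL and
// nothing from the request is written into the page.
function form_empty_action() {
    return '<form action="" method="post">';
}

// If an explicit path is wanted, escape it for an attribute context.
function form_escaped($phpSelf) {
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// True when the rendered output contains markup beyond the single <form ...> tag.
function breaks_out_of_attribute($html) {
    return substr_count($html, '<') > 1;
}

foreach ($samples as $phpSelf) {
    echo "PHP_SELF = $phpSelf\n";
    foreach (array(
        'unescaped' => form_unescaped($phpSelf),
        'empty'     => form_empty_action(),
        'escaped'   => form_escaped($phpSelf),
    ) as $label => $html) {
        printf("  %-9s %s  [%s]\n", $label, $html,
            breaks_out_of_attribute($html) ? 'markup injected' : 'ok');
    }
}
```

Run from the command line, only the unescaped variant with the second sample is flagged; the empty action and the escaped action both keep the output to a single form tag.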

polorboy
03-22-2007, 12:32 PM
Ok, well, now you have caught my interest. Could you elaborate a little more, what kind of security vulnerabilities are there with that? If anything, I am trying to keep my pages as secure as I possibly can and if that is a huge opening I need to know so I can go back and fix a lot of my other pages.

polorboy
03-22-2007, 01:19 PM
Ok, since you mentioned it I have been looking around to find info about security vulnerabilities in php and everything I have seen has to do with running php as a cgi, but nothing about running it as an isapi? Well, as long as I am running as an isapi I don't have a whole bunch to worry about, do I? Before I installed php I read a ton of papers about security holes in php cgi, so that is why I went with using it as an isapi, and so far it has been working great. If the same security issues are there in the isapi it would be great if someone said something, because I don't know how to find them.

bokeh
03-22-2007, 01:27 PM
Running PHP as a CGI is probably more secure overall as it allows it to be run under user IDs other than that of the calling webserver.