strange behavior

[polorboy]

Ok, This code should look familiar to some of you:

PHP Code:

<?php
$query = "SELECT Company FROM Customer WHERE Sales_Rep = '$salesrep';";            
    $result = mysql_query($query) or die("SQL Error: " . $query . "<br/>" . mysql_error());
    
     while ($row = mysql_fetch_assoc($result)) {
         foreach ($row as $key => $val) {
            $msg .= "<option value='".$val."' >".$val."</option>";
        }
       }
?>

I was having a problem with getting php to make a form with a select box in it. I got it to work, and I can load a list from MySQL and make a selection box out of it. The wierd thing is that when I make a selection from the list and submit it through my form:

HTML Code:

	<form enctype='application/x-www-form-urlencoded' method='post' target='<?php echo $_SERVER['PHP_SELF']; ?>'>
	<select name='clients' id='clients'>
	<option selected="selected" value="">-Select One-</option>
		<?php
			print $msg;
		?>
	</select><br />
	<input type="submit" value="Search" name="search" id="search" />
	<input type="submit" value="Update" name="update" id="update2" />
	</form>

It always opens in a new window. I do not have any code anywhere on that page or any other page that tells the browser to open a new window. It will only open a new window when I pick my first selection, any other selection after that opens in the same "new" window. Can anyone think of a reason why this would happen? It doesn't make any sense to me. Thanks.

Also, if I open a new window and make another selection from the list, it will open the selection in the original window it was opened in. I don't know how on earth I did this, but it is kind of annoying.

[bokeh]

Start by using the following as your form element:

HTML Code:

<form action="" method="post">

[polorboy]

Ok, sometimes I wonder how I miss these things. I used target instead of action, so the target was itself, but it was opening itself in a new window. I changed it to action and it stopped happening. I feel so absentminded sometimes, lol. Thanks Bokeh.

[bokeh]

target is a new window... and the argument to target is the name given to the window, which may or may not already be open. Also do not use PHP_SELF as the argument to action; just use an empty string, as I posted.

[polorboy]

Ok, I understand what you are saying but why? Every book I have ever read says to have a form refer to the page it is in for php code says to put <?php echo $_SERVER['PHP_SELF'] ?> for the action. I understand why putting nothing in there will accomplish the same thing, but then why do they tell you to do that?

[bokeh]

Because the people that wrote the books obviously were not award of the security vulnerabilities.

[polorboy]

Ok, well, now you have caught my interest. Could you elaborate a little more, what kind of security vulnerabilities are there with that? If anything, I am trying to keep my pages as secure as I possibly can and if that is a huge opening I need to know so I can go back and fix a lot of my other pages.

[polorboy]

Ok, since you mentioned it I have been looking around find info about security vulnerabilities in php and everything I have seen has to do with running php as a cgi, but nothing about running it as a isapi? Well, as long as I am running as a isapi I don't have a whole bunch to worry about, do I? Before I installed php I read a ton of papers about security holes in php cgi, so that is why I went with using it as a isapi, and so far it has been working great. If the same security issues are there in the isapi it would be great if someone said something, because I don't know how to find them.

[bokeh]

Running PHP as a CGI is probably more secure overall as it allows it to be run under user IDs other than that of the calling webserver.