[thelist] Send hidden data from a form

Benjamin Hawkes-Lewis bhawkeslewis at googlemail.com
Tue Dec 30 17:27:56 CST 2008

On 30/12/08 20:49, Santilal Parbhu wrote:
> //Print out drop-down list of all teams.  Identify the team chosen.  It will
> //be contained in HTTP_POST_VARS['team_name'].
> 	print '<p>Select Team:<select name="team"></p>';

Hmm. "team" will be the name submitted to the script; so I'd expect the 
team chosen to be in HTTP_POST_VARS['team'] not HTTP_POST_VARS['team_name'].

By the by, user agents cannot reliably associate labels with their 
fields if you do not explicitly associate them with the LABEL element 
and the FOR and ID attributes:


Using an explicitly associated LABEL element would allow (for example) 
users to select the field by clicking the label in a visual browser or 
speaking the label to speech recognition software, and would allow voice 
browsers and screen readers to read the right text when the field 
receives keyboard focus.

> 	$query = "SELECT DISTINCT teams_id, team_name FROM $compteams ORDER BY team_name";
> 	if (@mysql_query($query)) {
> 		$r= mysql_query($query);
> 		while ($row = mysql_fetch_row($r)) {
> 			$team_id=$row[0];
> 			$team_name=$row[1];
> 			print "<option value=$team_name>";

As Anthony points out, unquoted HTML attributes are separated by whitespace:


So …

<element foo=bar baz>

has two attributes (foo and baz), but

<element foo="bar baz">

has one attribute (foo).

In addition to putting quotation marks round the attribute value, I'd 
recommend HTML escaping values as a matter of course:

print '<option value="'.htmlentities( $team_name, ENT_QUOTES ).'">';

That way, you cannot end up with the wrong characters due to unescaped 
ampersands being parsed into unintended entities, and cannot end up 
accidentally breaking the attribute due to an unescaped quotation mark.



Benjamin Hawkes-Lewis
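
The points made in the message above, put together as an added example that is not part of the original post or of the poster's script: a drop-down with an explicitly associated LABEL, quoted and escaped option values, and a check on the submitted "team" field. The team names and the helper names h(), render_team_select() and chosen_team() are assumptions made for illustration.

```php
<?php
// Added example: the team names below are constructed sample data.
$teams = ['Red Lions', 'Smith & Sons', 'The "A" Team', "O'Neill's XI"];

// Escape a value for use inside a quoted HTML attribute or as element text.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Build the drop-down with an explicitly associated LABEL (FOR/ID) and
// quoted, escaped option values.
function render_team_select(array $teams): string
{
    $html = '<p><label for="team">Select Team:</label> '
          . '<select name="team" id="team">' . "\n";
    foreach ($teams as $name) {
        $html .= '  <option value="' . h($name) . '">' . h($name) . "</option>\n";
    }
    return $html . "</select></p>\n";
}

// Accept the submitted value only if it is one of the teams that was offered.
// The field arrives under the SELECT's name, "team" (hypothetical helper).
function chosen_team(array $post, array $teams): ?string
{
    $value = $post['team'] ?? null;
    return (is_string($value) && in_array($value, $teams, true)) ? $value : null;
}

echo render_team_select($teams);

// Simulated submissions (constructed). A browser decodes the entities in the
// value attribute, so the script receives the original, unescaped name.
var_dump(chosen_team(['team' => 'Smith & Sons'], $teams));
// The truncated value that an unquoted value=Red Lions would submit.
var_dump(chosen_team(['team' => 'Red'], $teams));
// The value sent under a key the form never uses.
var_dump(chosen_team(['team_name' => 'Red Lions'], $teams));
```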
