
View Full Version : Php5
mnsdk 09-14-2005, 05:35 PM Hi,
I have orderform.html and processorder.php and I am using PHP5 on Apache2. The calculation results I get are $0. On the other hand, when I run the same files on another server (with previous versions of both PHP and Apache, I suppose) I get all the calculations right. Can anyone help me fix it?
Code of files:
'Orderform.html'
<form action="processorder.php" method=post>
<table border=0>
<tr bgcolor=#cccccc>
<td width=150>Item</td>
<td width=15>Quantity</td></tr>
<tr>
<td>Tires</td>
<td align="center"><input type="text" name="tireqty" size="3" maxlength="3"></td>
</tr>
<tr>
<td>Oil</td>
<td align="center"><input type="text" name="oilqty" size="3" maxlength="3"></td>
</tr>
<tr>
<td>Spark Plugs</td>
<td align="center"><input type="text" name="sparkqty" size="3" maxlength="3"></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="Submit" value="Submit order"></td>
</tr>
</table>
</form>
------------------------------------------
"processorder.php"
----
<html>
<head><title>Bob'Auto Parts-Order Results</title></head>
<Body>
<h1>Bob's Auto Parts</h1>
<h2>Order Results</h2>
<?php
define('TIREPRICE',100);
define('OILPRICE',10);
define('SPARKPRICE',4);
echo '<P>Order Processed at ';
echo date('H:i, jS F');
echo '</p>';
echo '<P> your Order is as follows: </p> ';
$totalqty = $tireqty + $oilqty + $sparkqty;
echo 'Items ordered: '.$totalqty.'<br />';
$taxrate = 0.10;
$totalamount = $tireqty * TIREPRICE + $oilqty * OILPRICE + $sparkqty * SPARKPRICE;
echo 'Subtotal: $'.$totalamount.'<br />';
$totalamount = $totalamount * (1 + $taxrate);
echo 'Total including tax: $'.$totalamount;
?>
</Body>
</html>
--------------
Thank You
MNS
innova 09-14-2005, 05:53 PM I have that book (which kind of sucks BTW, it encourages poor programming practices).
Anyway, stepping off the pulpit.
Your problem lies in register_globals. Since php 4.2, it's defaulted to OFF, but this script depends on it.
$totalqty = $tireqty + $oilqty + $sparkqty;
You will want to add this code right before that snippet:
$tireqty = $_POST['tireqty'];
$oilqty = $_POST['oilqty'];
$sparkqty = $_POST['sparkqty'];
CSD_Hosting 09-14-2005, 07:00 PM You should code your scripts so that they do not rely on register_globals being on. The current standard is off.
innova 09-14-2005, 07:16 PM That code is directly from a php book, hence my statement at the top.
That is the problem with lots of php books.. they encourage things like this as well as littering your php code with bits of HTML echoing.
01globalnet 09-14-2005, 07:26 PM Originally posted by innova
I have that book (which kind of sucks BTW, it encourages poor programming practices).
I also have this book and I think it is very good. The above code is from the very first chapters and it is an introduction to PHP.
When you keep reading, it has a lot of advice on good coding practices, security issues, etc.
jetson 09-14-2005, 08:26 PM Books are meant to be learning tools with proof of concept demonstrations or examples.
Does it have a section on security or how to install/ configure PHP and or Apache (sometimes MySQL too)?
You might also wanna try something to the effect of:
//we want only integer values here
$tireqty = isset($_POST['tireqty']) ? intval($_POST['tireqty']) : 0;
// or this, which is the same
if(isset($_POST['tireqty']))
{
$tireqty = intval($_POST['tireqty']);
}
else
{
$tireqty = 0;
}
With similar checks for other types of values that can be anything submitted by anyone. Learn the easy way -lol
take a look:
http://zend.com/zend/art/art-oertli.php
OmegaVortex 09-15-2005, 10:07 AM Originally posted by innova
I have that book (which kind of sucks BTW, it encourages poor programming practices).
Anyway, stepping off the pulpit.
Your problem lies in register_globals. Since php 4.2, it's defaulted to OFF, but this script depends on it.
$totalqty = $tireqty + $oilqty + $sparkqty;
You will want to add this code right before that snippet:
$tireqty = $_POST['tireqty'];
$oilqty = $_POST['oilqty'];
$sparkqty = $_POST['sparkqty'];
I'm sorry, but, talking about poor programming practices, are you nuts!? You just gave him one of the worst practices anyone can do. If he wants to access those variables he can do one of two things which will make his code faster, and easier to use:
A:
$tireqty =& $_POST['tireqty'];
$oilqty =& $_POST['oilqty'];
$sparkqty =& $_POST['sparkqty'];
B:
Change:
$totalqty = $tireqty + $oilqty + $sparkqty;
echo 'Items ordered: '.$totalqty.'<br />';
$taxrate = 0.10;
$totalamount = $tireqty * TIREPRICE + $oilqty * OILPRICE + $sparkqty * SPARKPRICE;
To:
$totalqty = $_POST['tireqty'] + $_POST['oilqty'] + $_POST['sparkqty'];
echo 'Items ordered: '.$totalqty.'<br />';
$taxrate = 0.10;
$totalamount = $_POST['tireqty'] * TIREPRICE + $_POST['oilqty'] * OILPRICE + $_POST['sparkqty'] * SPARKPRICE;
The changes you asked him to make cause PHP to copy the $_POST variables, by referencing them, or accessing them directly you free up memory and decrease load time.
laserlight 09-15-2005, 10:50 AM Originally posted by OmegaVortex
The changes you asked him to make cause PHP to copy the $_POST variables, by referencing them, or accessing them directly you free up memory and decrease load time.
Honestly, claiming that "you just gave him one of the worst practices anyone can do" is rather extreme as it doesn't make that much of a difference (though I admit the assignments are rather silly). The lack of input validation may make a difference in terms of security, which is what one should highlight as a natural consequence of using the $_POST array instead of assuming that register_globals is on.
innova 09-15-2005, 11:53 AM Oh come on!
Give me a break. By using my (admittedly simple) modification, he doesn't have to rewrite the REST of the code, like option B that you suggest. It's rather common to map $_POST vars to short variable names to make your subsequent coding easier/more convenient, it's not 'silly' at all.
As for pass by ref versus copying.. We are talking about 3 variables here each a couple bytes in size. No big deal.
If his example had been a huge array or something, sure.
Not to mention that this example is NOT complete, as it still trusts user input 100% and should really be filtered further. You do need to understand the context of the question though. This question is from an early chapter in an intro to PHP book, thus they really aren't (yet) going into error handling, security, and all that.
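The input filtering that this post and the earlier isset()/intval() reply call for, as an added example that is not part of any post in this thread: it reads the three quantities from a POST-style array, never from globals, and rejects malformed values rather than coercing them. The helper names, the 0-999 range and the sample submissions are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Prices are the constants from
// processorder.php; the 0-999 range is an assumption based on maxlength="3".
const PRICES = ['tireqty' => 100, 'oilqty' => 10, 'sparkqty' => 4];
const TAX_RATE = 0.10;

// Hypothetical helper: int in 0..999, 0 for an absent or empty field, null for
// anything else ("3abc", "-1", "2.5", or an array sent as tireqty[]=1).
// Unlike intval(), FILTER_VALIDATE_INT rejects trailing garbage instead of truncating it.
function read_qty(array $post, string $field): ?int
{
    $raw = $post[$field] ?? '';
    if ($raw === '') {
        return 0;
    }
    if (!is_string($raw)) {
        return null;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 999]]);
    return $v === false ? null : $v;
}

// Returns the order summary, or the list of fields that failed validation.
function process_order(array $post): array
{
    $items = $subtotal = 0;
    $bad = [];
    foreach (PRICES as $field => $price) {
        $v = read_qty($post, $field);
        if ($v === null) {
            $bad[] = $field;
            continue;
        }
        $items += $v;
        $subtotal += $v * $price;
    }
    if ($bad) {
        return ['ok' => false, 'invalid_fields' => $bad];
    }
    return ['ok' => true, 'items' => $items, 'subtotal' => $subtotal,
            'total' => round($subtotal * (1 + TAX_RATE), 2)];
}

// Constructed sample submissions; a real script would pass $_POST.
foreach ([
    ['tireqty' => '2', 'oilqty' => '1', 'sparkqty' => ''],
    ['tireqty' => '3abc', 'oilqty' => '-1', 'sparkqty' => ['4']],
] as $post) {
    echo json_encode(process_order($post)), PHP_EOL;
}
```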
OmegaVortex 09-15-2005, 01:56 PM Eh, my post was removed due to a link... Anyway, it doesn't matter if it's just one variable, you're always supposed to write a script while thinking ahead. If you can't do that you'll add another variable, 'Oh, it's only one 4 variables...' and keep on in that way until you're up to hundreds. I admit, I was a bit harsh in my previous post, but this is something I'm very much against. Unless you absolutely have to have a copy of a variable it should always be passed by reference. And if you wanna talk about making a variable easier to get to, try the following code which is in a project I'm currently developing:
$this->engine->ini_data['poll']['config']['User'] = "Username";
Which can be made easier by:
$config =& $this->engine->ini_data['poll']['config'];
Now we can access the same variable by using the following:
$config['User'] = "Username";
innova 09-15-2005, 03:17 PM ini_data['poll']['config']['User']
I am not sure I understand this. Why are you using such a (needlessly?) complex array structure in the first place?
Besides.. in this example, how often do you need access to only one member of such a large array (as opposed to looping through it)?
When I look at that all I think is:
$this->engine->datastructure['is']['too']['complex']
tamasrepus 09-15-2005, 03:42 PM Just to point out, unless you want to particularly avoid having your program use GET requests, use the $_REQUEST hash instead of $_POST and $_GET.
OmegaVortex 09-15-2005, 05:43 PM The entire data structure is used in a larger program to efficiently store, retrieve, and update ini file data. It works as follows, when used in an outside program:
$engine->ini_data['file']['section']['key']
When used within a module we either reference the variable or use the following:
$this->engine->ini_data['file']['section']['key']
The program is open-source, as soon as he (Note: I didn't write the 'engine' myself) decides to release it you'll see what I mean. So far everyone that has seen it has had just one thing to say about it: 'Amazing!' :D