#1
I have newbie questions.
Good Day. I oftentimes find that in reading online documentation & php books, that I go off on tangents, as there is so much to learn, get lost and thereby never feel like I fully understand a concept. Wish I could afford training, but it's not an option at this time. After carefully imbibing two beginner php books (carefully, mind you) and making my way through parts of Luke Wellington's book, various articles on php security issues, and the php.net site, I am at the point where I need to confirm that my understanding of some basic concepts is correct.

Here is a simple example of something I would like to do. I have an html form. I want to print out the user's input to a second screen for them to look at. Is there anything incorrect, insecure or outdated about this code? I can get it to work, but I've heard all the warnings about beginner php books AND I trashed a hard drive using IIS on my Windows PC and am just now recovering. I use a web hosting company now who does have register_globals turned off. I don't want to put it into a database yet.

The html form:

<form action="CALENDAR.PHP" method=post>
Daily Calendars<input type="text" name="dayqty" size=3 maxlength=3><br>
Monthly Calendar<input type="text" name="monthqty" size=3 maxlength=3><br>
<input type=submit value="Submit Order">
</form>

The Calendar.php page that will print out to the screen:

<?php
session_start();
$HTTP_SESSION_VARS['dayqty']=$dayqty;
$HTTP_SESSION_VARS['monthqty']=$monthqty;
$dayqty = $HTTP_POST_VARS['dayqty'];
$monthqty = $HTTP_POST_VARS['monthqty'];
///validation check
if (ereg("([^0-9])",$dayqty))
{
    echo 'Please enter a numeric value in the <strong>daily calendar </strong>quantity box. <p><a href ="order.html">Back</a></p>';
    exit;
}
if (ereg("([^0-9])",$monthqty))
{
    echo 'Please enter a numeric value in the <strong>monthly calendar </strong>quantity box. <p><a href ="order.html">Back</a></p>';
    exit;
}
if ($dayqty == '' && $monthqty == '')
{
    echo 'You have not ordered anything! <a href ="order.html">Back</a></p>';
}
else
{
    echo $dayqty.' Daily Calendars<br>';
    echo $monthqty.' Monthly Calendars';
}
?>

Notes: I've heard that preg() is more secure. Thanks for any input. Grasshopper is learning from his/her mistakes. I've been reading that it is a better practice to develop a template (using PEAR) than mix up your html and php, but I cannot find a simple example of this. Grasshopper hops too far ahead.
#2
Looks good for a start. A few suggestions:
-use $_SESSION, $_POST and $_GET instead of the (older) $HTTP_*_VARS. the $_ vars are globals, and less typing.
-check if a variable is set before assigning:
if(isset($_POST['dayqty'])) $dayqty = $_POST['dayqty']; else $dayqty = "";
-I'm also wondering about these lines:
$HTTP_SESSION_VARS['dayqty']=$dayqty; #etc
at this point in the program, $dayqty e.o. haven't been declared or assigned yet, making these statements useless. Should they be moved to AFTER the POST fetches?
-in this case, the function is_numeric() might be easier, with the same effect, as you're only scanning for numbers, no special combinations.
-As for templates using PEAR, never heard of it. And I've been doing PHP for a while now. So if it's really something useful, they're keeping awfully quiet about it.
Good luck.
#3
Thanks for your reply - let's see if I hear you & ask a couple of questions.

In regards to:
-check if a variable is set before assigning:
if(isset($_POST['dayqty'])) $dayqty = $_POST['dayqty']; else $dayqty = "";

Yes thanks for this reminder, I somehow missed it in the documentation. Does isset() mean that I am verifying or setting the variable to 'dayqty', rather than it being set automatically with a name by the user, which they can then run away with and do heavens knows what? I am foggy on this.

In regards to:
-I'm also wondering about these lines:
$HTTP_SESSION_VARS['dayqty']=$dayqty; #etc
at this point in the program, $dayqty e.o. haven't been declared or assigned yet, making these statements useless.

I've read documentation that says after I start the session, I need to check if the session variables are set (as you mentioned above) and then I need to register the session variables to access them (and I want to access it to print it out to the screen). It gives the examples:

$HTTP_SESSION_VARS['varName']=$varName; ///I'll assume this form is likely to be deprecated
///or the shorter
$SESSION['varName']=$varName;

Thanks for your input.
#4
isset:
isset simply returns true if a variable has been set, that is, there is a space in memory reserved for it. It is an easy way to check if a page was called by the form it expects to be called by. See also the PHP manual entry for isset.

sessions:
what you say was true in earlier versions of php. You had to save your variables through session_register(), which took a variable from the scope it was called from, and stored it in the session. However, after they introduced the global $_SESSION array, you no longer need to do this, as you can freely write and read from this array (also see isset function). In fact, on a system with register_globals off, the old style session system might very well not even work, as it works with the normal variable names, and not an associative array.

As for declaring them, I think what they meant was on the page where you INITIALIZE the session variable, you say: PHP Code:
after which you can read it on the next page like this: PHP Code:
and remember it's $_SESSION, not $SESSION. :-)
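
The points raised in this thread (fetch from $_POST after an isset() check, validate, then write to $_SESSION), put together in one script. This is an added example, not code posted by anyone in the thread, and the helper name read_qty() is hypothetical. It assumes PHP 7.1 or later, where ereg() and the $HTTP_*_VARS arrays no longer exist, and it uses ctype_digit() because is_numeric() also accepts values such as "1.5", "-3" and "1e3".

```php
<?php
// Added example (not from the thread). read_qty() is a hypothetical helper.
session_start();

// Returns the quantity as an int, 0 for an empty box, or null when the field
// is missing or is not 1-3 decimal digits. maxlength=3 in the form is only a
// browser hint, so the length is checked again on the server.
function read_qty(array $post, string $field): ?int
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null; // field absent, or sent as an array (dayqty[]=1)
    }
    $raw = trim($post[$field]);
    if ($raw === '') {
        return 0;
    }
    // ctype_digit() passes only strings made entirely of 0-9.
    if (!ctype_digit($raw) || strlen($raw) > 3) {
        return null;
    }
    return (int) $raw;
}

$dayqty   = read_qty($_POST, 'dayqty');
$monthqty = read_qty($_POST, 'monthqty');

if ($dayqty === null || $monthqty === null) {
    echo 'Please enter a whole number in both quantity boxes. '
       . '<p><a href="order.html">Back</a></p>';
    exit;
}
if ($dayqty === 0 && $monthqty === 0) {
    echo 'You have not ordered anything! <p><a href="order.html">Back</a></p>';
    exit;
}

// Write to the session only after the POST fetch and validation, so later
// pages never see unchecked input. A later page calls session_start() and
// reads $_SESSION['dayqty'] after its own isset() check.
$_SESSION['dayqty']   = $dayqty;
$_SESSION['monthqty'] = $monthqty;

// Escape on output. The values are ints here, but the same call is what
// keeps free-text fields from being rendered as HTML.
echo htmlspecialchars((string) $dayqty, ENT_QUOTES, 'UTF-8') . ' Daily Calendars<br>';
echo htmlspecialchars((string) $monthqty, ENT_QUOTES, 'UTF-8') . ' Monthly Calendars';
```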
#5
Great, thanks for passing on the info.
Next I'm going to be checking some code I wrote for inputting the content into a mysql database using phpadmin. Only a php nut would do this on a weekend!
Viewing: Dev Articles Community Forums > Programming > PHP Development > I have newbie questions.