Jedakiah
« on: March 05, 2007, 04:01:14 PM »

I created a PHP calculator. It's pretty simple. But it is the first thing I've done in PHP that I coded completely by myself. I believe however that if I were to put it on my site it would grant any hacker the ability to delete my files n' stuff because the forms are unvalidated. If that is the case, how may I fix this? Obviously the forms only need to accept numbers... how can I add that functionality?

```php
<?php
$result = "";
$action = "";
$zeroDivide = "0";
// Read the two fields once; a missing field counts as "0" so the page also works on first load.
$input1 = isset($_REQUEST['input'])  ? $_REQUEST['input']  : "0";
$input2 = isset($_REQUEST['_input']) ? $_REQUEST['_input'] : "0";

if (isset($_REQUEST['multiply']) && $_REQUEST['multiply'] == "x") {
    $result = ($input1 * $input2);
    $action = "x";
}
if (isset($_REQUEST['divide']) && $_REQUEST['divide'] == "/") {
    // The divisor is the second field, not the first.
    if ($input2 == "0") {
        $result = ($input1 / "1");
        $zeroDivide = "1";
    } else {
        $result = ($input1 / $input2);
        $action = "/";
    }
}
if (isset($_REQUEST['subtract']) && $_REQUEST['subtract'] == "-") {
    $result = ($input1 - $input2);
    $action = "-";
}
if (isset($_REQUEST['add']) && $_REQUEST['add'] == "+") {
    $result = ($input1 + $input2);
    $action = "+";
}
// The clear button must be named "C" for this check to ever match.
if (isset($_REQUEST['C']) && $_REQUEST['C'] == "C") {
    $result = "0.";
}
// Everything echoed back into a value="" attribute is escaped so user input cannot break out of it.
$e = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); };
?>
<form action="calc.php" method="post">
<table width="230" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="2">Input something in fields 1 & 2 to use.</td>
</tr>
<tr>
<td width="200"><input name="input" type="text" class="calcfield" id="input" tabindex="1" value="<?php if ($result == "") { echo "0."; } else { echo $e($result); } ?>" maxlength="10" /></td>
<td width="30"><input name="divide" type="submit" class="operbutton" id="divide" tabindex="4" value="/" /></td>
</tr>
<tr>
<td><input name="_input" type="text" class="calcfield" id="_input" tabindex="2" value="0." maxlength="10" /></td>
<td><input name="multiply" type="submit" class="operbutton" id="multiply" tabindex="5" value="x" /></td>
</tr>
<tr>
<td><input name="return" type="text" class="calcfield" id="return" tabindex="3" value="<?php if ($zeroDivide == "1") { echo "You cannot divide by 0."; } else { if ($result == "") { echo "Your equation equals 0."; } else { echo $e($input1); echo " $action "; echo $e($input2); echo " = " . $e($result); } } ?>" /></td>
<td><input name="subtract" type="submit" class="operbutton" id="subtract" tabindex="6" value="-" /></td>
</tr>
<tr>
<td><input name="C" type="submit" class="return" id="C" tabindex="8" value="C" /></td>
<td><input name="add" type="submit" class="operbutton" id="add" tabindex="7" value="+" /></td>
</tr>
</table>
</form>
```

« Last Edit: March 05, 2007, 04:04:19 PM by Jedakiah »

Kjuib
« Reply #1 on: March 05, 2007, 06:11:49 PM »

I don't think you really have to worry about that. The biggest problem you would have with variables is if you use them to query a database. Then you have to escape special characters so haxxors don't use code injection techniques.
Call it good.

pre-venge (pri-venj') - v. - To inflict punishment in return for (injury or insult) before the (injury or insult) happens

Jedakiah
« Reply #2 on: March 05, 2007, 08:27:23 PM »

Thank you your cubieness. But, could you enlighten me on how to make them only accept numbers?

Kjuib
« Reply #3 on: March 05, 2007, 09:43:41 PM »

This should check to see if any digits are not numbers. There is not an HTML method to limit to numbers, but this should validate with the PHP once it is submitted.

```php
<?php
$input = isset($_REQUEST['input']) ? (string) $_REQUEST['input'] : "";
// explode() with an empty delimiter is an error; str_split() gives one array entry per character.
$charArray = str_split($input);
$i = 0;
$justNumbers = true;
while ($i < strlen($input)) {
    // In PHP 7 and earlier a non-numeric string compares as 0, so letters pass a "< 0 or > 9" test;
    // testing the digit class works on every version.
    if (!ctype_digit($charArray[$i])) {
        $justNumbers = false;
    }
    $i++;
}
?>
```

Jedakiah
« Reply #4 on: March 05, 2007, 10:12:35 PM »

Okay, my intent was just to ensure that submitted data would be limited to number-only execution. I read about a very short PHP script that could be submitted through a form much like mine that would delete the entire directory. I don't know if it is a security vulnerability with the latest versions of PHP though, but to be safe I thought I'd ask. Thank you sir.
Now for the main reason I showed you all that code: what would you do differently? Is there anything I did that I should have done differently, or some things that I could optimize? I'm incredibly new to this and welcome all feedback.

Kjuib
« Reply #5 on: March 06, 2007, 07:10:56 AM »

If I was writing the same application, here is what I would have done.

```php
<?php
// Just call $_POST (or $_REQUEST) once (I think this saves processing power).
// mysql_real_escape_string() only protects values going into a MySQL query, needs an open
// MySQL connection, and was removed in PHP 7; for arithmetic, check that the value is numeric instead.
$input1 = (isset($_POST['input']) && is_numeric($_POST['input'])) ? $_POST['input'] : 0;
$input2 = (isset($_POST['_input']) && is_numeric($_POST['_input'])) ? $_POST['_input'] : 0;
// I think POST should work; I do not know the difference between a POST and a REQUEST.
if (isset($_POST['multiply']) && $_POST['multiply'] == "x") {
    $result = ($input1 * $input2);
    $action = "x";
} else if (isset($_POST['divide']) && $_POST['divide'] == "/") {
    // Using 'else if' will speed up the code because it only has to check for the action until it finds it.
    // ...
}
?>
```

The rest looks just fine.

Kjuib
« Reply #6 on: March 06, 2007, 07:11:28 AM »

> I read about a very short PHP script that could be submitted through a form much like mine that would delete the entire directory.

What was the link? I would like to read that.

Gidgidonihah
Moderator
« Reply #7 on: March 12, 2007, 04:50:00 PM »

The difference between post and request is that post only accepts variables from, well, post variables. Request is either post or get.

Kjuib
« Reply #9 on: March 12, 2007, 10:35:52 PM »

```php
<?php
$num = 2;   // sample value so the chain below can run
if ($num < 1) {
    // ...
} else if ($num == 2) {
    // ...
} else if ($num > 3) {
    // ...
}
?>
```

This will just run a bit quicker than having 3 if statements. It only has to find the first one that matches, then stops trying the ifs.

Latro
« Reply #10 on: March 13, 2007, 07:09:53 AM »

It's like saying "or" in code.

Kjuib
« Reply #11 on: March 13, 2007, 09:31:00 AM »

Bring it, Latro... you don't scare me...

Jedakiah
« Reply #12 on: March 13, 2007, 11:32:36 AM »

Hey! Thank you sir.

Gidgidonihah
Moderator
« Reply #13 on: March 14, 2007, 04:56:24 PM »

I'm sorry. I forgot to mention that $_REQUEST isn't just $_POST and $_GET, it's $_COOKIE, too!
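
One way to put the thread's advice together (reply #3's digit check, reply #5's read-the-fields-once handler, and the point from replies #7 and #13 that $_REQUEST also accepts GET and cookie values), as an added example that is not code from anyone in this thread; the function names read_number, calculate and handle and the sample submissions at the bottom are my own:

```php
<?php
// Added example, not from the thread: a calculator handler that reads only $_POST (so a cookie or
// query string cannot supply the operands), accepts only numbers, whitelists the operator, and
// escapes what it echoes back into the form.
// Returns the field as a float, or null when it is missing, too long, or not a plain number.
function read_number(array $source, string $key, int $maxLen = 10): ?float
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $raw = trim($source[$key]);
    // Optional sign, digits, optional decimal part; nothing else (no "1e5", no hex, no spaces).
    if ($raw === '' || strlen($raw) > $maxLen || !preg_match('/^-?[0-9]+(\.[0-9]+)?$/', $raw)) {
        return null;
    }
    return (float) $raw;
}
// Applies one of the four calculator operators; returns [result, error message].
function calculate(float $a, float $b, string $op): array
{
    switch ($op) {
        case '+': return [$a + $b, ''];
        case '-': return [$a - $b, ''];
        case 'x': return [$a * $b, ''];
        case '/': return $b == 0.0 ? [null, 'You cannot divide by 0.'] : [$a / $b, ''];
        default:  return [null, 'Unknown operation.'];
    }
}
// Produces the text for the "return" field, escaped for use inside a value="" attribute.
function handle(array $post): string
{
    $a = read_number($post, 'input');
    $b = read_number($post, '_input');
    if ($a === null || $b === null) {
        return 'Please enter numbers only.';
    }
    $op = '';
    foreach (['add' => '+', 'subtract' => '-', 'multiply' => 'x', 'divide' => '/'] as $button => $symbol) {
        if (isset($post[$button])) { $op = $symbol; break; }   // only the pressed submit button is posted
    }
    [$result, $error] = calculate($a, $b, $op);
    $text = $error !== '' ? $error : "$a $op $b = $result";
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
// Constructed sample submissions, run from the command line instead of a browser.
echo handle(['input' => '6', '_input' => '3', 'divide' => '/']), "\n";   // valid division
echo handle(['input' => '6', '_input' => '0', 'divide' => '/']), "\n";   // divisor is zero
echo handle(['input' => '6a', '_input' => '3', 'add' => '+']), "\n";     // non-numeric input is refused
```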

ikonoclast
« Reply #14 on: March 15, 2007, 12:37:32 AM »

> I'm sorry. I forgot to mention that $_REQUEST isn't just $_POST and $_GET, it's $_COOKIE, too!

Whoopie dee doo.

All animals are equal, but some animals are more equal than others.