htmlspecialchars not allowing url to open - php

I am using
<form action="<?php echo htmlspecialchars(Uri::getInstance()->toString()); ?>" method="post"
name="adminForm" id="adminForm">
However, there's a dynamic link which is generated on clicking a link, like:
https://www.mywebsite.com/index.php?option=com_rsform&formId=1&form[car]=Honda&form[Model]=City%20Hybrid%20e%20HEV
Due to the above htmlspecialchars code, clicking the link is just refreshing the page. I understand the purpose of htmlspecialchars for security.
Is there any workaround solution so that the dynamic link, as generated, can be executed?

Related

Navigate to form after submission

This might seem a simple problem, but I'm stuck on this one. Hope anyone can help me on this.
I'm working on server-side form validation in PHP. Everything is working as expected as far as validation goes. But if an error is shown on input or the form gets submitted, the browser navigates to the top of the page. How can I prevent this behaviour? I need the page to stay where it is after I click the submit button.
<?php include('process_form.php'); ?>
<!-- echo was missing, so the action attribute was empty; the value is also escaped for the attribute -->
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<div class="form-row">
<div class="col form-group">
<label>Primeiro nome</label>
<!-- user-supplied value is escaped before being echoed back into the attribute -->
<input type="text" class="form-control" title="Inserir nome" name="firstname" value="<?php echo htmlspecialchars($firstname); ?>">
<span class="error"><?php echo htmlspecialchars($firstnameErr); ?></span>
If I understand your question, you are asking quite a lot from just HTML and PHP. Remember that once the form is submitted, the browser navigates away from the current page and loads the form action page (in your case, it reloads the current page as per the directive action="<?php $_SERVER['PHP_SELF']; ?>").
So, how would you position the page at exactly the desired location if there was no form submission going on? That is how you would do it in this case. So, as suggested in the comments, you could modify your action directive: action="<?php $_SERVER['PHP_SELF']; ?>#id_of_form_container". For example, if your form is in a div structure like this:
<div id="contact_form_div">
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
then your action tag would be:
action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>#contact_form_div"
Alternatively, you can do some basic form validity testing on the JavaScript side, during the form submit process. If, for example, a required field is blank, you can return false;, which will stop the submit process and return control to the user.
Here is an example of what basic JavaScript field validation looks like. And here is an example of using JavaScript/jQuery to interrupt the form submit process to perform that validation, and return control to the user (via return false;) if validation fails.
References:
MDN article on form validation - note the SmashingMagazine links at bottom
TutorialsPoint - more concise example of the same
Video tutorial of same (30 min)

Is there a way so that I can have two actions on one form?

This is what I currently have:
<form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
As you can see, the form is already occupied by one action; however, I would also like it to direct to another URL, and I don't know if something like this would be possible. Unless there's another way where you can redirect to another webpage; that could work too.

Are form actions affected if you add the pound symbol to the URL?

Can I add the pound symbol to form actions? For example, let's say that my form submits to forumsubmit.com; would it affect anything if I make it submit to forumsubmit.com#PostID2?
<form action="<?= $_SERVER['PHP_SELF'] ?>?pageAction=POSTS" method="post" name="forum" id="addpost" enctype="multipart/form-data">
So that this, becomes this.
<form action="<?= $_SERVER['PHP_SELF'] ?>?pageAction=POSTS#PostID2" method="post" name="forum" id="addpost" enctype="multipart/form-data">
I want to do this because I want the page to scroll to that section of the page after it reloads.
Also, does using the pound sign in URLs have a specific name?
No. The part following the pound sign (called the "hash") is not processed by the server (unless you deliberately do something very strange to your server configuration). Having a hash in the URL won't affect anything about form processing, but it will cause the browser to jump to the named part of the page when the action page loads.

HTML generator breaking PHP code

I have a cool HTML generator that generates HTML from a drag-and-drop interface. I have tried to customise it by adding some simple PHP to it for form validation. The problem I am having is that when I click "Get HTML" it changes my PHP code from:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
to something like
<form method="post" action="<?&lt echo htmlspecialchars($_SERVER["PHP_SELF"]);&gt>">
Is there a way to get it to show the HTML without messing up the PHP? It seems to just change the PHP tags themselves.

$_SERVER['REQUEST_URI'] - Preventing XSS and other attacks

I'm building a form where users can upload files to my server. The upload script is in PHP and is secure but I'm unsure how secure my form action is.
At the moment I do the following on submit:
<form id="apply" method="post" enctype="multipart/form-data" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, "utf-8"); ?>">
I've read about XSS and the $_SERVER array and how to use htmlspecialchars to secure it.
Is this enough? Should I be doing something else?
Just use action="", it will POST to the current page.
It's not secure to directly use the $_SERVER['REQUEST_URI'] value, even if you use htmlspecialchars.
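The escaping behaviour asked about in the first question (a URL with `&` in the query string) and in this one (a request URI in a form action) side by side, as an added PHP example that is not from any of the posts above; `escape_action`, `safe_action` and the allow-list are my own names, and the sample URIs are constructed.

```php
<?php
// Added example: how htmlspecialchars() treats a form action built from a
// request URI, and a stricter allow-list alternative. Sample URIs are constructed.
declare(strict_types=1);

/** Escape a URI for use inside a double-quoted HTML attribute. */
function escape_action(string $uri): string
{
    return htmlspecialchars($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Stricter alternative, in the spirit of the "just use action=''" answer:
 * keep only the path, and only if it is a route the application expects.
 * $allowed is a hypothetical allow-list supplied by the application.
 */
function safe_action(string $uri, array $allowed): string
{
    $path = parse_url($uri, PHP_URL_PATH);
    if ($path === false || $path === null || !in_array($path, $allowed, true)) {
        return '';   // an empty action posts back to the current URL
    }
    return escape_action($path);
}

// 1. The dynamic link from the first question: each '&' becomes '&amp;' in the
//    attribute, and the browser decodes it back to '&' before submitting, so
//    the query string (option, formId, form[car], form[Model]) survives intact.
$link = 'https://www.mywebsite.com/index.php?option=com_rsform&formId=1'
      . '&form[car]=Honda&form[Model]=City%20Hybrid%20e%20HEV';
echo escape_action($link), "\n";
// .../index.php?option=com_rsform&amp;formId=1&amp;form[car]=Honda&amp;form[Model]=...

// 2. A constructed REQUEST_URI with attribute-breaking characters: the request
//    path is client-supplied input, so the quote and angle brackets must be escaped
//    or they would end the action attribute early.
$hostile = '/upload.php/"><injected>';
echo escape_action($hostile), "\n";
// /upload.php/&quot;&gt;&lt;injected&gt;   (stays inside the attribute)

// 3. Allow-listed path: the unexpected path is dropped; a known path is kept.
$allowed = ['/upload.php', '/index.php'];
var_dump(safe_action($hostile, $allowed));          // string(0) ""
var_dump(safe_action('/upload.php?x=1', $allowed)); // string(11) "/upload.php"
```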
