I have a simple HTML post with a php variable included as the value, I wish to use this in my codeigniter project what is the best way to do this.
Here is my correct code (I do have the form helper)
<form action="https://www.mysite.co.uk/1/" method="POST">
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>;
<input class="btn btn-primary" type="submit" role="button" id=""></input>
</form>
I may have misunderstood your question with my first answer.
If all you want is a post button, then you can write this
<input type="submit" class="btn btn-primary" role="button" value="Send" />
Or use the form helper
<?php echo form_submit('BtnName', 'Send'); ?>
// Would produce:<input type="submit" name="BtnName" value="Send" />
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_submit
You can do what you are doing:
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>">
Or use set_value like this:
<input id="start-test" type="hidden" name="userid" value="<?php echo set_value('userid', $userID); ?>">
This will repopulate the field value on form error. I have missed off the HTML special chars but you can include that still if you feel like you need to, but I presume this is an id from a database, that is set with auto increment and as it is not user generated data the use of html special chars here might be a bit unnecessary.
In your controller you can access the post variables like this:
$posted_id = $this->input->post('userid');
However, you should be using form validation on posted data. This is quite a big topic but you can read about the above in the docs. Also referring to your User ID directly is not always a great solution since this form can be easily manipulated. You can help to alleviate that somewhat with CI CSRF protection and using form_open but it is often best to use sessions and get the ID from there. You should not ever have to include a user id in a hidden form variable.
Set Value
http://www.codeigniter.com/user_guide/libraries/form_validation.html#re-populating-the-form
Reading post variables
http://www.codeigniter.com/user_guide/libraries/input.html#accessing-form-data
Form Validation in general
http://www.codeigniter.com/user_guide/libraries/form_validation.html#form-validation
Form open and CSRF
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_open
CI Sessions
http://www.codeigniter.com/user_guide/libraries/sessions.html#session-library
If you are not familiar with security practices it is sometimes best to get to know and use a mature and developed authorization and authentication library. There are many so I will not recommend one here. Just do a search for one and find one that suits your needs.
Related
Below is my form- which value i like to update into database.
<form action="#" class="form">
<div class="form__slider">
<div class="form__slider-rating" id="slider__rating"></div>
<div class="form__slider-value" id="form__slider-value"></div>
<!-- <input type="number" class="form__slider-value" id="form__slider-value" value=""> -->
</div>
<input type="hidden" name="movie_id" id="movie_id" value="<?php echo $post_id; ?>" />
<input type="hidden" name="name" id="name" value="<?php echo $userName; ?>" />
<textarea class="form__textarea" name="remark" id="remark" placeholder="Review"></textarea>
<button type="button" class="form__btn">Send</button>
</form>
and in site it was look like this
This blue mark value I need to update into database. How to do that?
Regarding PHP, you need to handle a form.
Firstly, write a code that would handle the form itself, you can do that, by putting some php on top of your page;
if(isset($_POST['form-slider-value'] && $_POST['form-slider-value'] !== null) {
$value = $_POST['form-slider-value'];
//Database handle
}
Of course don't forget to add name 'form-slider-value' to the input.
Ideally there would be classes or similar stuff for that, I'd advise you to use some kind of framework.
Basically. PHP and FORMS works with handling them, once you submit your form with a button submit, it goes to a place where you address it Form action=. Then everything that is written within names will be at $_POST data.
It is not recommended to keep standalone code in one file, with HTML,css,PHP all together.
Hope that answered your question.
As well. This thing is very common to do or use. I advise you to learn about PHP Forms.
https://www.w3schools.com/php/php_forms.asp
And read about constructing a class. Id say do it the proper way.
Learn about frameworks as well, they are modern day time saviors once you learn it.
What's the Problem?
Primary Key is present in Url so the data for other records can be seen easily by easily changing the Url.
Rendered html has hidden field present. Anybody can easily change other records based upon this Hidden Field.
When I edit the page. My Url looks like below.
http://localhost/Category/3
and Below is the rendered Html
<form method="POST" action="http://localhost/UpdateCategory" accept-charset="UTF-8">
<input name="_token" type="hidden" value="AmAXKmqtct6VOFbAVJhKLswEtds4VwHWjgu3w5Q8">
<input name="CategoryID" type="hidden" value="3">
<input required="required" name="Category" type="text">
<input class="btn btn-success" type="submit" value="Update">
</form>
Please suggest some Url and Form security in Laravel 5.1
There are many worksaround which shall by handled by us to avoid such incidents.
Fix 1 :
If you don't want to reach the user's by just changing the url
(i.e., Directly passing the id in url )
You shall filter the requests by
if($_SERVER['HTTP_REFERER']!='')
{
}
else
{
exit;
}
You shall have this in your Middleware or even in your view if you wish
Fix 2 : Never worry about the _token that is visible when you see form source
It is just the token that is generated by laravel app which is to identify whether the request is from authenticated source or not.
If you edit the token and pass the form you will surely get CSRF Token Mismatch Exception
Infact this is one of the great feature of Laravel.
Interesting Point : You can also find something in the headers of the browser ;)
Happy using Laravel ;)
I can't figure out why my hidden input field is still showing in the source code of the page:
<form method="POST" ACTION="score.php">
<ul class="answer">
<li>
<input type="checkbox" name="answer_0" value="<?php echo $answer_0; ?>"><?php echo answer_0;?></br>
<input type="hidden" name="right" value="<?php echo $right;?>"/>
</li>
</ul>
<button type="submit" class="btn btn-warning">Submit</button>
</form>
What is wrong here ? I tried without the PHP variable and the hidden field was still showing.
There's nothing wrong here. Hidden inputs should not be used for data that the user must not be able to see. It's just used for data that they don't need to see, and would just clutter up the form.
If you want to hide something from the user securely, you should use session variables. These are kept on the server, not sent to the browser. If you do need to send something to the browser, and don't want the user to be able to get anything from it, you could encrypt it first. But remember, you can't trust that the user won't modify it before sending it back. Anything that comes from the browser can be tweaked by the user.
i send an HTML email with a form and a button like this:
<form action="http://myurl/index.php" method="post">
<input type="hidden" name="testing" value="123456">
<button class="btn" type="submit">SEND</button>
</form>
then in my index.php page i read the testing variable, in this way:
echo $_POST['testing'];
but i can't read the variable and give me this:
Notice: Undefined index: testing
there is a way to send a variabile from an html mail to a php page?
Oh. Got that Email Part now.
Most Mail-Programs won't do POST requests, for security/privacy reasons. Use GET here:
in HTML:
SEND
and in PHP:
echo $_GET['testing']
Of course the data is visible in that case - but that's the entire point.
Emails don't play well with a lot of fairly standard html. In this case, I'd use something like this:
Submit
And then style your anchor to look like a button. Then on your php side, use this to make sure the variable gets there:
print_r($_GET);
What happens when you replace:
<button class="btn" type="submit">SEND</button>
With
<input type="submit" value="Send" />
I realize you are probably styling it given that you have a class statement but you can still style an input type="submit" easily enough. I ran into issues posting variables using the object.
Also, FWIW, you don't need to specify the full URL in the action. In fact, you should probably do the following to safeguard your self against XSS attacks:
<form action="<? echo htmlentities('/path/to/index.php'); ?>" method="post">
I have a picture upload inside a form...
The file is a php file btw...
Problem is whenever this form is filled in, and the user clicks to upload the first picture, the form is submitted to itself and all the fields which the user may have filled in will go blank...
I know of one way to do it, alot of 'isset' in my php code, but is there any simpler or maybe better way I don't know of?
Thanks
You echo back the POST variable on your fields.
<form method="POST">
<input type="text" name="name" value="<?php echo $_POST['name']?>" />
<input type="submit" name="submit" />
</form>
When the form is submitted to self, the same data will be filled.
Well i do not know of anything else. I always use this:
<input type="text" value="<?= isset($value) ? $value : ""; ?>">
I think it is not too much code in the Templates, but it does the Trick.
Alternatively you could use some Frameworks wich abstract everything for you, but i cannot recommend some...