I want to hide form action from browser.
is there any way to hide this?
<form action='http://mydomain /secure/resetPassword' method='post'>
<input required type='password' name='pss''>
<input value='change' type='submit' >
</form>
There must be some tricks. I've searched a lot but no luck.
Thanks.
No, there is no practical way to hide the action from the user. Even if you figure out a way to hide it here and use JavaScript to set the action at some point later, the user can always look at the network request and see what data you're posting and where you're posting it to. So don't even bother.
I want to hide the form action from the browser. Is there any way to hide
this?
Yes. But this won't add security, just obscurity. Have no action at all and post the form to the same page, then let server logic initially inspect the POST and forward it on to your processing page behind the scenes on the server side.
Going a step futher
To be frustrating for attackers, have a resource load on the form page with a changing URI, e.g. <img src="validImage.png?nonce=892489"> so the attacker has to GET the form page, extract the image URL, GET that so the server notes that this has been separately requested, then POST (An advanced form of this is called CAPTCHA). It's sometimes fun to cause frustration like this, but it's just frustration, not security.
Related
Problem:I have an RSS feed. As some of you may know, RSS feeds do not always update promptly (I'm using FeedBurner) so I'd like to provide the option on my webpage to update the RSS feed. This is a simple process, and I just need to ping an address. The catch is this: I'd like to stay on the initial page, and ideally refresh it.
I've seen some "solutions" around with using hidden iframes, and javascript, Ajax, etc.. What I am wondering is if there is an elegant way to do this using php/html.
Below is a flowchart illustrating exactly how I would like the system to function.
EDIT:
Here is the simple form code which I currently have:
<form action="http://url.to.ping" method="post">
<input type="submit" value="Refresh" />
</form>
This is a standard form, performing an action on submit. I require now that the browsers destination (as seen from the user) is a different url than that in the action. It is worth noting that the action page is not in my domain, and is not part of a domain which I own or have access to.
Thanks!
What i meant was,
/contactme.php
once they've submitted and come back to the page is there any additional variables like
/contactme.php?thanks=1
basically is there anything to declare they have just submitted and come back to the original page, if so..
You could do;
<?php
if(isset($_GET['thanks']))
{
$pingServer = file_get_contents('http://www.the.server.to.ping.com/pingit.php');
unset($pingServer);
}
?>
at the bottom of the page and it'll just hit that page.
This way you are not relying on JavaScript being enabled and the user is not hopped around multiple URLs.
What I have done when I needed the landing page to be different from the processing page is add a JavaScript redirection where one would put their "thanks for filling out my form" material.
So, the code process would be:
user fills out form, clicks submit
server-side validation and processing.
if success then location.href(URL, 0); else do error case
user is redirected to new URL (your refresh page)
I guess my question is in understanding the $_POST handling.
So I have two pages that handle 2 forms. Page 1 asks for some information that will be used in page 2. When submitted the form action uses the same page then redirects to next page upon validation, but only handles the data when $_GET variable ?usersubmit=1.
<form action="<?=$_SERVER['PHP_SELF']?>?usersubmit=1" method="post" name="form1">
<input type="text" name="field1">
</form>
So say I have page called form1.php. Upon submit its sent to form1.php?usersubmit=1. The page now assigns the posted data to session variables and then redirects to form2.php via header('location:form2.php').
<?
if($_GET['usersubmit']){
if($_POST['field1']){
#if valid then assign session variable and redirect to next form
$_SESSION['field1'] = $_POST['field1'];
header("location:form2.php");
}else{
#if invalid send error message
$error = true;
}
}
?>
My problem is in when users hit the 'back' button on their browser to edit data from a previous form. The browser doesnt re-post this data it just shows them a blank form. I'd prefer not to use $_SESSION data to fill out the forms because I suspect the re-post method may be a quicker and less problematic fix.
I also tried a javascript redirect instead of a header but browsers are smart enough to not send you back to a page that wants to redirect you so it doesnt work.
any help in understanding this would be greatly appreciated.
thanks.
The only way to handle it is via a session... HTML5 allows for storing of that kind of data but to be honest I wouldnt even look into it as a possibility just yet, altough it does work.
typically the back button will use all of the same get and post variables as was used on the previous locations page load. server side header redirect will not allow you to use the back button to get to the previous page since this redirection is done on the server side.
there are two ways to redirect using javascript window.location which will put your previous location into the browser history and therefore the back button will work, and location.replace which will not put a link in your history, and therefore not allow you to use the back button to get to the previous page.
alternatively, you could just use page two to process page ones form...
Also, you should use htmlentities() in your code. It closes a security vulnerability (see http://www.html-form-guide.com/php-form/php-form-action-self.html for more details).
<form action="<?=$_SERVER['PHP_SELF']?>?usersubmit=1" method="post" name="form1">
should change to something like this below.
<form action="<?=htmlentities($_SERVER['PHP_SELF'])?>?usersubmit=1" method="post" name="form1">
People
I want to know how to submit form without action attribute shown.
Like this
<form action="someact.php" method="post">
...
</form>
Some suggest to use $_PHP['SELF'], but I want my form to be processed using another php file like separating UI part and process part so that anyone can't see my process file ?
I want like this
<form method="post">
...
</form>
But it processed to the file I want.
Help please ?
Firstly, I don't quite understand why you would want this. The whole point of the action attribute is to tell the browser where to send the request, and "hiding" it achieves nothing - any half-way competent hacker (or even less than half-way) can still find the information you are hiding, no matter what you do.
Having said that, you could do something like this:
<form id="hidden_action_form" method="post">
<!-- ... -->
</form>
<script type="text/javascript">
document.getElementById('hidden_action_form').action = 'someact.php';
</script>
Why on earth would you need a "hidden" process file? That's impossible: the browser has to know where the request should be sent.
If you explain the problem you're having in the first place, and not the problem that arose from your solition to that problem, other people might be able to help you.
I get the impression that you mix up two things. The PHP-file is only on your server and will not be sent over to the browser. The server (normally apache httpd) processes the file and generates HTML code from it. This code is then sent over to the browser.
When you have a form you MUST have an action associated because as CodeCaster pointed out: The browser needs to know where to send the data. It's like a hyper link without setting the href-Attribute. Nothing can ever happen because the browser does not know what to do.
You can't do that. A form must always have an action attribute.
Noone can see the contents of the file that is going to process the form data (if this is your problem).
You won't be able to hide that without javascript. Even javascript won't hide it, but can post the data to another file while the user gets directed to the (public) file defined in the action of the form.
You can use an ajax post() call to POST data to another file. See the link provided to do this with jQuery and make sure that ajax sends the post first and then redirects/loads the user-content.
Notice though that if a client has javascript disabled, the whole POST will not be executed. Also if someone takes a look into your js, one can see the hidden filename there too, unless you password-protect the js file.
I have a search feature on my site that's POST based. Now, however, I want to be able to provide links that search for certain keywords, but this isn't of course possible because the form doesn't handle GET requests. Is there a way around this?
use the super global
$_REQUEST
Set the form's method to GET
<form action="/search" method="GET">
This will work if your search app on the server permits searching via get. Just of note, you should be using GET for search anyway. POST is to make modifications and post data. You're "getting" search results, so use GET.
You can use javascript to POST the form from a link. An example of how to do that is located here:
http://mentaljetsam.wordpress.com/2008/06/02/using-javascript-to-post-data-between-pages/
I would look at changing your form to operate using GET.
Using GET for the search mechanism is appropriate since GET methods are used for requests that are idempotent. i.e. you can perform them repeatedly without concern for changing state. The semantics of POST is that you're posting data and performing a change (regardless of whether that's really happening in this scenario)
<input type="text" id="searchcat"></input>
<form method="POST">
...
<input type="submit" onclick="this.form.action='/search?cat=' + document.getElementById('searchcat').value"></input>
</form>
Maybe this solution will help? Of course the "searchcat" control seems to be a kind of combobox. And onclick handler better to use as JS-function, not inline...
In fact when you click this submit - browser generates all HTTP-headers, collects the request body from your form data and then sends request with url, containing GET variables in itself. This way you'll have both GET and POST data in your search server-side handler.
Even better to change GET variables in action by handling onChange on your controls. But the example is more long and hard-to-read without IDE.
I want to have a user select a file and then have php put the contents in db. Now the last part (processing the file in php) is easy. But is there a way I can process a user selected file whithout a new page load?
If I use the following:
<FORM ACTION="upload.php" METHOD="post" ENCTYPE="multipart/form-data">
<INPUT TYPE="file" NAME="somefile"><BR />
<INPUT TYPE="submit" NAME="submit" VALUE="Upload">
</FORM>
Page upload.php automaticaly loads after which I can insert the uploaded file in a database.
I would like to use a combination of javascript, php and xajax to process the file. I don't think something like this is possible:
<FORM ACTION="javascript:xajax_proces_file()" METHOD="post" ENCTYPE="multipart/form-data">
<INPUT TYPE="file" NAME="somefile"><BR />
<INPUT TYPE="submit" NAME="submit" VALUE="Upload">
</FORM>
Because the file is not uploaded when function xajax_process_file() is called. Or is it? I think I do not fully grasp the principle of uploads with javascript, html and php.
Any help and or clarification is much appreciated.
It may help to think of this as a two step process.
First, the user fills in the form and submits it - step one.
Second ( which is the default action ) the specified target file takes the input from the form and uses it to do whatever. You can almost think of a form "action" as a link - the default action of a link click is to display the result of the link. The same goes for a form action - display the result of a form action.
Now, it's possible via JavaScript to disable the default action of an element for a particular event. It is also possible via JavaScript to access a browsers HTTP mechanism to send/receive HTTP request (which is what every page request is - whether from your URL bar or a page link or a Google search result).
And that is what AJAX in simple terms is - using JavaScript to use a browsers HTTP mechanism to send requests to a web server and possible receive a response back without the use of a traditional click event. You then combine this with the use of JavaScript to "turn off" default actions and instead follow the action specified by you to get information from a server and add it to the page without ever having to refresh the page.
Many times to prevent the defualt action from taking place for a certain element, you return false in your code. The same goes for your form. Using javascript:
form.onSubmit = function() {
blah blah blah.....Use ajax to send the information to the form handler
return false; //Prevents the defualt action of the submit event
}
If you are really new to AJAX, I suggest you check out this tutorial and then this one. Lastly, I would recommend using a Javascript framework like jQuery to help you - it is awesome and does alot of great stuff, but also has easy and built in functionality for AJAX.
Here is another tutorial to do a form submit with no page refresh (uses jquery).
an alternative is to make the form directs the action to an iframe, after processing the query in the iframe, proceed by JS to clear the form of the father