php edit button better as a form or href link? - php

I'm just curious what is the better method for edit buttons in an admin, keeping in mind that there could possibly be 100s of these edit buttons on a page,
a form to use the POST variables
<form action="" method="POST" enctype="multipart/form-data" target="_self">
<input type="hidden" name="ID" value="123" />
<input type="hidden" name="name" value="ABC" />
<button type="submit" name="action" value="Edit" class="edit"></button>
</form>
or a href to use the GET variables
Edit
I'm just curious in regards to speed and usability.
Any opinions welcome.

Server Side
Edit button or form button do not impact server side processing at all.
If you are looking to reduce the html file size, the get variable based approach could help and reduce that less than 5% extra overhead (can vary based on type of application).
Client Side
The % impact on client side will also be negligible based on how browser handles the submit action.
Side Notes
href links work only as a replacement for GET forms and not for POST.
url based approach is useful in cases like edit button where there is no user modified input

Even better is using the HTTP PATCH method, which is meant to represent partial resource modification.
You should avoid using GET requests when the outcome alters a resource (because the request will be resent by hitting the back button).
However since many browsers cannot send native PATCH requests you need a bit of trickery. Ruby On Rails for example uses javascript together with a method POST parameter to fake PATCH, PUT and DELETE requests - even on links.

Related

Do I need to prefix the input variables for two HTML forms in same page

I'm a bit confused about whether I need to prefix form input variables with e.g. 'car_' or 'bike_' (giving 'car_make', 'bike_make'), or whether I can use the same template for both forms without prefixing variables. And if so, do I still need to prefix the 'submit' field, or is having a different form name enough to avoid data collision?
I have these two HTML forms on the same page:
<form action="" name="car_search_form" method="POST">
<input type="hidden" name="make" value="Audi" />
<input type="submit" name="car_do_search" value="Search Car" />
</form>
<form action="" name="bike_search_form" method="POST">
<input type="hidden" name="make" value="Schwinn" />
<input type="submit" name="bike_do_search" value="Search Bike" />
</form>
So, in the end I want to get correct value for $validCarMake via this code:
if (isset($_POST['car_do_search']))
{
    $paramCarMake = isset($_POST['make']) ? sanitize_text_field($_POST['make']) : '';
    $validCarMake = esc_sql($paramCarMake); // For SQL queries only
    // TODO: Add data saving to database
}
Also, I want to understand the decision process of the PHP engine. How does it decide which variable to choose - how does it know which button I clicked, and why does it not just submit all forms on the page? Also, would there be any difference if I used the "GET" method instead of "POST", besides that it puts the variable values into the URL? And in the GET case, how would it process an image attached to the form submit (as the maximum URL length is 255 chars as far as I know, and e.g. a JPEG 100 kiB image contains thousands of chars)? I'm asking this because I also want to allow not just having that search on the site's home page, but also making a search from some kind of widget on a separate website.
And the last question - does the HTML form processing differ somehow in PHP 7.X compared to PHP 5.X (i.e. PHP 5.4)? I mean, does it cache the data somewhere, does it send over the internet the attached images of both forms and consume network and server data, or does it submit only the data of the form on which I clicked the button?
As long as you keep the 2 input requests separate having the post arg "make" is completely fine. If you send the args in the same request the 2nd will override the first since it was last set.
As for how php decides on what is first it uses what is called order of precedence. This means what it comes to first it executes first unless explicitly told not to.
I want to understand the decision process of PHP engine. How it does decide which variable to choose - how it know on which button I clicked, and why not it does just submit all forms on the page?
When you click on a button, php will take the <button name="value"> value assigned in the name property of the input field or button clicked. This is how it can decide what's the form to submit. Consider that if you have two forms with the same name assigned to the submit button, the first one will override the second and php will only submit one form. This is because php executes operations in a logical order.

Href V/s Form submit

I want to delete (or update) a record in MySql through PHP. The options here are :
One.
Delete
Two.
<form action="process.php" method="post"><input type="hidden" name="pid" value="3"><input type="hidden" name="cid" value="10"><button type="submit" class="btn btn-danger">Delete</button></form>
Later, I will redirect from process.php. So, Which is better and may I know why?
In both options, it is working (delete or other). I just want to ask any advantages in form submit
One :- Using get method
Delete
Two :- Using Post method
<form action="process.php" method="post"><input type="hidden" name="pid" value="3"><input type="hidden" name="cid" value="10"><button type="submit" class="btn btn-danger">Delete</button></form>
Compare Get and post method :
Get Method ( Advantages and disadvantages )
Since the data sent by the GET method are displayed in the URL, it
is possible to bookmark the page with specific query string values.
The GET method is not suitable for passing sensitive information
such as the username and password, because these are fully visible
in the URL query string as well as potentially stored in the client
browser's memory as a visited page.
Because the GET method assigns data to a server environment
variable, the length of the URL is limited. So, there is a
limitation for the total data to be sent.
Post method ( Advantages and disadvantages )
It is more secure than GET because user-entered information is never
visible in the URL query string or in the server logs.
There is a much larger limit on the amount of data that can be
passed and one can send text data as well as binary data (uploading
a file) using POST.
Since the data sent by the POST method is not visible in the URL, so
it is not possible to bookmark the page with specific query.
thanks
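An added example, not part of the original posts: one way process.php could handle the POST delete form above, refusing GET, checking a per-session token, validating the hidden pid and cid fields, and redirecting afterwards. The table and column names, the database credentials, the csrf_token field and the redirect target are assumptions.

```php
<?php
// process.php: added example, not code from the original posts.
// Assumed (not on the page): table `records` with columns pid/cid, the PDO DSN
// and credentials, a hidden `csrf_token` field, and the redirect target.
declare(strict_types=1);
session_start();

// State-changing requests must arrive as POST; links, prefetchers and crawlers send GET.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit('Method Not Allowed');
}

// The form page is assumed to have stored bin2hex(random_bytes(32)) in the
// session and echoed it into the hidden csrf_token field of the form.
$sent  = $_POST['csrf_token'] ?? '';
$known = $_SESSION['csrf_token'] ?? '';
if (!is_string($sent) || !is_string($known) || $known === '' || !hash_equals($known, $sent)) {
    http_response_code(403);
    exit('Invalid request token');
}

// Hidden fields are fully user-controlled: accept positive integers only.
$opts = ['options' => ['min_range' => 1]];
$pid = filter_input(INPUT_POST, 'pid', FILTER_VALIDATE_INT, $opts);
$cid = filter_input(INPUT_POST, 'cid', FILTER_VALIDATE_INT, $opts);
if (!is_int($pid) || !is_int($cid)) {
    http_response_code(400);
    exit('Bad request');
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// A check that the logged-in user may delete this record belongs here.
$stmt = $pdo->prepare('DELETE FROM records WHERE pid = :pid AND cid = :cid');
$stmt->execute([':pid' => $pid, ':cid' => $cid]);

// Post/Redirect/Get: 303 makes the browser follow with GET, so Reload or Back does not resubmit.
header('Location: /records.php?deleted=' . $stmt->rowCount(), true, 303);
exit;
```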

How to POST form data from restored session?

I use Firefox add-on called "Session Manager" to save and restore sessions. I have simple php + html form:
<form id="form_id" enctype="multipart/form-data" method="post" action="upload.php">
<input id="name$key" type="text" placeholder="Name" name="name[]" value="$name">
<input type="file" name="fileToUpload[]" id="fileToUpload$key">
<input id="submit" name="submit" type="submit" value="Submit">
</form>
When I restore form inputs data with "Session Manager" I can see all data I need. When I click the "Submit" button, data have empty $_POST.
What can I do to not lose this data?
Maybe to use some JQuery or session_start(); $_SESSION?
Firefox add-on "Session Manager" seems to work incorrectly if the html <form> is set with attribute enctype="multipart/form-data". If you want to send some files through POST use <form> attribute enctype="application/x-www-form-urlencoded" in conjunction with php copy(). That's not a clean solution. Maybe there could be other solutions with enctype="multipart/form-data", maybe some experiments with form accept-charset could give you better results.
The Session Manager plugin in Firefox is not at all related to PHP sessions. Same word, entirely different meanings.
A Firefox session is your browser tabs and the websites they are accessing. A PHP session relates to a user session on a specific website.
Most likely the data you are seeing "saved" in the forms is just field data that is saved in Firefox only, for the sole purpose of making data re-entry faster. It is not yet actually "in" the form fields, but saved in Firefox (only, not on the website) in order to make easier the re-entry of frequently typed data.
When you lose a connection to a website, you lose the data typed in the fields. Refreshing the page loses the data typed in the fields. There is no work-around for this, it's just how it is.
If you have further questions, please ask in comments below this answer.
Edit:
Re-thinking, it may be possible to achieve some kind of solution using a javascript/jQuery (please, jQuery) solution that involves detecting when fields are exited (blur()) and subsequently grabbing the data and saving it in localStorage.
References:
https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
http://www.w3schools.com/html/html5_webstorage.asp
When is localStorage cleared?
What is the max size of localStorage values?

how to hide form action from user

I want to hide form action from browser.
is there any way to hide this?
<form action='http://mydomain /secure/resetPassword' method='post'>
<input required type='password' name='pss'>
<input value='change' type='submit' >
</form>
There must be some tricks. I've searched a lot but no luck.
Thanks.
No, there is no practical way to hide the action from the user. Even if you figure out a way to hide it here and use JavaScript to set the action at some point later, the user can always look at the network request and see what data you're posting and where you're posting it to. So don't even bother.
I want to hide the form action from the browser. Is there any way to hide
this?
Yes. But this won't add security, just obscurity. Have no action at all and post the form to the same page, then let server logic initially inspect the POST and forward it on to your processing page behind the scenes on the server side.
Going a step further
To be frustrating for attackers, have a resource load on the form page with a changing URI, e.g. <img src="validImage.png?nonce=892489"> so the attacker has to GET the form page, extract the image URL, GET that so the server notes that this has been separately requested, then POST (An advanced form of this is called CAPTCHA). It's sometimes fun to cause frustration like this, but it's just frustration, not security.

upload and process user selected file in html, javascript and php

I want to have a user select a file and then have php put the contents in db. Now the last part (processing the file in php) is easy. But is there a way I can process a user selected file without a new page load?
If I use the following:
<FORM ACTION="upload.php" METHOD="post" ENCTYPE="multipart/form-data">
<INPUT TYPE="file" NAME="somefile"><BR />
<INPUT TYPE="submit" NAME="submit" VALUE="Upload">
</FORM>
Page upload.php automatically loads after which I can insert the uploaded file in a database.
I would like to use a combination of javascript, php and xajax to process the file. I don't think something like this is possible:
<FORM ACTION="javascript:xajax_proces_file()" METHOD="post" ENCTYPE="multipart/form-data">
<INPUT TYPE="file" NAME="somefile"><BR />
<INPUT TYPE="submit" NAME="submit" VALUE="Upload">
</FORM>
Because the file is not uploaded when function xajax_process_file() is called. Or is it? I think I do not fully grasp the principle of uploads with javascript, html and php.
Any help and or clarification is much appreciated.
It may help to think of this as a two step process.
First, the user fills in the form and submits it - step one.
Second ( which is the default action ) the specified target file takes the input from the form and uses it to do whatever. You can almost think of a form "action" as a link - the default action of a link click is to display the result of the link. The same goes for a form action - display the result of a form action.
Now, it's possible via JavaScript to disable the default action of an element for a particular event. It is also possible via JavaScript to access a browser's HTTP mechanism to send/receive HTTP requests (which is what every page request is - whether from your URL bar or a page link or a Google search result).
And that is what AJAX in simple terms is - using JavaScript to use a browser's HTTP mechanism to send requests to a web server and possibly receive a response back without the use of a traditional click event. You then combine this with the use of JavaScript to "turn off" default actions and instead follow the action specified by you to get information from a server and add it to the page without ever having to refresh the page.
Many times to prevent the default action from taking place for a certain element, you return false in your code. The same goes for your form. Using javascript:
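var form = document.querySelector('form');
form.onsubmit = function () {
    // Use ajax to send the form fields, including the selected file, to the form handler
    var xhr = new XMLHttpRequest();
    xhr.open('POST', form.action);
    xhr.send(new FormData(form));
    return false; // Prevents the default action of the submit event
};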
If you are really new to AJAX, I suggest you check out this tutorial and then this one. Lastly, I would recommend using a Javascript framework like jQuery to help you - it is awesome and does a lot of great stuff, but also has easy and built in functionality for AJAX.
Here is another tutorial to do a form submit with no page refresh (uses jquery).
An alternative is to make the form direct its action to an iframe; after processing the query in the iframe, use JS to clear the form in the parent page.
