I have a page with three different forms. The second has to have access to the post vars submitted by the
first. The third has to have the cumulative post vars.
Even though an element such as a hidden field has the same id as another form element, it should
be valid if it exists under a different form element, right? I have done this in the past without problem
as far as submission processing, but the xhtml doctype syntax checker in my text editor (BBedit on Mac OSX) marks
the re occurrence of an element id as an error.
To be completely valid with respect to doctype I have to use xhtml transitional to allow name attributes (forms
won't submit with out them)
I don't want to have three different sets of hidden fields to transmit the same values for each different form
That requires huge amounts of redundant processing on the server side.
Thanks for reminding me that I can use the same name attribute and different ids. Sometimes I get wrapped up
in details and loose sight of the bigger picture
By the way, I posted a problem with using one form for the entire setup at:
https://stackoverflow.com/questions/21315920/browser-caching-post-vars
and I have not received any definitive answer there.
The id attribute MUST be unique per document. However, if you simply want various fields to accessible using the same key server-side, simply set the name attribute. name has no such requirement and can differ from the id.
Related
Can we somehow pass the type HTML input attribute value to the $_POST array or grab it anyhow else with PHP?
I am aware that I can create a hidden field and basically put the type of the real input into the value of the hidden field, but this seems a bit like "repeating" work to me.
I want to create a Form, where input values are submitted to the $_POST and I can detect the type of that input without the need to hardcode/map the single inputs to each a type.
In this way I could detect the field type and act upon without the need to create a "map" that maps my custom inputs (by name or ID) to a certain type, which I already declare in HTML form anyway.
It seems a real shortcoming that the type of an input is undetectable in a Form Submit - or perhaps (hopefully) I miss something?
Can we somehow pass the type HTML input attribute value to the $_POST array or grab it anyhow else with PHP?
Not per se.
I am aware that I can create a hidden field and basically put the type of the real input into the value of the hidden field
That is a way to do it.
It seems a real shortcoming that the type of an input is undetectable in a Form Submit
Usually you know what type of data you expect for a given field because you aren't processing them generically, so it would rarely be a useful feature.
perhaps (hopefully) I miss something?
No.
Well here is the breakdown;
GET accessed via $_GET in PHP tackling and POST accessed via $_POST in PHP are transport methods, so is PUT, and DELETE etc for a from it does not matter what method you use it only works on client side and only knows to map every thing in it into serialised query string or at least have it read for being serialised.
For example
<input type="text" id="firstname" name="fname">
it takes the name attribute and converts into this
?fname=ferret
See it didn't even bother with ID attribute. When we hit submit button form will only run through name attributes of each input and make LHS of the with value and add user input as RHS to the value. It will not do anything else at all.
On PHP side we ask $_GET tunnel are there any query strings in the request or $_POST tunnel. Each of these if there is any query string - emphasis on word string. explodes the string into array and gives it you. hence $POST['fname'].
Looks something like this
$_POST = [
fname => 'ferret',
someothingelse => 'someothervalue']
SO what you are trying to do is or at least asking to do is ...make browser change its BOM behaviour - which we cannot in real sense of the matter; to make form add some thing like this.
?fname=ferret,text
?fname=ferret-text
?fname=ferret/text
form by default will not do this, unless you run custom function updating each query before submit and that is pron to what we call escaping, 3/100 time you would miss it given the chance
Then on PHP side you want PHP to figure out on its own that after slash is type like so
$_POST = [
fname => 'ferret/text']
PHP would not do that on its own, unless you fork it make custom whatever like Facebook has done and then run it or at least make some kind of low level library but that too would be after the fact.
in case your not wondering, thats how XSS and injections happen.
SO query string standards are rigid to keep things a string with militaristic data and serialised.
So yes what you intended to do with hidden field is one tested way of achieving what you are want.
I am doing programming in PHP and HTML these days. But the problem I am facing is that many times the data is accepted by the PHP engine using NAME attribute used in the HTML syntax of Forms but many times (like when there was a multi-radio button program) ID and NAME together gave me the required output.
Can anyone here give me a nice explanation of the concept and the difference between these two? I already tried googling but I could not understand.
Help will be appreciated :)
The name attribute is used on form controls (like <input>) to associate a known label with a (possibly) variable value that will appear in the submitted data. It does not have to be unique, but PHP will only handle multiple fields which share a name properly if that name ends in [].
<input name="foo" value="bar"> will be available through $_POST['foo'] or $_GET['foo'] when the form is submitted.
The id attribute can be used on any HTML element so it can be referenced with client side technologies (such as <label for>, JavaScript and fragment identifiers in URIs). It does have to be unique.
NB: It is possible to use a name attribute to reference an element with client side technologies, but it is almost always a better idea to use id (or class for groups of elements) rather then adding a name attribute.
I'm passing user-generated HTML into a database and I'm trying to make sure that no malicious code is passed through. One of the steps I'm taking is to run passed code through pear's HTML_Safe class to remove vulnerable markup. However, one thing I've noticed is that the name attribute of submitted elements gets removed. Sure enough, when you look at the source code, name is one of the few attributes that's blacklisted by default:
http://pear.php.net/package/HTML_Safe/docs/latest/HTML_Safe/HTML_Safe.html#var$attributes
What's the danger in allowing users to pass values for name? How can values for name be used to nefarious ends? Any thoughts? If not, I'm tempted to modify the blacklist.
In HTML form elements, the name attribute is used as an identifier. Therefore, if you allow name then someone may be able to override your HTML name attributes (that you may have used) with one of their own. The first matching name found is often the one used by either Javascript or server side processing.
This would then allow someone to exploit any possible Javascript or server side form processing you may be using that references the first matching name attribute found.
It is not just form elements that can use name, but they would be the least safe ones.
Another override issue is if you are using Javascripts getElementsByName in any of your functions (as pointed out below), you could end up with a function that does not do what you expect.
Edit: Some corrections and a note about getElementsByName issue (as pointed out below).
I've Googled this and browsed through SO and Programmers.stackexchange and not found a mention.
Background:
I'm working on a project where the users and the designer would like me to truncate the text I output to an updateable form for visual appeal. They don't want the text to be cut off by the end of the input field and want the text in the box to fit the length of the box.
Problem:
I know how to truncate the strings and I know how to get my script to ignore fields that weren't updated. What I don't know how to do is keep the data integrity from breaking down when users start updating the fields. Because the fields would no longer contain the full value, this seems like it would introduce serious flaws when I update the database.
Question:
Is there any way that I can give them what they want in terms of a truncated presentation, and then cause the full text of each input to appear if they try to edit that input... or do I just have to go back and say "What you want can't be done?" I'm open to other suggestions too. :)
I think you may be looking for the text-overflow CSS property.
If I understand correctly, you have a few challenges here. You need to display some data in the form truncated, which is relatively simple. You also need to make the data display in full if it's edited, and also substitute in full data for truncated data when the form is submitted, but avoid wiping out changes that your users have made.
You could do this with jQuery. Display the truncated data, but use .data() to store the full data. Also use .data() to store a flag on each field so you know if it has been edited or not. When a field gets focus, sub in the full data. When the form is submitted, check each field's flag to see if it's been edited. If it has, leave it alone. If the data has not been edited, remove the field contents and swap in the full length data. Then submit the form.
You'll present truncated data, allow the full data to be edited, and avoid submitting the truncated data if it's not edited.
I would consider something along the lines where you keep properties that contains the truncated string and the fulls string, and use the truncated string for display purposes. When they click into the form field, you could replace it with the full string. If there are no changes, then the value of the input would match the full string property. Along that principal, if they didn't change anything replace it, with the truncated string again.
If they have edited anything, you could then dynamically create an edited property to store the edited version of the string from the input field.
Basically at this point it would just be some simple property tests/equality checks.
Im building a wordpress plugin for client that does a number of jobs.
My goal is to simply get all the input tags in some html and use the data.
I have some html(that contains inputs)
The user fills the inputs in and clicks save.
Javascript puts the entire htmlinto another hidden input for POSTING purposes.
I then retrieve the html from posted item ie: $_POST["my_html"]
I get the input elements using the DOM. getElementsByTagName.
But the input values are EMPTY.
Am I doing something wrong. Can this be done (above) ?
Why choose such a difficult path? Just submit your form normally and get the values from $_POST. As for your method, my guess (since no code is provided) is that you try to add whole DOM element as a string. You need to set each's elements value (element.value) not the whole element. I could clarify my answer if some code could be provided.
The correct way to serialize a form is not to store its' html markup. You should be storing key-value pairs instead, which can be neatly serialized in a number of ways, JSON being a very popular and easily graspable method.
There's also the possibility of submitting your form directly to the handling script, which has been a working solution since HTML 2.0.