On this form, I have some input field and select boxes that should not be edited by some users.
However, I need those unable fields to be inserted anyway.
I'm thinking about passing those values to a hidden field (should this be done in js ?);
And submit the form by using those hidden fields instead.
Is this a good approach ? Please advice.
You can use hidden fields to pass the data in to your form, but bear in mind that if someone's planning mischief, they can edit the values with tools like Firebug and submit them anyway, so relying on hidden fields may lead to issues.
If you want to be properly secure, you'll have to do everything on the server side - check to see if the client has permission to access those fields when they submit the form. If they do, take the values they've submitted; otherwise, use default values stored in your PHP code instead.
Just put them in hidden field:
echo $form->hiddenField($model,'property');
Just use hidden feilds within your form, like so:
<input type="hidden" name="id" value="00001" />
No js is required.
I would go with disabled on checkboxes and maybe readonly on text fields. The thing is that you KNOW what value they should have when they are submited. So on server side you can just ignore them and use the value you have choosen. And ignore the data if someone is manipulating the post request.
Related
I've been reading PHP form handling tutorials, and they suggest using a hidden field in the form so PHP can use something like IF ($_POST['hidden_field'] == whatever to detect whether the form was submitted or only displayed.
But after getting XDebug working with Notepad++ and stepping through the code and observing the variables, it's not clear to me why we can't just go IF ($_POST['submit_button'] == 'Ok') and do away with the hidden field entirely.
After all, there doesn't seem to be a time when the hidden field is set without the other form fields being set too (even if they're empty). The first time through, when the form is being displayed and before it has been submitted, the $_POST variable already exists, but it is empty. I suppose we could also use IF (!empty($_POST)) to see if the form has been submitted?
Is there a special case I'm missing where the hidden field is necessary to detect form submission?
EDIT: Ok, the special case I was missing and that requires the hidden field appears to be this. http://www.vbforums.com/showthread.php?562749-PHP-Checking-if-a-form-has-been-submitted-the-correct-way It seems that if you hit Enter to submit the form, the $_POST variable will not include the value of the submit button. Chrome doesn't seem to behave that way but maybe other browsers do.
Is there a special case I'm missing where the hidden field is
necessary to detect form submission?
To detect the form submission you don't need a hidden field in the form but some times it's used as a spam protection. For example, if you put a hidden field in your form, like
<input type="text" name="humans" id="humans" class="humans" />
You may use a css class to hide the filed like
.humans { display: none; }
and when you check the form submission, you may also check if the field is empty or not, like
if(!empty($_POST['humans'])) {
// it's spam
}
else {
// it's human
}
Because, bots/spammers (using automated script) can submit the form and basically the script tries to fill up all the fields and doesn't know about the hidden field that you have put to catch it and this way you may determine whether it's submitted by a human or bot. You may read this article for more information and better understanding of spam blocking..
No, you have the right idea.
I wouldn't recommend doing this, however - sounds like whoever wrote the tutorial is a bit of a newbie. ;) If you're using POSTs for your forms already, I'd stick with the more traditional (and simpler) method of detecting whether the form was submitted or if someone is just viewing the page by means of the HTTP method ($_SERVER['REQUEST_METHOD'], as "GET" or "POST" in PHP).
Why implement a [hidden] field to check if the form is submitted when you must have other fields to check by if you have a form in the first place.
Other than checking if submitted, the hidden field is redundant, and so just pointless extra code.
If you have multiple forms on a page, name the submit button, if only one, just check if $_POST isset(), then go about validating data, etc etc
You can use !empty($_POST) instead, but I try to avoid this (depending on scenario) as I like to tell the user they did not enter anything, otherwise user clicks submit and it just hows them the blank form again.
Sure they would likely know they're messing around, but perhaps they thought they typed something, for numerous potential reasons.
Always good to keep users appraised, especially of any potential mistakes on their part.
There is no difference in using a hidden field just to check that the form has been submitted.
But let's say you want to dynamically post a value that there is no reason to show in the form.
For example you have an array $user that holds all the data of a user. The user submits the form, and you pass as a hidden field $user['id'] to work with their id after the submission.
Or you find their language through IP or whatever and pass it as a hidden field to show a message in their language.
Although I don't do this myself, I would say that it can be useful to undermine curl or other methods of accessing the site outside of a regular browser - of course the hidden field has to differ with every request.
Yes, there are multiple use of hidden field to validate a submit
as you mentioned, differentiating between form view and submission.
as #kingkero mentioned, a way to block form auto submissions by robots.
and in case of editing an existing record
a primary key is required to locate original record, and it should be hidden so user can't change it
you can save old data somewhere in server side before sending to browser and then send a reference key to that data as hidden field, later it can be used to compare old and new data to determine what has been changed.
in multi-user system, if more then one user select to edit and save a specific record at the same time then there is chance that they can overwrite each-other!! to prevent this situation a hidden field can be used to determine and notify user if selected record has been changed during form load and submit period.
I am trying to pre-populate a set of form fields by passing info via parameters in the URL. I have been able to do this with html forms before by simply adding the parameters to the URL, for example ?name=John. The variable I enter usually appears in the form field.
I am finding that this approach is not working on the latest form. I have been able to identify the parameter names but when I add them to the end of the URL they are not populated in to the form.
For example using website.co.uk/admin/usersearch.php?email=test#test.com I would expect the email field to be populated with test#test.com but the page refreshes and the form is still blank.
Is this because it is a .php form? Is there anyway round this? I only have the options to use the URL or javascript.
Thanks
Give your field value as <?php echo $_GET['email'];?>
Like this :
<input type="text" name="email" value="<?php echo $_GET['email'];?>" />
There is no such default procedure for pre-populating form fields built in to any web server. So, I'm not sure how you got it working earlier. Maybe the developer had actually coded it such that the form pre-population occurred.
For the new form, you could do as Prasanth suggested. However, since you require only JavaScript or HTML, refer to this prior question for further assistance: How to retrieve GET parameters from javascript?
Basically, what you'll be doing is getting the value of the field from the url and setting the field's value to it in the form using JavaScript.
I have a page with a single form, and a submit button.
What I'm trying to achieve is when some text is entered it's saved to the $_POST array and outputted below. However, what I then want to do is use the same form to then perform the same task (albeit different text), but ensure both/multiple values are saved.
I'm assuming the best way to achieve this would be to save them to an array as the page is reloaded; but i'm not sure where to start.
Thank you.
What you could do is make some hidden fields and init them with the data from the form,
wich has been edited the first time.
Then when it is posted for the second time you could use the values from the hidden fields and the new information from the normal fields
<input type="hidden" name="hiddenFieldName" value="<?php $_POST['normalFieldName'] ?>"
This seems like a simple thing, and maybe I'm just not thinking straight today, but right now I don't see it: How do I post data from a form (in a PHP application) that is not an input field?
The reason I need this is I have a form where the user adds some information in input fields, and this should then update other values in the form based on what the user has entered (doing calculations on this input). This data should then on submit be posted, along with the input from the user.
I tried using form labels, but could not get it to work. For one I couldn't get the value of the form in the jQuery using either .val() or .text(). And I'm not sure if I could get the values of the label in the CodeIgniter function anyway. I also tried simple <p> tags with ids, but that didn't work. I guess it has to be an element with the name attribute...
I'm using a helper in CodeIgniter to get the form values, like so:
$this->input->post('user')
This works fine for input fields, but as explained I need it for non-input elements. Of course I could have input fields that I update in jQuery, but there's a risk that the users will think they should fill them in...
So how do you do it?
How about using <input name="user" type="hidden"> and use Jquery to store the value in there.
Why are you storing input information in non-user-interface elements? Anything you want to be POSTed should be in an input field. Labels are not input elements, they are, well, labels. They label things. What exactly are you doing that you think you can't use input fields? You can disable them, set them to read-only mode, and modify their values in a similar way that you'd modify the text in any other element.
Using PHP; is there a way to check what type of form field was used to enter info in a form.
For example: was it submitted via a list/menu, radio button, text field, textarea, or checkbox.
I have this info stored in the database; but I'm trying to see if there is a way to do it without querying the database or using hidden form fields to pass the field type. Basically is there a function that already does this?
I don't know of one though I'm sure someone else might pop up with an answer. But if the forms in question are of your own design you could name the inputs as checkbox_ or textarea_ prepended to your normal name. Then parse them on the form processing side.
The data entered into a form will be submitted as a set of key:value pairs only.
With standard HTML form elements only there is no way of telling what type of form field was used to gather a particular value.
Only name/value pairs are passed through the Post data, so you would need to mark it in the field name to give your server script a hint of what it is. You could do this with a prefix/postfix. Depending on where you are in your project, you may want to look into using a framework and taking advantage of the advanced form handling options that they can give you.