I have a project where I am going to create a calculator using PHP. I have done all the basic arithmet ic operation and it is operating well. My only problem is that, if the user for example had already entered numbers and he/she chose to add it, and after that, if the user would want again to enter another input, the previous answer should be erased and the newly entered input should have an empty space first. Here's our code:
Use javascript - when any of the buttons are pressed, clear the input field.
If you MUST use PHP, just set the input's value to value='', so when the page reloads, it's empty.
Related
Problem
I am developing an application (in PHP) in which, I will show the user a report of some derived values based on previous entries he had done and the user will check for correctness - if correct, then the user can press Save button to submit it to database. Otherwise, the user should be able to edit previous entries, but he should not be able to change derived values in that report.
For that purpose, I have enclosed these values in a hidden input field, so a normal user can not alter these values, but if web developers could inspect the element in their browser and change these values.
Can we prevent these type of attack? If so, how?
My thoughts
I can make a string of all hidden fields, encrypt it and save in another hidden field - after postback I can cross-verify actual value and encrypted value.
Is this the correct way to achieve this? and how to do this
What do you think?
It's very hard to get a good idea of what you are trying to do but perhaps a solution could be to display a form with input fields disabled (http://www.w3schools.com/tags/att_input_disabled.asp) then have at the bottom of your page e.g. Is this information correct? .. Then 1 option to Save, and one option for No/Edit. Then do an if(isset($_POST['edit'])) { .. run form again but with input fields not disabled }
Only have your SQL update code in the 'edit' section of the code, and have a seperate SQL update code for the save section which just moves the values from wherever you are grabbing them from, to wherever they need to be.
Hope that helps.
If there are derived values that you need to fill out your form, but don't want to use hidden fields - I suggest using session variables that would contain those derived values as needed. Depending on how many of these forms there are, and how many users will be using them - the overhead is usually negligible with this number of fields (in the 30s)... if you discard them when not needed of course.
I've been reading PHP form handling tutorials, and they suggest using a hidden field in the form so PHP can use something like IF ($_POST['hidden_field'] == whatever to detect whether the form was submitted or only displayed.
But after getting XDebug working with Notepad++ and stepping through the code and observing the variables, it's not clear to me why we can't just go IF ($_POST['submit_button'] == 'Ok') and do away with the hidden field entirely.
After all, there doesn't seem to be a time when the hidden field is set without the other form fields being set too (even if they're empty). The first time through, when the form is being displayed and before it has been submitted, the $_POST variable already exists, but it is empty. I suppose we could also use IF (!empty($_POST)) to see if the form has been submitted?
Is there a special case I'm missing where the hidden field is necessary to detect form submission?
EDIT: Ok, the special case I was missing and that requires the hidden field appears to be this. http://www.vbforums.com/showthread.php?562749-PHP-Checking-if-a-form-has-been-submitted-the-correct-way It seems that if you hit Enter to submit the form, the $_POST variable will not include the value of the submit button. Chrome doesn't seem to behave that way but maybe other browsers do.
Is there a special case I'm missing where the hidden field is
necessary to detect form submission?
To detect the form submission you don't need a hidden field in the form but some times it's used as a spam protection. For example, if you put a hidden field in your form, like
<input type="text" name="humans" id="humans" class="humans" />
You may use a css class to hide the filed like
.humans { display: none; }
and when you check the form submission, you may also check if the field is empty or not, like
if(!empty($_POST['humans'])) {
// it's spam
}
else {
// it's human
}
Because, bots/spammers (using automated script) can submit the form and basically the script tries to fill up all the fields and doesn't know about the hidden field that you have put to catch it and this way you may determine whether it's submitted by a human or bot. You may read this article for more information and better understanding of spam blocking..
No, you have the right idea.
I wouldn't recommend doing this, however - sounds like whoever wrote the tutorial is a bit of a newbie. ;) If you're using POSTs for your forms already, I'd stick with the more traditional (and simpler) method of detecting whether the form was submitted or if someone is just viewing the page by means of the HTTP method ($_SERVER['REQUEST_METHOD'], as "GET" or "POST" in PHP).
Why implement a [hidden] field to check if the form is submitted when you must have other fields to check by if you have a form in the first place.
Other than checking if submitted, the hidden field is redundant, and so just pointless extra code.
If you have multiple forms on a page, name the submit button, if only one, just check if $_POST isset(), then go about validating data, etc etc
You can use !empty($_POST) instead, but I try to avoid this (depending on scenario) as I like to tell the user they did not enter anything, otherwise user clicks submit and it just hows them the blank form again.
Sure they would likely know they're messing around, but perhaps they thought they typed something, for numerous potential reasons.
Always good to keep users appraised, especially of any potential mistakes on their part.
There is no difference in using a hidden field just to check that the form has been submitted.
But let's say you want to dynamically post a value that there is no reason to show in the form.
For example you have an array $user that holds all the data of a user. The user submits the form, and you pass as a hidden field $user['id'] to work with their id after the submission.
Or you find their language through IP or whatever and pass it as a hidden field to show a message in their language.
Although I don't do this myself, I would say that it can be useful to undermine curl or other methods of accessing the site outside of a regular browser - of course the hidden field has to differ with every request.
Yes, there are multiple use of hidden field to validate a submit
as you mentioned, differentiating between form view and submission.
as #kingkero mentioned, a way to block form auto submissions by robots.
and in case of editing an existing record
a primary key is required to locate original record, and it should be hidden so user can't change it
you can save old data somewhere in server side before sending to browser and then send a reference key to that data as hidden field, later it can be used to compare old and new data to determine what has been changed.
in multi-user system, if more then one user select to edit and save a specific record at the same time then there is chance that they can overwrite each-other!! to prevent this situation a hidden field can be used to determine and notify user if selected record has been changed during form load and submit period.
I have searched over SO for quite awhile so I apologize if a similar question is asked and answered but I don't believe there is.
I am using a PHP validation script and jQuery Validate to process all of the forms on my site. With known fields, no issues. However, there are pages which a user can enter additional person(s) information.
A user is asked to enter his family member's names in a form. The user can submit the form or choose to add additional family members to the form. I have not quite figured out how to properly cycle through all the fields and display unique messages based on the users input in jQuery but know I can do so with metadata and the validation plugin.
My issue lies with PHP. I can take each array and run though foreach loops, however, if an error is found in ANY field, an error is generated and the form is displayed again with all fields' previously entered data. I am unable to determine how to point each field's original data to it given the fields are built dynamically when errors appear.
The SIMPLEST METHOD I can come up with for demonstration is this:
A user must enter the percentages of pie he wants his friends to eat.
He must give out 100% of his pie. The user can choose to dynamically
add friends to his pie eating extravaganza but each person must
receive atleast 1% of the pie and they must all together eat 100%.
Sample code
I have created a sample script here which shows the form setup but obviously there is no PHP backend to test. You will need to use your imagination the backend works (I have added into the comments in the html). The same principle would apply with PHP SESSION variable since this data would need to be passed from page to page (if a user revisits this page, the amounts entered for each piece of pie should display). Also, I think it goes without saying but this data MUST BE validated server-side.
Will you not be reloading the page in the event of a PHP error? In which case you know the index of the error in the foreach loop, saved off to some variable - most likely an array to handle multiple errors. When you print the options back out and you are looping through the submitted array again can you not add an additional css class to the text box when you reach a count that is in your error array.
I am using a Joomla form add-on.
the form already captures logged-in user-name on submit.
Now I want to create two fields
verified- a button field, which allows me to add javascript code for the button.
Verified by - (it can be a calc field type, where I can use both Javascript and PHP)
Every time the button verified is clicked, the verified by field captures the logged in user's name, if the button is clicked second time by another user, it adds the name of that second user in the verified by field, not overwrite it.
Your question isn't very clear, but from the sound of the question's title you might want to check out MySQL triggers.
I have a form I need to auto fill it using Ajax and php. Suppose My unique field is mobile number. So when form appears firstly person has to fill mobile number. If mobile number exist in the database than all the rest field retrieve its value that is his name, email etc, making all the text fields disable.
my approach to this work is on blur effect I can send value through AJAX. but how call values in array. I have called only single value through echo; but have not called array back from java script page.
Secondly I need jquery to fill all form with respective values and disable particular fields in form.
Please give me some more idea to make this approach better and provide some hint to implement it efficiently.
have you tried Autocomplete from JQuery UI?
http://jqueryui.com/demos/autocomplete/
it is very easy to use, it uses ajax and can be easly used with php. Tell if you will have any problems.
A simple way to do this is to separate your page into 2 forms. The first form will contain only the mobile number field, while the second form will not be initially visible. This way, the user will be forced to fill in his mobile phone before doing anything else.
Submitting the first form will trigger an ajax call to your php file which will check whether the mobile phone exists in the database or not. If it exists, it will return a pre-filled form. If not, it will return an empty form. Therefore, there is no need to change the values of the fields with javascript. Now, all you have to do is to take the response of the php and put it into a div under the first form.