I'm writing a site in PHP.
And I have a simple registration form.
<form>
<label...></label> <input .../>
</form>
I want to add a confirmation field:
<input type='hidden' name='hiddeninput' value="jn3kjnv3kjvn35">
But how does this code look on the server side?
Do I need to save every hidden value to the database whenever registration form is loaded?
I'm trying to make sure the form is not being filled in by bots.
That's why I need a random hidden value that is unique for every form submission.
Suppose every time I generate the registration page - I generate the unique value for "hidden" field.
When the user submits the form - how do I compare the submitted value to the one that was generated (as once it's generated - it's not stored anywhere in the site).
Basicly , you should use a function that generates a random string (hash for example)
and sessions to "remember" this string.
Aftet submitting the form , you'll check the INPUT's value and cross it with the SESSION's value.
For instance:
Form.php
<?php
$hash = md5(time());
$_SESSION['form_xx'] = $hash; //in case you have more than one form.
?>
<form method='post' action='do.php'>
..
..
<input type='hidden' name='secret_key' value='<?=$hash?>'>
</form>
do.php
if($_POST['secret_key'] == $_SESSION['form_xx']) //Just make sure your making the posted value SAFE
//He's ok.
else
die("arggg...those hackers");
You need to add a name to the field, too. It works like pretty much any other HTML field.
I now use Ruby on Rails framework that solves it out of the box.
Related
I have a page that contains a form. This page also has a PHP script to set some variables.
These variables are then submitted as hidden values when the user clicks submit.
I have a requirement to take a users entered value (amount) and then set that as a variable inside the PHP , then post the form. Is this possible ?
I cannot just sent the form submitted value as it must go through a MD5 hash first in the PHP script. This is a requirment for Realex creditcard payments.
I was thinking this might be possible with JavaScript?
EDIT
Just to clarify , the page has PHP (simplified here for example)
<?php
$amount ="";
$tmp = "$timestamp.$merchantid.$orderid.$amount.$curr";
$md5hash = md5($tmp);
$tmp = "$md5hash.$secret";
$md5hash = md5($tmp);
?>
All of the above variables are pre-defined and dont change, however the amount is dependant on what the customer enters.
The form is on the same page as the above , so when the customer enters a value , then hit submit ... this along with the md5 hash above is sent.
<form>
<input type="text" name="donate_amount" value="">
<input type="hidden" name="AMOUNT" value="<?=$amount?>
</form>
but Im not sure how to do this dynamically before posting.
I'm not sure if I'm getting this correctly without seeing code, but from what I got from it what I think you want to to is save whatever it is to a session.
so if its coming from input
$_SESSION['derp'] = Hash::howeveryouhash($_POST['derp'])
or if hash happens after input is gotten just save the hashed input to a session?
I'm not sure if this what you meant, but if it is, be sure sure to reference the php manual to insure proper use of $_SESSION!
You need to know the final amount before you create the hidden form Gary. There's no point creating the hash without it.
You should ask the user for the amount they wish to donate on the previous page. Then you can present a final "Donation Overview" page containing the hidden form, and the "Proceed to Payment" button.
Whatever you end up implementing, don't put the Realex shared secret in the javascript on the page! This must be kept secured on the server side.
How about doing this:
<input type="text" name="amount" onchange="ajaxFunction(this)" value="" />
Then when the input field changes the function ajaxFunction calls a PHP script sending the value. In the PHP script you can store the value in $_SESSION['amount'] for later use.
function ajaxFunction(obj) {
$.post("store_amount.php", { amount: $(obj).val() } );
}
Requires jQuery.
How can I submit a form to itself without clearing the data in the fields using HTML, javascript and PHP?
You could take different approaches (e.g. cookies, jquery, etc...), however HTML + a line in PHP are more than enough in this case. Try this example code:
<form name="test" method="post">
Your Name: <input type="text" name="YourName" <?php if (isset($_POST['YourName'])) echo 'value="'.$_POST['YourName'].'"';?> >
<input type="submit" value="Submit">
</form>
In the code above if something has been posted to the receiving page (that can be the same page, such as in your case), then the posted value is printed out in the corresponding field. You can use this approach for all the fields composing your form.
If you want, you can also use similarly the $_GET method in the form.
If you use the traditional form submit, you need to save the parameters and rewrite the form input elements when you write the form the next time. But a better way is to use AJAX -- then the field data is sent without a form submission, and the input elements retain their data. See this link: http://www.w3schools.com/ajax/default.asp
I have a <form> with an action attribute.
I would like to change the value of action based on the value of an <input>.
The value is provided by the user. If the value is page1.php, the form will be submitted to page1.php. If the value is page2.php, the form will be submitted to page2.php, and so on.
Right now I'm achieving this using JavaScript, however it doesn't work on a browser with JavaScript disabled.
Is there any way to make the action non-static without JavaScript?
You can do this without invoking any javascript at all.
PHP example;
<?php
/*if no destination was set previously the form will post back to itself*/
$action=isset($_Request['destination'])?$_Request['destination']:'';
?>
<form name='a-form-name' action="<?php echo $action;?>">
/*include other inputs etc as required.
Include a 'destination' input in _all_ forms involved.
You can of course name it whatever you like. But should always be the same name in all forms involved.
*/
<input type='hidden' name='destination' value='the-desired-destination-of-next-action'>
<input type='submit' name='whatever' value='Click here'>
</form>
When you press the submit button it will go to whatever destination you set in the previous submission or 'destination' in the url query string.
You can even make the destination hidden input's value dynamic by using a variable instead if need be. Branching can be quite easy and extensive using this method.
HTH
If you just want to receive the value on the server side, than using get as the form's method will work (you end up with page.php?my_var_name=my_var_value).
If, however, you want to direct the form to a completely different page based on the value of your input, you'll either have to use JS, or have a "catchall" page on the server side that gets the form and redirects to the final page based on the value.
After filling the form when submit, accidentally due to some filling error ,the form is not submit and return to back,in this condition the value of all text box is blank. i want to stable value of all fields in this condition . I'm using php with smarty framework. Please reply with solution as soon as possible.
Thanks.
If the form is submitted to the page that contains it then you will have access to the submitted values, and can use them to populate your form. For example, if you are submitting the form via POST:
<input name="something" value="<?=$_POST['something']?>" />
If you are submitting the form to a different script, you could send the values back to the page with the form as URL parameters, or you could use temporary session variables, and unset them when the input passes whatever validation you are using:
$_SESSION["temp_something"] = $_POST["something"]; //In form processing script
Then in your form:
<input name="something" value="<?=$_SESSION['temp_something']?>" /> <!--In form-->
You can fill the form fields, on the second round, by filling the content inside the value attributes of html tags, like so:
<input type="text" value="<?php echo $_REQUEST['test']; ?>" name="test">
Pay attention: this is a fast and simple solution. It gives you an idea. In good web programming practice you should sanitize the form data received by client in order to avoid security issues.
I have a form with two submit buttons.
The user fills field-A and hits submit.
Done that, some input fields will be filled with data.
After that first submission, the value on the field-A should not disappear.
How can we preserve this value after the first submission?
Should we, on the field-A value attribute, place:
value="<?php echo isset($_POST['fieldA'])) ? $_POST['fieldA'] : ''; ?>" ?
The form submits to self.
Update - Additional details:
This is a form that will have two submit buttons on the same page (sort of speak).
Submit Button A - Will grab some data based on a input field, and fill the other input fields on that form.
Submit Button B - Once the form is filled, it will use all that data to do another submission.
This is a very simple case, no frameworks are in place here. I do have, however, some sort of MVP structure here.
Thanks in advance,
MEM
In general, such things being done using 2 forms, no one.
And GET method, not POST. At least for the first form.
But as you cannot ask a question, it's impossible to give you an answer.
Here you go:
index.php
<form action=edit.php>Enter name: <input name="name"><input type=submit></form>
edit.php
<? $row = dbget("row","SELECT * FROM domains WHERE name = %s",$_GET['name']); ?>
<form method="POST" action="save.php">
Edit data for <?=htmlspecialchars($row['name'])?>:</br>
NS: <input name="ns" value="<?=htmlspecialchars($row['ns'])?>"><br>
Another: <input name="another" value="<?=htmlspecialchars($row['another'])?>"><br>
<input type="hidden" name="name" value="<?=htmlspecialchars($row['name'])?>"><br>
<input type=submit>
</form>
save.php
do whatever you do usually to save info
I would store these values into $_SESSION, as user fabrik said. This way they can be stored across the entire form submission process(assuming it is multiple pages) and posted all at once at the end.
Assuming you're having some kind of submission system with a "next" button to go to the next set of forms, using session_start() and $_SESSION is certainly the best method. More information could be found here, or various tutorial sites--
http://php.net/manual/en/reserved.variables.session.php
It's ok to do that with $_POST, some people dont like the ternary operator but for me it works just fine. Although, there are better ways to deal with forms using O.O.P. You could create a class that manages your form, and pass an array to the constructor of that class (eventually you could pass the $_POST) and the class will create your form according to the info submited. You could even use the same class to valdidate your form
I don't see the need of using $_SESSIONS, cause this is not information that you need to preserve during the whole session.. or not?
Try this:
<?php
$fieldA = (isset($_POST['fieldA']) ? $_POST['fieldA'] : '')
?>
// and in your form
<INPUT type="text" name="fieldA" id="fieldA" value="<?=fieldA?>" />
as you mentioned, this should work.