What is PHP action? Is there anything called as PHP action? I tried to google it and look up different web forums but was not able to find anything related to this. A recruiter had sent me an email where he wanted someone with skills/experience in "PHP action". Just curious.
If it stood on its own like that, my guess is the recruiter doesn't know what he's talking about. Maybe it was a copy+pasting error from "Actionscript" or something.
"PHP Action" is not a defined term. At least not one I have ever heard of.
My tendency would be to respond anyway, and then sort the details out later when getting interviewed by the actual employer.
Action is a term used throughout the Symfony Framework 1.x, perhaps he was referring to that. They are basically page controllers. Few examples:
// apps/myApp/modules/myModule/actions/actions.class.php
public function executeIndex() {}
public function executeResult() {}
he Action attribute is crucial. It means, "Where do you want the form sent?". If you miss it out, your form won't get sent anywhere. You can send the form data to another PHP script, the same PHP script, an email address, a CGI script, or any other form of script.
In PHP, a popular technique is to send the script to the same page that the form is on – send it to itself, in other words. We'll use that technique first, but you'll see both techniques in action.
So we're going to be sending the form data to exactly the same page as the one we have loaded – to itself. We'll put some PHP on the page to handle the form data. But for now, save your work again and then click your submit button. You won't see anything different, but you shouldn't see any error message either!
Once your script has an Action attribute set, you can then Submit it. Which we'll see in the next part.
Related
I am a little new to PHP, and I have gotten in the habit of creating a specific file that handles all the form processing.
For example, I have one PHP file that displays the actual form, let's called it "registration.php" for example, and it specifies as its action "registration-process.php". A user fills out the registration form on registration.php, hits submit, and the data is POSTed to registration-process.php because it was specified as the action file by the form.
Now my question is this: Can't someone who knows what they are doing POST data to registration-process.php without going through registration.php? This would have the potential to lead unexpected consequences.
Is there any way to ensure that registration-process.php will ONLY accept POSTed data from registration.php? Like maybe a hidden field with a value that gets encrypted via some PHP code, and that value gets checked by the registration-process.php file? I wouldn't know how to do that, however, or if that's even the best solution.
Yes, using a hidden "security token" field is a common way to verify a forms integriy. Many public forums are using this method.
Try Google for php form security token or check out this site:
http://css-tricks.com/serious-form-security/
Can you only accept POST data from one location, probably. It is worth it, probably not.
As long as you are validating your form fields correctly (make sure what you're getting is within the realm of what you're expecting) there won't be any negative consequences of leaving it so anything can POST to it.
Also, technically you can send POST data to any file on the web, it just depends on what the file does with it whether or not it means anything.
Also, what Mario Werner is talking about is CSRF tokens. That won't stop other things from posting to your site, it just adds a level of security that makes sure the request came from the right place. For a detailed explanation, you can read this: http://en.wikipedia.org/wiki/Cross-site_request_forgery
I have previously used PHP CURL to submit web forms by using the post URL.
I'm trying to automate the process of logging into a website, I can't change server side code.
The submit button on the HTML form uses the action of javaScript:submitForm() how can I submit information to this form using PHP.
Is CURL still an option?
Thanks!
You'll need to find the function declaration for submitForm and see where it is posting to. Then you can use php and curl to submit.
Edit:
Since the submitForm function doesn't change the form action, you can still use the action in the form tag.
Regardless of how client-side code is crafting the form submit, it still needs to send an HTTP request to the server. If you can do this manually by interacting with the site in question, then capture that request using browser debugging tools (FireBug, Chrome dev tools, etc.). That should have all of the information needed to craft a custom request of your own.
Note, however, that the website in question might have measures in place to prevent something like this. Especially if they're using a framework that handles the form posts for them (such as ASP.NET WebForms or anything like that). They may be emitting a form field to the page which contains a one-time-use token to be validated in the subsequent form submit request. If that's the case, any time you want to craft an automated form submit you'll first need to craft an automated request to parse out that token so you can use it in your submit.
If they take even more involved measures to prevent what you're doing, then you're going to have more of an uphill battle automating it.
I'm preparing my paypal system and have a separate page that forwards the user to paypal. This page currently creates a form with all the needed hidden fields and then submits itself using
<body onload="form1.submit()">
However, when Javascript is not activated, the user gets stuck at this page.
What other method could I possibly use directly in PHP to solve this problem?
Just do the relevant request in PHP, for example using the curl binding.
PHP uses the header() directive, in which you can forward someone to another url. Not sure about your other information. If PayPal allows that to be sent in the GET string, this could work for you. If it has to be POST, then you're probably out of luck.
Or, you can use the cURL library if PayPal returns a url for you to forward the user to.
Another option may be to allow the user to physically click the submit button for the form, and use JS to hide the form itself or something.
PHP runs on your server, so without an intermediate language (like JavaScript), you are out of luck.
When you view a PHP page, the PHP engine runs the code, gets the output, and serves a plain ol' HTML page to the user. The user never interacts directly with the PHP code, only with the output.
As indicated before, you can fall back on a header() redirect with GET parameters.
header('Location: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=youremail#example.com&amount=1¤cy_code=USD');
Just append the URL with any parameters you need in name=value pair format, a list of which you can find here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_Appx_websitestandard_htmlvariables
Why not just provide a more manual solution for users with Javascript disabled?
E.g. if the user has Javascript disabled, just show a submit button where they can manually move themselves along to PayPal?
Presumably, users with Javascript disabled are somewhat accustomed to a lower quality of service across the web.
If a user tries to log in and the login fails the page should display an error message to the user. There are two main ways I see to do this: use a form action on the HTML page and in the php script if the login information is incorrect redirect with header to the login page with a $_GET value like loginfailed. The login page would check for this value and if it exists it would display the error.
The second way I see to do this is not use a form at all and instead use JQuery to capture the submit button press and use AJAX to determine if an error occurs. The php file would echo back a status and the javascript file would interpret it and if it was loginfailed, it would use JQuery to append the error message on to the page.
Now I will go over what I feel the pros and cons of each method are.
Method 1 Pros:
Very simplistic with no need for JQuery, Javascript, and AJAX.
The error status is displayed within the URL as well.
Method 1 Cons:
Since there is a header call, a redirect is necessary. Also, the login page must be reloaded. It is a small page but it is a reload nonetheless.
The status message is displayed in the URL. This means that users can type in status messages in to the URL and receive error messages on the page for errors that did not actually occur. Is this a problem? Maybe. Maybe not.
Method 2 Pros:
Since it is using AJAX, there is no need to load another URL and thus, no extra page is loaded.
This method uses JQuery to update the page with the error message so no redirect is necessary.
The error status is not displayed in the URL.
Method 2 Cons:
Much more complex than the first solution.
An external javascript file is needed and must be loaded every time the login page is accessed regardless of whether or not it is used.
The default behavior of the submit button is overridden and annulled. Its only behavior comes from its interaction with the javascript file.
What would SO do? I would like to stay away from answers such as "it depends on how much traffic your site would have" if that would be at all possible.
Always use the simplest solution possible until/unless there's a very good reason to do otherwise. It's better to finish something that's maybe (and maybe not) less than ideal than to deliver something gold-plated eventually, maybe.
Also, I generally prefer to follow a progressive enhancement strategy, such that everything works without Javascript, and then add Javascript to make it work in an improved manner. This has the added benefit of being functional, even when/where Javascript is disabled.
I think you fail to grasp the matter.
Login is not something self-sufficient. It is used to change state of the site. But with no reload it will not be changed. So, page reload is required anyway. or user will have to do it manually to get access to the authorized section.
Is login the only site feature that uses JQuery/AJAX? If not - why you're worrying about loading this library once, when most likely it will be loaded at every page?
There are still clients with JS disabled, for various reasons. A good web application will always let these clients in, even at cost of less functionality.
The latter is the main question, most important one. Why to choose between two? Why not to use both? - one for compatibility and another for usability?
So, I'd suggest to create basic functionality using GET to pass come codes, not messages.
And optionally improve it with some AJAX bells and whistles but with JS-based reload on succesful login anyway
I am working on a PHP application and missing some of the functionality that Rails has. I currently have an AJAX form that when submitted accesses my_page_save_ajax.php. After I process the form and save it, I would like to redirect the AJAX call to either my_page_show_ajax.php if successful or back to my_page_edit_ajax.php if an error occurred.
I have thought about using an include my_page_..._ajax.php, but I have always had problems with the file paths and PHP not knowing what to render. Not to mention, both of those files include utilities.php and I'm afraid there might be conflicts. I guess I could use include_once but it seems like there might be a more elegant solution.
How can I process the form and return the output of another PHP page?
Thanks very much!
If you redirect the AJAX response, it won't actually redirect the user's browser anywhere. It will simply affect what data comes back through the AJAX call. This may be a good instance to simply not use AJAX, since it sounds like the user may go on only one of two paths.
If you still want to redirect the user, you could send back a javascript snippet which redirects the user via setting window.location