I'm designing an e-commerce site where I have no access to the server-side code at all. It's an off the shelf thing. Anyway, I despise forms with labels. They're the ugliest things on the planet.
I want form values which delete onfocus and reappear onblur etc. However, due to having no access to the PHP, I can't validate the form so it won't send when "Email Address" is typed in etc.
Is there any way around this without access to the PHP?
You can also do it with CSS+Javascript
Position the Label over the textBox in JS so that if JS is disabled, the label will be somewhere else and hide it onFocus.
This way your textBox are always empty by default.
You should also do form validation in JS.
If you really have no access to the server, javascript is pretty much your only answer. You could get really clever and have a proxy or something that intercepts traffic and re-writes the webpage, but that would require access to the network of anyone who will be using this site.
The javascript solution will require the client to take some action (i.e. a greasemonkey script they have to install).
If you want form values appear on onfocus event etc. it's ONLY possible throught javascript and has nothing to do with server side code.
If you want form validation, then this MUST be done on server side (PHP) and SHOULD be done in client side (javascript), for better user experience.
And what do you mean that you don't have access to source files? How can you modify even the client side then (other than for yourself)?
Related
I have previously used PHP CURL to submit web forms by using the post URL.
I'm trying to automate the process of logging into a website, I can't change server side code.
The submit button on the HTML form uses the action of javaScript:submitForm() how can I submit information to this form using PHP.
Is CURL still an option?
Thanks!
You'll need to find the function declaration for submitForm and see where it is posting to. Then you can use php and curl to submit.
Edit:
Since the submitForm function doesn't change the form action, you can still use the action in the form tag.
Regardless of how client-side code is crafting the form submit, it still needs to send an HTTP request to the server. If you can do this manually by interacting with the site in question, then capture that request using browser debugging tools (FireBug, Chrome dev tools, etc.). That should have all of the information needed to craft a custom request of your own.
Note, however, that the website in question might have measures in place to prevent something like this. Especially if they're using a framework that handles the form posts for them (such as ASP.NET WebForms or anything like that). They may be emitting a form field to the page which contains a one-time-use token to be validated in the subsequent form submit request. If that's the case, any time you want to craft an automated form submit you'll first need to craft an automated request to parse out that token so you can use it in your submit.
If they take even more involved measures to prevent what you're doing, then you're going to have more of an uphill battle automating it.
If I have a form, say a simple contact me form with inputs for name, email, message, etc. And I have the form set to submit using Ajax after the JavaScript validation has returned true on all inputs.
Do I still need to validate the inputs using PHP? If JavaScript is turned off, how could the form still submit? And if the form can't submit because the JavaScript is off, how could that cause any harm?
Of course you need server-side validation! :-)
It's always needed.
Just install this add-on: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/.
It lets you freely modify what goes to the server.
Also, Firebug lets you modify what the browser sees, therefore submits to the server.
Here is an analogy: banks have locks on their safes. But they also have security cameras, and alarm systems, in case the locks fail to stop someone from stealing.
EDIT:
If you are using a contact form (and the script automatically email the person contacting), keep in mind that someone could make your script send 1000's of spam messages, simply by adding addresses to the email field.
To avoid this, you need to do server-side validation. You simply cannot rely on client-side validation.
It's best to do validation at server-side as end-user can do more than just turn on/off JavaScript.
As JavaScript is available at client-side, a malicious user can alter the client-side validation to make malicious inputs pass the client-side validation.
It's always better to trust inputs that are server-side validated than trusting users to not alter JavaScript behavior.
You should always use backend validation to sanitise the user input regardless of the presence of front end validation.
While you are correct that the form cannot be submitted with Javascript disabled it could still be submitted by a person with malicious intent by simply sending a POST request to the URL which you use.
I think it's better to have both validation types, every time: client-side (using JavaScript, so no Ajax call is made to the browser) and server-side (using PHP validations).
The form can still be submitted using the Firebug console or other kind of hacks.
A normal user can't do that but... still. If there's a chance it can be done, you shouldn't risk it.
Anyone can submit form to your URL with any data. Even from localhost
So server side validation is a must
I've developed a web application in PHP and MySQL. One part of the system I've been putting on hold for a while now, is allowing my users to create a simple form inside my application, and once they're done, copy and paste some code which I generate into their existing remote websites (IE: Contact Form) where this form should appear.
When visitors to their site enter their data into that "contact form" or whatever they've created, it should save the info into my application database where the users will be able to access it. It must be unobtrusive.
Is there anyone who can give me a good starting point on how to achieve this?
Im a little confused on what youre asking. Are you asking if there is a way to automatically copy the generated form to the clipboard, or how you set the form up to allow it to post data back to your own server?
If its the former, Bradley above pretty much explained it. If its the latter, then there are a couple of ways that you can go about doing it.
If you want it to submit the form without actually redirecting back to your own site, then you need to submit the form via AJAX (read XMLHttpRequest, or the $.ajax() function if youre using jQuery). The only problem here is that it violates the same origin policy since youd be submitting from a different domain. To fix this, you need to setup your webserver to allow cross domain requests so that it'll actually work.
JavaScript cannot access the clipboard to save (copy) text to memory. A general way around this is to use an invisible flash movie and place it over an input button so that 'clicking' the button triggers the flash script, which can utilize the clipboard.
I've used ZeroClipBoard in the past to do this, and I believe some of the syntax highlighting plugins out there use it as well.
http://code.google.com/p/zeroclipboard/
For a system I'm working on I've got a bit of a problem: I'm messing with one of the basic rules of HTTP and I'm allowing users to post data through a GET request.
Don't get mad at me yet: I've got a reason for this: Users arrive in my application from an external environment and I can't prompt them for any extra input (so all necessary data is in the GET query). They should be able to close the browser window right after it opens and the input should be saved. And no, I can't do this through AJAX, an API or other under-the-hood method.
These requirements kind of rule out captcha, calculations, forms etc. So I'm left with the problem that I really do want some type of verification to prevent bots/crawlers from "accidentally" submitting something.
One of the solutions I am looking into is making a very lightweight landing page that submits itself through javascript onload but it would be the ugliest thing in my application so I'm trying to prevent it. Another is to let the landingpage not do any of the processing but instead use an AJAX-call to do this. This would however mean that older browsers (and many mobile phones) would have to use another solution.
Background: Application written in PHP5.3, built on Yii Framework, 100% cross-browser compatible (this includes pretty much every mobile phone out there).
Some more background: The "exteral environments" I'm talking about vary from e-mail clients to websites. Manipulation of our content at runtime isn't possible.
Update: Here's what I'm going to do: I'm probably going to combine solutions posted here in a fallback mechanism so that a chain of verifications will be attempted:
1. Ajax verification
2. Non-Ajax javascript verification (automatic form submission)
3. Prompt for user input (user has to click a confirm button)
Besides this I'm going to implement a bot trap as descripbed by http://www.kloth.net/internet/bottrap.php
After I'm done with building this I'll update the post if I did anything different.
Hard to understand where you app is and where external environment really are. But one simple bot-removal technique I use is to put an hidden field named 'login' or 'name' and give it an empty value.
Human people will never fill this hidden field, but spam bots are always filling it. So you can discard any request with that field being not empty.
Now you must prevent crawlers and not only spam bots. Never did it, but here are some thoughts. You could add a hidden 'human' hidden input in the form on first mouseMove events (but keyboard-only -- and think about blind people -- users will be considered as robots). So maybe if this field is not there you can launch a javascript 'confirm' where you ask "Confirm that you are a robot or click cancel if you are human".
You can make your anchor link containing a default value that this hidden field values will overwrite in js. Most crawlers will not overwrite the values, especially if you must cancel a confirmation to get the right behavior (and avoid confirmation with mouseMove event for most users).
If you are able to modify the place that your users are coming fro, you could try including a checksum. Calculate some kind of checksum or hash of all the fields in the GET request and add it to the GET request itself (i.e. through javascript, but do it in the place your users are coming from, not where they are landing). Then, in your application, reject all hits with an incorrect checksum.
So I am very new to this concept.
So why not go headfirst :) Some things I don't understand;
What happens if js is disabled?
If using mysql databases (ie; checking forms and such) why not just use php?
To confirm what others have said, disabling Javascript will also disable the AJAX call. After all, AJAX stands for "Asynchronous Javascript and XML".
To address why you can't just use PHP, there are some things that just can't be done without it. PHP is great to load the page with the initial information, but after the page is loaded, it actually requires the page to be reloaded to load something else. AJAX allows you to get around this hassle.
For your example of form validation, AJAX can be used to validate the information while the person is filling it out. Otherwise, you are required to reload the page each time someone fills out another field in the form.
Another example is from a project that I have worked on. The form required a zip code and would load the appropriate city and county based on the inputted zip. Using strict PHP, I would need the client to download the entire zip table embedded in the HTML/JS (which would add another 100k at least to the download).
Using AJAX, I can get around this. The user can input the zip code, which triggers an AJAX call that downloads the few rows that I need (this will be less than a few hundred bytes, for comparison).
[Edit:] Also, a tip because you said that you were new to AJAX. If your dealing with some form of authentication (logging in, etc.), remember to validate the user on the AJAX pages themselves. Otherwise, tricky users will be able to access sensitive information for your database.
Ajax just adds to the user experience and allows a web application to feel more like a desktop application to users. So they can delete a record and stay on the same page without reloading, you just let the record disappear.
And remember to validate on the server-side, even if you validate on client-side. Your weakest at your client-side as someone can easily just submit the values straight to your script so ALWAYS check on the server-side and do client-side if you would like to add some nice effects etc.
But you will always need to keep in mind that there are people out there who have javascript disable be it a security policy or just because their paranoid. So when you don't have JS enabled you javascript and AJAX requests won't work. So while developing you will need to make sure that if javascript is not their to do the operation that the form is submitted just like a normal HTTP form, this will allow all those paranoid people to also use your application :D.
OR you could always just deny access to those who don't have Javascript enabled but that's not very nice ... So if you want to check if they have javascript enabled checkout - http://www.w3schools.com/TAGS/tag_noscript.asp - for a example.
AJAX is a Javascript client based technology. If js is disable it simply doesn't work.
Php is a server based technology.
In Php you write pages that are dinamically built by the server. Once built they are sent as html to the client.
Using javascript (and Ajax) you can call the server just to request some datas (hint: look at JSON) or just a little html snippet which is plugged in the current page directly by the browser without requesting a full refresh from the server.
With js and AJAX you can achieve a very rich client experience without reloading a full page every time.
I believe nothing will happen if js is disabled. You need js to grab the data.
If you want to use mysql databases, you can use js to access a php script, which can then return any data gathered from a database, rather than doing it in the page.
AJAX is a way for Javascript (client side) to access PHP/ASP/Whatever serverside language you are using. This means, that if you have an PHP script for getting some data from your MySQL database, and want to run that script when the user clicks some random button, AJAX can do that (async)m and you wont have to reload you page to execute the PHP script.
If Javascript is diabled, AJAX won't work.