Posted by Gordon Burditt on 06/24/06 19:31
>I'm trying to implement a simple server-side form validation (No
>Javascript). If the user submits a form with errors, I want to
>redisplay the same form with the errors highlighted. Once the form is
>correct I need to submit to another page that uses the form data.

That would seem to make the validation trivial to bypass, unless,
of course, you validate it AGAIN in the page that uses the form data.
What is the purpose of this validation again?

>I first tried making the form submit action= field point to the same
>file. When the form was correct, I tried loading the next page by using
><META http-equiv refresh>. But that doesn't post the data, so the next
>page didn't have access to it.

You can't redirect a POST. And if the data goes through the user's
browser, you can't trust it without validating it again.

>Then I tried changing the action= field of the form to a PHP echo. I
>would echo a variable that was set to either "ThisSamePage.PHP" or
>"TheNextPage.PHP", depending on whether the validation was correct. The
>problem is that the user has to press Submit an extra time once the
>form is correct, since the form was still displayed with the action
>equal to "TheNextPage.PHP".
>
>I have looked for some way to submit the form directly from PHP code,
>but I don't know enough about PHP yet.

PHP can't control the user's browser like that, which is a good
thing. This issue is one reason why Javascript is often Turned Off(tm).

>I think I need some way to cause a Post action from PHP code, so I can
>get to the next page without redisplaying the form and having the user
>click submit again.

It's possible to hit a page directly from the server with CURL, but
I'd advise against this. Do the validation and processing in ONE
hit.

>Or is there a better way to structure this type of validation that
>avoids this issue?

Validate the input, then process it in the SAME hit. Perhaps use
include(), but make sure the include()d file cannot be hit directly.

Gordon L. Burditt
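The structure Gordon describes, as an added example that is not part of the thread: one PHP page that shows the form, validates the POST on the server, redisplays it with the bad fields marked, and, only when everything checks out, processes the data in that same request by pulling in a second file. The field names (name, email, age), the file name process_inc.php and the FORM_VALIDATED guard constant are assumptions for illustration. The guard is what keeps the include()d file from doing anything when someone requests it directly.

```php
<?php
// ---- file: form.php ----
// Display, validate and process the form in ONE request (added example,
// not from the original post). Field names and process_inc.php are assumed.
declare(strict_types=1);

/** Validate raw POST fields; returns [cleanValues, errorsByField]. */
function validate_form(array $post): array
{
    $clean  = [];
    $errors = [];

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Name is required (max 100 characters).';
    } else {
        $clean['name'] = $name;
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 150]]);
    if ($age === false || $age === null) {
        $errors['age'] = 'Age must be a whole number between 1 and 150.';
    } else {
        $clean['age'] = $age;
    }

    return [$clean, $errors];
}

/** Escape a value before echoing it back into the page. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
$values = ['name' => '', 'email' => '', 'age' => ''];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$clean, $errors] = validate_form($_POST);
    // Keep what the user typed so the form can be redisplayed as submitted.
    foreach (array_keys($values) as $field) {
        $values[$field] = (string)($_POST[$field] ?? '');
    }
    if ($errors === []) {
        // Validation passed: process in this same hit. The constant is the
        // guard that process_inc.php checks so it cannot be hit on its own.
        define('FORM_VALIDATED', true);
        $form = $clean;   // the included file sees only the cleaned copy
        require __DIR__ . '/process_inc.php';
        exit;
    }
}
?>
<!DOCTYPE html>
<html><body>
<form method="post" action="">
<?php foreach (array_keys($values) as $field): ?>
  <p<?= isset($errors[$field]) ? ' class="error"' : '' ?>>
    <label><?= h(ucfirst($field)) ?>:
      <input type="text" name="<?= h($field) ?>" value="<?= h($values[$field]) ?>">
    </label>
    <?php if (isset($errors[$field])): ?><em><?= h($errors[$field]) ?></em><?php endif; ?>
  </p>
<?php endforeach; ?>
  <button type="submit">Submit</button>
</form>
</body></html>

<?php
// ---- file: process_inc.php ----
// Only meaningful when required by form.php after validation succeeded.
if (!defined('FORM_VALIDATED')) {
    http_response_code(403);
    exit('Direct access not allowed.');
}
// $form holds the validated values set by form.php (assumed contract).
// Application logic (store, mail, etc.) would go here.
echo 'Thanks, ' . htmlspecialchars($form['name'], ENT_QUOTES, 'UTF-8') . '!';
```

The define() guard is the in-band check the post asks for; the sturdier arrangement is to also keep process_inc.php outside the web server's document root so it is not reachable by URL at all, and to treat the validated array, not $_POST, as the only input the processing step reads.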