Comments on: PHP Form Helper – Submit Listener http://davidwalsh.name/php-form-helper-submit-listener Legendary scribbles about JavaScript, HTML5, AJAX, PHP, CSS, and ∞. Thu, 09 Feb 2012 15:40:33 +0000 hourly 1 http://wordpress.org/?v=3.3 By: cxcxcx32323232http://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-23898 cxcxcx32323232 Fri, 06 May 2011 09:46:57 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-23898 dsf dsfdsfsdf fdsfsdf dsf dsfdsfsdf fdsfsdf

]]> By: René Monroyhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-2223 René Monroy Tue, 08 Jul 2008 20:00:14 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-2223 As expected, it wasn't the script, htaccess 'rewriterule' was causing some conflicts and it's ok now.By the way, thanks for the additional info,Regards As expected, it wasn’t the script, htaccess ‘rewriterule’ was causing some conflicts and it’s ok now.

By the way, thanks for the additional info,

Regards

]]> By: davidhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-2212 david Tue, 08 Jul 2008 11:53:25 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-2212 <p>@René: I've not noticed that. I do know that if a value is empty that MooTools may strip the entire variable out of the POST. Are you sure the form field is being populated?</p> @René: I’ve not noticed that. I do know that if a value is empty that MooTools may strip the entire variable out of the POST. Are you sure the form field is being populated?

]]> By: René Monroyhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-2208 René Monroy Tue, 08 Jul 2008 09:10:33 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-2208 Talking about forms, I'm using mootools to request a php page which I want to have the isset function but... did you notice that elements can´t be handled by isset through ajax by post method? Nevertheless, It seems to be good with get method, well almost, first input disappears to me :SMaybe it's something in my JavaScript function, but without the isset there's no failures, what do you think David, am I wrong or something? Talking about forms, I’m using mootools to request a php page which I want to have the isset function but… did you notice that elements can´t be handled by isset through ajax by post method? Nevertheless, It seems to be good with get method, well almost, first input disappears to me :S

Maybe it’s something in my JavaScript function, but without the isset there’s no failures, what do you think David, am I wrong or something?

]]> By: Tom Dingshttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-274 Tom Dings Fri, 11 Apr 2008 18:22:46 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-274 Great function .. Works like a charm. I did some little modification but it is not worth showing here .. But thanks anyway for your great help. Great function .. Works like a charm. I did some little modification but it is not worth showing here .. But thanks anyway for your great help.

]]> By: Aaron Sarayhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-273 Aaron Saray Fri, 04 Jan 2008 16:31:35 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-273 Ahh! It chopped off the rest of my example.... :( (I showed an xss example... maybe thats why)Basically in summary - I was just saying that make sure you do clean your input before you redisplay... otherwise you could get xss - but I'm assuming you're already doing this. In my method, I store the whiteListed data in a session - and programatically(if thats a word) fill up a $values array on my form page again.Anyways - thanks David for responding - feel free to stop by my blog and leave long winded responses like I've done to you! sorry! :) -aaron Ahh! It chopped off the rest of my example…. :( (I showed an xss example… maybe thats why)

Basically in summary – I was just saying that make sure you do clean your input before you redisplay… otherwise you could get xss – but I’m assuming you’re already doing this. In my method, I store the whiteListed data in a session – and programatically(if thats a word) fill up a $values array on my form page again.

Anyways – thanks David for responding – feel free to stop by my blog and leave long winded responses like I’ve done to you! sorry! :)
-aaron

]]> By: Aaron Sarayhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-272 Aaron Saray Fri, 04 Jan 2008 16:27:40 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-272 Do you clean all of the posted information first before repopulating the page? It could be possible for them to insert a custom type of error into one of the forms, which might error out, and then put content into your page.... think:What if they put: " /> Do you clean all of the posted information first before repopulating the page? It could be possible for them to insert a custom type of error into one of the forms, which might error out, and then put content into your page…. think:

What if they put:
” />

]]> By: davidhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-271 david Thu, 03 Jan 2008 21:48:16 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-271 Thanks for sharing Aaron.I do all the post processing and form/display on one page. It's much easier to put existing form values into place when there is an error (instead of making them type their valid values back in). Thanks for sharing Aaron.

I do all the post processing and form/display on one page. It’s much easier to put existing form values into place when there is an error (instead of making them type their valid values back in).

]]> By: Aaron Sarayhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-270 Aaron Saray Thu, 03 Jan 2008 21:05:45 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-270 I'm a little confused as to the real reason to develop in this method. It seems that you're either: 1) developing all your display and processing in one page or 2) not handling someone surfing directly to your posting script transparently in an already proven wayThis is the method that I use: post.php -- has the form, the tokens embedded -- posts to post.process.phppost.process.php -- checks for embedded token - if not, redirects back to post.php -- has an array of expected - whitelisted data. Checks post variables for all of them in a loop, scrubbing them, and putting them into a clean array -- check clean array for required things. If good, continue, if bad, store error and redirect back to post.php -- after process, redirect to post.success.php (if necessary, post.success could check some sort of session information ot make sure you came from post.process.php... .not always necessary)What user sees: post.php to post.success.php (redirect is usually transparent to user, not to browser, however) on success. post.php to post.php on error.what happens if: user surfs to post.process.php? - redirect to post.php because first check is for the CSRF token - very little overhead and a good method to remember to stay secure user surfs to post.success.php? - might show success message (that is if you haven't set a session variable to redirect them away) but with no real action.I hope this helps...If I'm missing something about your reason for implementation, please let me know. thanks! :) I’m a little confused as to the real reason to develop in this method. It seems that you’re either:
1) developing all your display and processing in one page
or
2) not handling someone surfing directly to your posting script transparently in an already proven way

This is the method that I use:
post.php
– has the form, the tokens embedded
– posts to post.process.php

post.process.php
– checks for embedded token – if not, redirects back to post.php
– has an array of expected – whitelisted data. Checks post variables for all of them in a loop, scrubbing them, and putting them into a clean array
– check clean array for required things. If good, continue, if bad, store error and redirect back to post.php
– after process, redirect to post.success.php (if necessary, post.success could check some sort of session information ot make sure you came from post.process.php… .not always necessary)

What user sees:
post.php to post.success.php (redirect is usually transparent to user, not to browser, however) on success.
post.php to post.php on error.

what happens if:
user surfs to post.process.php? – redirect to post.php because first check is for the CSRF token – very little overhead and a good method to remember to stay secure
user surfs to post.success.php? – might show success message (that is if you haven’t set a session variable to redirect them away) but with no real action.

I hope this helps…

If I’m missing something about your reason for implementation, please let me know. thanks! :)

]]> By: MiBhttp://davidwalsh.name/php-form-helper-submit-listener/comment-page-1#comment-269 MiB Tue, 18 Dec 2007 16:53:59 +0000 http://davidwalsh.name/php-form-helper-submit-listener/#comment-269 Hi!In my opinion josh`s and JGM`s approach are the best ones: you can change names of your form fields, and by sure that your form processor correctly catches submitted data.JGM: it`s better to use stripos() or to check whether the $_POST global variable contains any data (count($_POST)>0).Regards Hi!

In my opinion josh`s and JGM`s approach are the best ones: you can change names of your form fields, and by sure that your form processor correctly catches submitted data.

JGM: it`s better to use stripos() or to check whether the $_POST global variable contains any data (count($_POST)>0).

Regards

]]>