spookie Posted December 2, 2012
Hi there, I notice that there are a few ways Larry used to check if the form is submitted.
1. Use a hidden field
2. REQUEST_METHOD == 'POST' // used most frequently
3. $_POST['submitted']
Is this a matter of personal preference, or is one method better than the others? Another question, also about the filter_var() function: the parameter which is an array('min_range'=>1). I can't seem to understand it. And it said somewhere in the book that a malicious user can attempt to hack an HTML form to send a different value than expected from an <option>. How is it done? Not that I want to hack, but I'm just curious how it is done, since the form is on the server and the end user is only able to view source. Thank you so much.
HartleySan Posted December 2, 2012
This discussion may shed some light on your question: http://www.vbforums.com/showthread.php?562749-PHP-Checking-if-a-form-has-been-submitted-the-correct-way... To add to the discussion though, I think the potential issue with IE that they bring up only affects pre-IE6 versions, which I personally don't think you need to concern yourself with anymore.
spookie Posted December 2, 2012 (Author)
Thanks Hartley! So according to that thread, using a hidden field is the most effective, including the fix for the IE browser. But I'm somewhat skeptical about this over request_method, though. Any explanation for my other questions, though?
Edward Posted December 2, 2012
This discussion may shed some light on your question: http://www.vbforums....-correct-way... To add to the discussion though, I think the potential issue with IE that they bring up only affects pre-IE6 versions, which I personally don't think you need to concern yourself with anymore.
Have you tried this technique? Does it work? It would be very useful if it does!
HartleySan Posted December 2, 2012
Edward, I'm not sure what you mean by "this technique", but the technique outlined in the discussion I linked to works. With that said, I design sites for IE6+, and I can assure you (in fact, I just tested it again in my virtual environment with XP and IE6 to make sure) that using $_POST['submitted'] and simply hitting Enter from any field will work fine. I can't comment on pre-IE6 versions, but IE6-9 are fine.
To answer your other two questions, spookie (sorry, I just skipped them for whatever reason):
1) The filter_var function takes an optional third argument, which allows you to further sanitize/filter strings fed to the function. The third argument must be an associative array (i.e., an array with string (not number) keys), and the syntax is fairly fixed. For example, if you want to provide a minimum required value, you have to use the associative array key 'min_value'. To assign a value to an array key in PHP, you use the => operator (not sure what to call it). The value to the right of the => operator is the value assigned to the 'min_value' associative array key (or whatever key you specify). For more info, please see the following: http://php.net/manual/en/function.filter-var.php
2) A "malicious user" could easily hack your site by making a form on their own site/server that submits to the same PHP script as your form. And because HTML is readily viewable, they could easily get all the names and values of fields that are sent via the form. Furthermore, a user doesn't even need to set up a form. They could use cURL or the like to submit values to your posted-form script from anywhere. The point is, it's easy to hack, so you gotta anticipate anything and everything.
Hope that all helps.
Edward Posted December 2, 2012
Technique meaning the method used by adding the extra hidden value into the form, that's all. Thanks.
HartleySan Posted December 2, 2012
Yes, that will of course work, but it's also total overkill unless you insist on supporting IE browsers that have a market share so low you probably can't even measure them.
Larry Posted December 3, 2012
To be clear, the use of a hidden input and testing for $_POST['submitted'] went together (because I would use "submitted" as the name of the hidden form input). However, I tend to use a test for the REQUEST_METHOD almost universally now. It's easier to watch for and doesn't require doing anything to the form. Plus the logic is a bit easier to understand, I think. The only downside is it's not usable when a form uses the GET method.
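The following is an added example written for this thread, not code from the book or from any poster. It puts side by side the two submission checks Larry compares (REQUEST_METHOD versus a hidden "submitted" input, including the GET-form case) and the filter_var() range option spookie asked about, together with a server-side whitelist for a value that came from a <select>, since HartleySan's point is that the browser's <option> list cannot be trusted. Field names, ranges and sample requests are made up.

```php
<?php
// Added example (not from the thread or the book). Field names and ranges are invented.

// Check 1: Larry's preferred test. True for any POST request, whatever page sent it,
// so it only tells you a POST arrived, not that it came from your own form.
function submitted_by_method(array $server): bool {
    return ($server['REQUEST_METHOD'] ?? '') === 'POST';
}

// Check 2: the hidden-input test (<input type="hidden" name="submitted" value="TRUE">).
// Unlike check 1 it also works for a form that uses method="get", because it inspects
// the submitted data rather than the HTTP method.
function submitted_by_hidden_field(array $data): bool {
    return isset($data['submitted']);
}

// Validate a quantity chosen from <select name="quantity"> offering <option>s 1..10.
// FILTER_VALIDATE_INT returns false unless the value is an integer within the bounds;
// PHP reads 'min_range' / 'max_range' from the 'options' sub-array of the third argument.
function valid_quantity(array $data): ?int {
    $qty = filter_var($data['quantity'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    return $qty === false ? null : $qty;
}

// Validate a colour chosen from <select name="color">. The browser's option list is not
// a control the server can rely on: any client can send any string for this field, so
// the server keeps its own whitelist and compares strictly.
function valid_color(array $data): ?string {
    $allowed = ['red', 'green', 'blue'];
    $color = $data['color'] ?? '';
    return in_array($color, $allowed, true) ? $color : null;
}

// Constructed sample requests; in a real script these are $_SERVER and $_POST / $_GET.
$cases = [
    [['REQUEST_METHOD' => 'POST'], ['submitted' => 'TRUE', 'quantity' => '3', 'color' => 'green']],
    [['REQUEST_METHOD' => 'POST'], ['quantity' => '0', 'color' => 'red']],        // below min_range
    [['REQUEST_METHOD' => 'POST'], ['quantity' => '3abc', 'color' => 'purple']],  // values no <option> offers
    [['REQUEST_METHOD' => 'GET'],  ['submitted' => 'TRUE', 'quantity' => '10', 'color' => 'blue']],
];
foreach ($cases as [$server, $data]) {
    printf("method=%s hidden=%s quantity=%s color=%s\n",
        submitted_by_method($server) ? 'yes' : 'no',
        submitted_by_hidden_field($data) ? 'yes' : 'no',
        var_export(valid_quantity($data), true),
        var_export(valid_color($data), true));
}
```

The fourth case shows the trade-off Larry mentions: for a GET form only the hidden-field check fires, while the value checks work the same way regardless of how the request arrived.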