Re: [PHP] Tutorial on Re-filling form data?
https://www.phpro.org/tutorials/Validating-User-Input.html

On Fri, Jun 23, 2017 at 2:03 PM, Jeffry Killen <jekillen@xxxxxxxxxxx> wrote:

>
> > On Jun 22, 2017, at 6:58 PM, AshleySheridan <ash@xxxxxxxxxxxxxxxxxxxx>
> wrote:
> >
> > On Thu, 2017-06-22 at 19:07 -0400, Aziz Saleh wrote:
> >> On Thu, Jun 22, 2017 at 2:15 PM, leam hall <leamhall@xxxxxxxxx>
> >> wrote:
> >>
> >>>
> >>> Using PHP 5 and not OOP savvy.
> >>>
> >>> I have a form that gives the user options. On submit it calls itself
> >>> and if the $_POST variable is set produces the result of the form
> >>> choices. However, it currently resets all the form options to default
> >>> values.
> >>>
> >>> Is there a tutorial somewhere on how to keep the existing form choices
> >>> in place, unless the user changes the selection and resubmits?
> >>>
> >>> Thanks!
> >>>
> >>> Leam
> >>>
> >>> --
> >>> PHP General Mailing List (http://www.php.net/)
> >>> To unsubscribe, visit: http://www.php.net/unsub.php
> >>>
> >>>
> >> You just want the ability to have the inputs pre-selected based on user
> >> input? Shouldn't be hard by doing the same thing you did for the actual
> >> form submit for each input.
> >>
> >> Ex:
> >> <input type="text" id="username" name="username" value="<?php echo
> >> (isset($_POST['username']) ? $_POST['username'] : ''); ?>" />
> >>
> >> You would do the same with radio/check/select, but in a different
> >> manner of course.
> >>
> >> Ps: Your email went to spam, thus the late reply.
> >
> > And now you've just introduced an XSS vulnerability into your
> > application. Never, ever, ever trust user input; that includes all form
> > data, cookies, uploads, and even the URL they request. All it takes is
> > one user out of a million to be a dick, and you've got a day of
> > headache and problems to fix, if you're lucky. If you want to use user
> > input in your output, then escape it before outputting it.
> >
> > This goes for all your form fields, select lists are not immune from
> > tampered values.
> >
>
> I would use various input screening techniques before printing the user
> input back to the page, or setting any form element to the value submitted
> by the user. The common way is to use regular expressions to screen for
> hazardous characters in the input.
>
> Hazardous characters are any characters that are not what would be expected
> from legitimate input. But there are also character sequences that could be
> hazardous.
>
> You can go a long way by inspecting the source of the form input. If it is
> not the URL of the form itself, it is probably a bogus submission.
>
> Have your code look at $_SERVER['HTTP_REFERER']. It should be the valid URL
> of the form itself. Reject any that aren't, AND reject any case where there
> is no $_SERVER['HTTP_REFERER'] value available for the submission.
>
> JK
>
>
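The re-fill technique the thread discusses, carried through for text, select, radio and checkbox controls, with the output escaping Ashley insists on and an allowlist for every field that is not free text. This is an added example written for this page, not code from any of the posters; the field names, the allowed values and the form URL it compares the Referer against are invented for illustration. It uses only PHP 5.4-era syntax, matching the original poster's environment.

```php
<?php
// Added example for this page (not code from any poster in the thread): a
// self-submitting form that keeps the user's choices after submit, escapes
// every value it echoes back, and validates the option fields against an
// allowlist instead of trusting whatever arrived in $_POST.
// Field names, allowed values and the form URL below are invented.

// Allowed values for the non-free-text controls. A tampered <select> or radio
// value is just as hostile as a text field, so anything else is dropped.
$COLOURS  = array('red', 'green', 'blue');
$SIZES    = array('s', 'm', 'l');
$TOPPINGS = array('cheese', 'onion', 'olive');

// Escape for an HTML attribute value or text node. ENT_QUOTES covers both
// quote characters; the explicit charset keeps the escaper and the page in
// agreement about what a byte sequence means.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Free-text field: keep what was posted, but only ever output it escaped.
function postedText($name, $maxLen = 100)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';                    // missing, or name[]=... gave an array
    }
    return substr($_POST[$name], 0, $maxLen);
}

// Single-choice field (select or radio): only an allowlisted value survives.
function postedChoice($name, array $allowed, $default)
{
    if (isset($_POST[$name]) && is_string($_POST[$name])
        && in_array($_POST[$name], $allowed, true)) {
        return $_POST[$name];
    }
    return $default;
}

// Multi-choice field (checkboxes named name[]): keep only allowlisted strings.
function postedChoices($name, array $allowed)
{
    if (!isset($_POST[$name]) || !is_array($_POST[$name])) {
        return array();
    }
    $kept = array();
    foreach ($_POST[$name] as $v) {
        if (is_string($v) && in_array($v, $allowed, true)) {
            $kept[] = $v;
        }
    }
    return $kept;
}

// Referer check as suggested later in the thread. The header is supplied by
// the client and is frequently absent (browser privacy settings,
// Referrer-Policy, some proxies), so treat a match as a weak hint, not proof.
function refererIsOwnForm($expectedUrl)
{
    if (!isset($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    return strtok($_SERVER['HTTP_REFERER'], '?') === $expectedUrl;
}

$submitted   = isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST';
$username    = postedText('username');
$colour      = postedChoice('colour', $COLOURS, 'red');
$size        = postedChoice('size', $SIZES, 'm');
$toppings    = postedChoices('toppings', $TOPPINGS);
$fromOwnForm = refererIsOwnForm('https://www.example.com/order.php');  // invented URL
?>
<!DOCTYPE html>
<form method="post" action="">
  <input type="text" name="username" value="<?php echo h($username); ?>">

  <select name="colour">
  <?php foreach ($COLOURS as $c): ?>
    <option value="<?php echo h($c); ?>"<?php if ($c === $colour) echo ' selected'; ?>><?php echo h($c); ?></option>
  <?php endforeach; ?>
  </select>

  <?php foreach ($SIZES as $s): ?>
    <label><input type="radio" name="size" value="<?php echo h($s); ?>"<?php if ($s === $size) echo ' checked'; ?>> <?php echo h($s); ?></label>
  <?php endforeach; ?>

  <?php foreach ($TOPPINGS as $t): ?>
    <label><input type="checkbox" name="toppings[]" value="<?php echo h($t); ?>"<?php if (in_array($t, $toppings, true)) echo ' checked'; ?>> <?php echo h($t); ?></label>
  <?php endforeach; ?>

  <button type="submit">Submit</button>
</form>
<?php if ($submitted): ?>
  <p>You chose: <?php echo h($username); ?>, <?php echo h($colour); ?>, <?php echo h($size); ?>, <?php echo h(implode(', ', $toppings)); ?>
  <?php if (!$fromOwnForm) echo '(Referer did not match the form URL)'; ?></p>
<?php endif; ?>
```

Two design points. First, the free-text field is never "screened" for hazardous characters before being echoed; it is stored as posted and escaped at the point of output, which is what neutralises the `"><script>` style payload regardless of which characters a regex happened to anticipate. Second, the Referer comparison is kept only as a hint and the page still renders the form when it fails: because the header is client-controlled and often missing, rejecting on it locks out legitimate users while stopping nobody who can set their own headers. The usual stronger check for "did this submission come from my form" is a random per-session token placed in a hidden field and compared on submit.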