Web lists-archives.com

Re: [PHP] Tutorial on Re-filling form data?





On 23 June 2017 05:03:09 BST, Jeffry Killen <jekillen@xxxxxxxxxxx> wrote:
>
>> On Jun 22, 2017, at 6:58 PM, AshleySheridan
><ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>> 
>> On Thu, 2017-06-22 at 19:07 -0400, Aziz Saleh wrote:
>>> On Thu, Jun 22, 2017 at 2:15 PM, leam hall <leamhall@xxxxxxxxx>
>>> wrote:
>>> 
>>>> 
>>>> Using PHP 5 and not OOP savvy.
>>>> 
>>>> I have a form that gives the user options. On submit it calls
>>>> itself
>>>> and if the $_POST variable is set produces the result of the form
>>>> choices. However, it currently resets all the form options to
>>>> default
>>>> values.
>>>> 
>>>> Is there a tutorial somewhere on how to keep the existing form
>>>> choices
>>>> in place, unless the user changes the selection and resubmits?
>>>> 
>>>> Thanks!
>>>> 
>>>> Leam
>>>> 
>>>> --
>>>> PHP General Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>> 
>>>> 
>>> You just want the ability to have the inputs pre-selected based on
>>> user
>>> input? Shouldn't be hard by doing the same thing you did for the
>>> actual
>>> form submit for each input.
>>> 
>>> Ex:
>>> <input type="text" id="username" name="username" value="<?php echo
>>> (isset($_POST['username']) ? $_POST['username'] : '';?>" />
>>> 
>>> You would do the same with radio/check/select, but in a different
>>> manner of
>>> course.
>>> 
>>> Ps: Your email went to spam, thus the late reply.
>> 
>> And now you've just introduced an XSS vulnerability into your
>> application. Never, ever, ever trust user input; that includes all
>form
>> data, cookies, uploads, and even the URL they request. All it takes
>is
>> one user out of a million to be a dick, and you've got a day of
>> headache and problems to fix, if you're lucky. If you want to use
>user
>> input in your output, then escape it before outputting it.
>> 
>> This goes for all your form fields, select lists are not immune from
>> tampered values.
>> 
>
>I would use various input screening techniques before printing the user
>input  back to the
>page, or setting any form element to the value submitted by user.
>The common way is to use regular expressions to screen for hazardous
>characters in the input.
>
>Hazardous characters are any character that is not what would be
>expected from legitimate
>input. But there are also character sequences that could be hazardous.
>
>You can go a long way by inspecting the source of the form input. If it
>is not the url of the
>form itself, it is probably a bogus submission
>
>Have your code look at $_SERVER['HTTP_REFERER']. It should be the valid
>url of the
>form itself. Reject any that aren't, AND  reject any case where there
>is no $_SERVER['HTTP_REFERER']
>value for the submission available.
>
>JK
>
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

The referrer can be spoofed, it comes from the browser, so it absolutely cannot be trusted.

Also, as Jamie Zawinski once said:

'Some people, when confronted with a problem, think
"I know, I'll use regular expressions." Now they have two problems'

In this case regular expressions are not what you need for outputting user data to the response page, something like

filter_var($content, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

will work as you need. 

Thanks,
Ash

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php