Jump to content

Display Non-Editable Data

doubledee

By doubledee
in PHP Coding Help

 Share

Recommended Posts

doubledee Advanced Member

doubledee

Posted
Posted

How do you display non-editable data that is part of a larger form?

 

For instance, I have an "Add a Comment" for with...

 

===========================

* Article Title (non-editable)

* Name (non-editable)

* Comment (editable)

 

Submit button

===========================

 

Do I just make a Form with one Input field for the editable field?!

 

And then make the first two "fields" stylized <p> tags??  :confused:

 

 

Debbie

 

 

Link to comment
https://forums.phpfreaks.com/topic/246240-display-non-editable-data/
Share on other sites
MasterACE14 Advanced Member

MasterACE14

Posted
Posted

you can add 'hidden' input.

<form action='somepage.php' method='post'>
<input type='hidden' name='articletitle' value='yourvalue' />
<input type='hidden' name='name' value='yourvalue' />
<input type='text' name='comment' value='make a comment' />
<input type='submit' />
</form>

 

If you want them to be passed along with the form, why not use a hidden input?

 

<input type="hidden" name="article" value="12345">

beat me to it. :P

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

If you want them to be passed along with the form, why not use a hidden input?

 

<input type="hidden" name="article" value="12345">

 

Just for reference, how "hidden" is "hidden"?

 

I thought it can be seen if you do "Page View" in the HTML?

 

 

Debbie

 

cssfreakie Regular Member

cssfreakie

Posted
Posted

Just for reference, how "hidden" is "hidden"?

 

I thought it can be seen if you do "Page View" in the HTML?

 

Not sure what you are exactly trying to do here, but "hidden" is indeed view-able in the source. (and can be altered so can not be trusted as is)

If you want to display a title but you don't want anyone to alter it. Just display it the way you want.

Btw instead of using hidden you might want to use the following:

 

<form action="" method="post">
                <input type="text" name="monkeys" value="gorilla" disabled="disabled"/>
                <input type="text" name="color" value="brown" />
            </form>

 

so give this a try (disabled="disabled")

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Just for reference, how "hidden" is "hidden"?

 

I thought it can be seen if you do "Page View" in the HTML?

 

Not sure what you are exactly trying to do here, but "hidden" is indeed view-able in the source. (and can be altered so can not be trusted as is)

 

Just asking because a lot of people think "hidden" means "secret" and I didn't think that was true.

 

 

If you want to display a title but you don't want anyone to alter it. Just display it the way you want.

Btw instead of using hidden you might want to use the following:

 

<form action="" method="post">
                <input type="text" name="monkeys" value="gorilla" disabled="disabled"/>
                <input type="text" name="color" value="brown" />
            </form>

 

so give this a try (disabled="disabled")

 

Well, what do you think is the best way?

 

The "Title" and "Name" are more there for the user so they know what they are commenting on and realize that the comment they type will be attributed to them.

 

Right now I am just doing this...

 

<!-- Article Title -->
<li>
<p class="fauxLabel">Article Title:</p>
<p class="fauxInput"><?php echo '"' . (isset($pageTitle) ? $pageTitle : "") . '"'; ?></p>
</li>

 

Not sure I need the isset...

 

 

Debbie

 

 

cssfreakie Regular Member

cssfreakie

Posted
Posted
Well, what do you think is the best way?

 

well that's like asking what is better coffee or thee? It depends on what you want and how you want it to look. There is no best way as far I can see. Just do something that makes sense to you and your end-users.

 

Try that disabled attribute out and see if you like it.

 

As far as using (isset) check the manual, for the explanation given. In a nutshell you check if a variable is set. You do that because if you don't check that and you echo out a variable that is not set you get an error.

 

$setvariable = 'blablabla';

echo $notsetvariable;  // will produce an error
echo $setvariable;

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Well, what do you think is the best way?

 

well that's like asking what is better coffee or thee? It depends on what you want and how you want it to look. There is no best way as far I can see. Just do something that makes sense to you and your end-users.

 

Try that disabled attribute out and see if you like it.

 

It would make styling easier.

 

(I assume it is fairly hard to hack?)

 

 

As far as using (isset) check the manual, for the explanation given. In a nutshell you check if a variable is set. You do that because if you don't check that and you echo out an variable that is not set you get an error.

 

$setvariable = 'blablabla';

echo $notsetvariable;  // will produce an error
echo $setvariable;

 

Good point!

 

 

Debbie

 

cssfreakie Regular Member

cssfreakie

Posted
Posted
(I assume it is fairly hard to hack?)

i have no idea what you mean with that. You mean hacking as in sneaky people that alter it and screw up the result? No that is as easy as changing hidden fields or getting a beer out of the fridge.

 

if you mean to hack your code to add this attribute, that is easy too, just change your code a little.

 

Keep in mind, you know what you expect,.. (right?) all you want the end-user to do is add a comment I guess and not change the title. So when you query the database don't use the value of the hidden/disabled fields. easy not??

 

It all boils down to logic. What do you expect from your user? SO what fields do you allow or accept the values from? Style your form the way you want. There is no best (or better) way apart from some design and accessibility standards. Just have some guts and go for it. and ask your end-user for feed back or allow them to easily provide it to you. Listen to the customer...

KevinM1 Advanced Member

KevinM1

Posted
Posted

I don't see why the title and user names should be placed in visible inputs at all.  If a user sees a textbox, they're going to think the value inside is editable.  Having them not be editable will only lead to frustration for the end user.

 

Your best bet is to use form inputs only for what you want the user to submit their own data with.  Data that wires up your db tables - like article id and user id (please tell me you're not trying to submit a comment based on their name) - is better sent along in hidden inputs.

 

Finally, setting a form input to 'disabled' has no security benefit whatsoever.  Your HTML source will always be visible to the curious, and you can safely assume that anyone trying to harm your system is capable of making their own form with the names of your inputs, with its action attribute set as your form handler script.

xyph Advanced Member

xyph

Posted
Posted

If there are articles that you don't want some users to make comments on, you'll have to do that check separately.

 

There's no way to lock down variables you are going to expect from a user. They always have to be verified, and assume there's going to be malicious data.

 

Even if you stored this value in a session for some odd reason it could be manipulated by viewing a different article in a different tab.

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

(I assume it is fairly hard to hack?)

i have no idea what you mean with that. You mean hacking as in sneaky people that alter it and screw up the result? No that is as easy as changing hidden fields or getting a beer out of the fridge.

 

if you mean to hack your code to add this attribute, that is easy too, just change your code a little.

 

Scary...

 

 

Keep in mind, you know what you expect,.. (right?) all you want the end-user to do is add a comment I guess and not change the title. So when you query the database don't use the value of the hidden/disabled fields. easy not??

 

True.

 

 

It all boils down to logic. What do you expect from your user? SO what fields do you allow or accept the values from? Style your form the way you want. There is no best (or better) way apart from some design and accessibility standards.

 

Okay.

 

 

Just have some guts and go for it.

 

Easy for you to say?!  :P

 

 

and ask your end-user for feed back or allow them to easily provide it to you. Listen to the customer...

 

True, except users won't like say, "Hey, I found this gaping security hole, and by the way, you should have used a more secure architecture..."  ;D

 

 

Debbie

 

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

I don't see why the title and user names should be placed in visible inputs at all.  If a user sees a textbox, they're going to think the value inside is editable.  Having them not be editable will only lead to frustration for the end user.

 

Well, right now I'm just using styled <p> that look like form Inputs.

 

I guess I could remove the border so it is more clear that these first two fields are for informational purposes only.

 

 

Your best bet is to use form inputs only for what you want the user to submit their own data with.  Data that wires up your db tables - like article id and user id (please tell me you're not trying to submit a comment based on their name) - is better sent along in hidden inputs.

 

You mean Name isn't enough?!  :confused:  ;D

 

No, this relates to other threads I started...

 

Right now I am storing the "articleID" in a SESSION after they click on an article to read.  And then when they click "Log In" so they can comment on said article, I store "memberID" in SESSION.  Then I capture the "comment" in this form, and then I have the Key Values and Comment to do an INSERT.

 

Could I use hidden fields to do this also?  Yes.  But I think I'm just going to use the key values stored in my SESSION unless someone finishes some conversations I started earlier that never really were brought to closure.

 

(I am also re-writing this entire process flow tonight and hoping to code things a little better.  Stay tuned!!)

 

 

Finally, setting a form input to 'disabled' has no security benefit whatsoever.  Your HTML source will always be visible to the curious, and you can safely assume that anyone trying to harm your system is capable of making their own form with the names of your inputs, with its action attribute set as your form handler script.

 

And that means?  How can I counter that?

 

 

Debbie

 

 

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

If there are articles that you don't want some users to make comments on, you'll have to do that check separately.

 

Each article is displayed on it's own page and at the bottom I have...

 

======================

What Do You Think?

To add a comment you must...

 

*Log In* or *Create an Account*

--------------------------------------------------------------

John Doe

9/1/2011

That article was awesome!

 

----------------------------------------

Dan Web

8/31/2011

You brought up some good points.

======================

 

 

 

There's no way to lock down variables you are going to expect from a user. They always have to be verified, and assume there's going to be malicious data.

 

But how do you sanitize and validate a comments field?!  (Not exactly like "Age"?!)

 

 

Even if you stored this value in a session for some odd reason it could be manipulated by viewing a different article in a different tab.

 

And so that means what?  What do I need to do to be more secure?

 

(It should be noted that I have to approve all comments before they are listed.)

 

 

 

Debbie

 

 

 

xyph Advanced Member

xyph

Posted
Posted

Assuming there's no way to inject SQL commands, and you're preventing HTML from being displayed, you should be fine from a security standpoint.

 

If people want to mess with variables that tell you where the comments are going, who cares?

 

It's even MORE secure if you're approving before displaying

doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Assuming there's no way to inject SQL commands, and you're preventing HTML from being displayed, you should be fine from a security standpoint.

 

If people want to mess with variables that tell you where the comments are going, who cares?

 

It's even MORE secure if you're approving before displaying

 

Okay, so it sounds like what I am doing is okay.

 

Thanks,

 

 

Debbie

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.