doubledee Posted September 2, 2011

How do you display non-editable data that is part of a larger form? For instance, I have an "Add a Comment" form with...

===========================
* Article Title (non-editable)
* Name (non-editable)
* Comment (editable)
Submit button
===========================

Do I just make a Form with one Input field for the editable field?! And then make the first two "fields" stylized <p> tags??

Debbie
xyph Posted September 2, 2011

If you want them to be passed along with the form, why not use a hidden input?

    <input type="hidden" name="article" value="12345">
MasterACE14 Posted September 2, 2011

You can add a 'hidden' input.

    <form action='somepage.php' method='post'>
    <input type='hidden' name='articletitle' value='yourvalue' />
    <input type='hidden' name='name' value='yourvalue' />
    <input type='text' name='comment' value='make a comment' />
    <input type='submit' />
    </form>

> If you want them to be passed along with the form, why not use a hidden input?
>
>     <input type="hidden" name="article" value="12345">

Beat me to it.
doubledee (Author) Posted September 2, 2011

> If you want them to be passed along with the form, why not use a hidden input?
>
>     <input type="hidden" name="article" value="12345">

Just for reference, how "hidden" is "hidden"? I thought it can be seen if you do "Page View" in the HTML?

Debbie
cssfreakie Posted September 2, 2011

> Just for reference, how "hidden" is "hidden"? I thought it can be seen if you do "Page View" in the HTML?

Not sure what you are exactly trying to do here, but "hidden" is indeed viewable in the source (and can be altered, so it cannot be trusted as is). If you want to display a title but you don't want anyone to alter it, just display it the way you want.

Btw, instead of using hidden you might want to use the following:

    <form action="" method="post">
    <input type="text" name="monkeys" value="gorilla" disabled="disabled"/>
    <input type="text" name="color" value="brown" />
    </form>

So give this a try (disabled="disabled").
doubledee (Author) Posted September 2, 2011

> > Just for reference, how "hidden" is "hidden"? I thought it can be seen if you do "Page View" in the HTML?
>
> Not sure what you are exactly trying to do here, but "hidden" is indeed viewable in the source (and can be altered, so it cannot be trusted as is).

Just asking because a lot of people think "hidden" means "secret" and I didn't think that was true.

> If you want to display a title but you don't want anyone to alter it, just display it the way you want.
>
> Btw, instead of using hidden you might want to use the following:
>
>     <form action="" method="post">
>     <input type="text" name="monkeys" value="gorilla" disabled="disabled"/>
>     <input type="text" name="color" value="brown" />
>     </form>
>
> So give this a try (disabled="disabled").

Well, what do you think is the best way?

The "Title" and "Name" are more there for the user so they know what they are commenting on and realize that the comment they type will be attributed to them.

Right now I am just doing this...

    <!-- Article Title -->
    <li>
        <p class="fauxLabel">Article Title:</p>
        <p class="fauxInput"><?php echo '"' . (isset($pageTitle) ? $pageTitle : "") . '"'; ?></p>
    </li>

Not sure I need the isset...

Debbie
cssfreakie Posted September 2, 2011

> Well, what do you think is the best way?

Well, that's like asking what is better, coffee or tea? It depends on what you want and how you want it to look. There is no best way as far as I can see. Just do something that makes sense to you and your end-users. Try that disabled attribute out and see if you like it.

As far as using isset(), check the manual for the explanation given. In a nutshell, you check if a variable is set. You do that because if you don't check that and you echo out a variable that is not set, you get an error.

    $setvariable = 'blablabla';
    echo $notsetvariable; // will produce an error
    echo $setvariable;
doubledee (Author) Posted September 2, 2011

> > Well, what do you think is the best way?
>
> Well, that's like asking what is better, coffee or tea? It depends on what you want and how you want it to look. There is no best way as far as I can see. Just do something that makes sense to you and your end-users. Try that disabled attribute out and see if you like it.

It would make styling easier. (I assume it is fairly hard to hack?)

> As far as using isset(), check the manual for the explanation given. In a nutshell, you check if a variable is set. You do that because if you don't check that and you echo out a variable that is not set, you get an error.
>
>     $setvariable = 'blablabla';
>     echo $notsetvariable; // will produce an error
>     echo $setvariable;

Good point!

Debbie
cssfreakie Posted September 2, 2011

> (I assume it is fairly hard to hack?)

I have no idea what you mean with that. You mean hacking as in sneaky people that alter it and screw up the result? No, that is as easy as changing hidden fields or getting a beer out of the fridge. If you mean to hack your code to add this attribute, that is easy too, just change your code a little.

Keep in mind, you know what you expect... (right?) All you want the end-user to do is add a comment, I guess, and not change the title. So when you query the database, don't use the value of the hidden/disabled fields. Easy, not??

It all boils down to logic. What do you expect from your user? So what fields do you allow or accept the values from? Style your form the way you want. There is no best (or better) way apart from some design and accessibility standards. Just have some guts and go for it, and ask your end-user for feedback or allow them to easily provide it to you. Listen to the customer...
KevinM1 Posted September 2, 2011

I don't see why the title and user names should be placed in visible inputs at all. If a user sees a textbox, they're going to think the value inside is editable. Having them not be editable will only lead to frustration for the end user.

Your best bet is to use form inputs only for what you want the user to submit their own data with. Data that wires up your db tables - like article id and user id (please tell me you're not trying to submit a comment based on their name) - is better sent along in hidden inputs.

Finally, setting a form input to 'disabled' has no security benefit whatsoever. Your HTML source will always be visible to the curious, and you can safely assume that anyone trying to harm your system is capable of making their own form with the names of your inputs, with its action attribute set as your form handler script.
xyph Posted September 2, 2011

If there are articles that you don't want some users to make comments on, you'll have to do that check separately.

There's no way to lock down variables you are going to expect from a user. They always have to be verified, and assume there's going to be malicious data. Even if you stored this value in a session for some odd reason it could be manipulated by viewing a different article in a different tab.
doubledee (Author) Posted September 2, 2011

> > (I assume it is fairly hard to hack?)
>
> I have no idea what you mean with that. You mean hacking as in sneaky people that alter it and screw up the result? No, that is as easy as changing hidden fields or getting a beer out of the fridge. If you mean to hack your code to add this attribute, that is easy too, just change your code a little.

Scary...

> Keep in mind, you know what you expect... (right?) All you want the end-user to do is add a comment, I guess, and not change the title. So when you query the database, don't use the value of the hidden/disabled fields. Easy, not??

True.

> It all boils down to logic. What do you expect from your user? So what fields do you allow or accept the values from? Style your form the way you want. There is no best (or better) way apart from some design and accessibility standards.

Okay.

> Just have some guts and go for it.

Easy for you to say?!

> And ask your end-user for feedback or allow them to easily provide it to you. Listen to the customer...

True, except users won't likely say, "Hey, I found this gaping security hole, and by the way, you should have used a more secure architecture..."

Debbie
doubledee (Author) Posted September 2, 2011

> I don't see why the title and user names should be placed in visible inputs at all. If a user sees a textbox, they're going to think the value inside is editable. Having them not be editable will only lead to frustration for the end user.

Well, right now I'm just using styled <p> that look like form Inputs. I guess I could remove the border so it is more clear that these first two fields are for informational purposes only.

> Your best bet is to use form inputs only for what you want the user to submit their own data with. Data that wires up your db tables - like article id and user id (please tell me you're not trying to submit a comment based on their name) - is better sent along in hidden inputs.

You mean Name isn't enough?!

No, this relates to other threads I started...

Right now I am storing the "articleID" in a SESSION after they click on an article to read. And then when they click "Log In" so they can comment on said article, I store "memberID" in SESSION. Then I capture the "comment" in this form, and then I have the Key Values and Comment to do an INSERT.

Could I use hidden fields to do this also? Yes. But I think I'm just going to use the key values stored in my SESSION unless someone finishes some conversations I started earlier that never really were brought to closure.

(I am also re-writing this entire process flow tonight and hoping to code things a little better. Stay tuned!!)

> Finally, setting a form input to 'disabled' has no security benefit whatsoever. Your HTML source will always be visible to the curious, and you can safely assume that anyone trying to harm your system is capable of making their own form with the names of your inputs, with its action attribute set as your form handler script.

And that means? How can I counter that?

Debbie
doubledee (Author) Posted September 2, 2011

> If there are articles that you don't want some users to make comments on, you'll have to do that check separately.

Each article is displayed on its own page and at the bottom I have...

======================
What Do You Think?

To add a comment you must... *Log In* or *Create an Account*
--------------------------------------------------------------
John Doe 9/1/2011
That article was awesome!
----------------------------------------
Dan Web 8/31/2011
You brought up some good points.
======================

> There's no way to lock down variables you are going to expect from a user. They always have to be verified, and assume there's going to be malicious data.

But how do you sanitize and validate a comments field?! (Not exactly like "Age"?!)

> Even if you stored this value in a session for some odd reason it could be manipulated by viewing a different article in a different tab.

And so that means what? What do I need to do to be more secure?

(It should be noted that I have to approve all comments before they are listed.)

Debbie
xyph Posted September 2, 2011

Assuming there's no way to inject SQL commands, and you're preventing HTML from being displayed, you should be fine from a security standpoint. If people want to mess with variables that tell you where the comments are going, who cares? It's even MORE secure if you're approving before displaying.
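The handling the replies from KevinM1 and xyph converge on (hidden or disabled fields never trusted, the commenter taken from the login session, the article checked server-side, the comment validated as free text, prepared statements, HTML escaped on display, and moderation before anything is shown) put together as one added PHP example. This is not code from any poster in this thread. Everything about the schema is an assumption: PDO on MySQL, tables named articles, members and comments, a session key memberID (the name Debbie mentions), a session key csrf_token, and a hidden input named article_id in the form. One caveat the thread does not spell out: a disabled input is not submitted by the browser at all, so a handler never sees it either way.

```php
<?php
// Added example, not from any post in this thread. Assumed: PDO on MySQL,
// tables articles/members/comments, session keys memberID and csrf_token,
// and a form with a hidden input named article_id.

session_start();

// Emit the per-session token as a hidden input; the handler below requires
// it, so a form built on another site with our input names is rejected.
function csrfTokenField(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    // The token is hex, so it is safe to place in an attribute unescaped.
    return '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';
}

function handleCommentPost(PDO $db, array $post, array $session): array
{
    $token = $session['csrf_token'] ?? '';
    if ($token === '' || !hash_equals($token, (string) ($post['csrf_token'] ?? ''))) {
        return ['ok' => false, 'error' => 'Invalid form submission.'];
    }

    // Who is commenting comes from the login session, never from a "name" field.
    if (empty($session['memberID'])) {
        return ['ok' => false, 'error' => 'You must be logged in to comment.'];
    }
    $memberId = (int) $session['memberID'];

    // The article id may arrive in a hidden input, but that is only a hint from
    // the client: it must be an integer naming an article that accepts comments.
    $articleId = filter_var($post['article_id'] ?? null, FILTER_VALIDATE_INT);
    if ($articleId === false) {
        return ['ok' => false, 'error' => 'Invalid article.'];
    }
    $stmt = $db->prepare('SELECT comments_open FROM articles WHERE id = ?');
    $stmt->execute([$articleId]);
    $article = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($article === false || !$article['comments_open']) {
        return ['ok' => false, 'error' => 'Comments are not open for this article.'];
    }

    // The comment is the only field the user authors. Validate it as free text
    // (required, bounded, valid UTF-8); markup is neutralised at output time,
    // so nothing is stripped or encoded here.
    $comment = trim((string) ($post['comment'] ?? ''));
    if ($comment === '' || !mb_check_encoding($comment, 'UTF-8')) {
        return ['ok' => false, 'error' => 'Please enter a comment.'];
    }
    if (mb_strlen($comment) > 2000) {
        return ['ok' => false, 'error' => 'Comments are limited to 2000 characters.'];
    }

    // Any title or name the client sent is ignored. The row is bound to the
    // server-side ids, and approved = 0 keeps it hidden until moderated.
    $insert = $db->prepare(
        'INSERT INTO comments (article_id, member_id, body, approved, created_at)
         VALUES (?, ?, ?, 0, NOW())'
    );
    $insert->execute([$articleId, $memberId, $comment]);

    return ['ok' => true, 'comment_id' => (int) $db->lastInsertId()];
}

function renderApprovedComments(PDO $db, int $articleId): string
{
    $stmt = $db->prepare(
        'SELECT m.name, c.created_at, c.body
           FROM comments c JOIN members m ON m.id = c.member_id
          WHERE c.article_id = ? AND c.approved = 1
          ORDER BY c.created_at DESC'
    );
    $stmt->execute([$articleId]);

    $e = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Escape every stored value on the way out so a comment containing
        // markup is displayed as text rather than interpreted by the browser.
        $html .= '<div class="comment"><strong>' . $e($row['name']) . '</strong> '
               . $e($row['created_at']) . '<p>' . nl2br($e($row['body'])) . '</p></div>' . "\n";
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    $result = handleCommentPost($db, $_POST, $_SESSION);
    if ($result['ok']) {
        header('Location: article.php?id=' . (int) $_POST['article_id'] . '&posted=1');
        exit;
    }
    echo '<p class="error">' . htmlspecialchars($result['error'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
```

The design choice that answers Debbie's "how can I counter that?" is that nothing the browser sends decides who is commenting or whether the target article is open; the hidden article_id is re-checked against the database, the member id comes only from the session, and a tampered "name" or "title" field is never read. The form page would echo csrfTokenField() inside the form and call renderApprovedComments() below it, with ATTR_EMULATE_PREPARES disabled so the placeholders are bound by the database server rather than interpolated by the driver.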
doubledee (Author) Posted September 2, 2011

> Assuming there's no way to inject SQL commands, and you're preventing HTML from being displayed, you should be fine from a security standpoint. If people want to mess with variables that tell you where the comments are going, who cares? It's even MORE secure if you're approving before displaying.

Okay, so it sounds like what I am doing is okay.

Thanks,

Debbie