
How to copy received $_FILES in a POST to a new new form


shahab.fm


Hi,

 

I am trying to make a form in PHP/HTML for a project. In the first form I get all the information (text & multiple files), and then when the SUBMIT button is pressed I post this to a validation page that checks the entries against the database (MS SQL) to prevent duplication. The trick I use on this page is that I copy all the information into a hidden form and auto-submit it with a JavaScript snippet on page load.

 

<body onLoad="document.form1.submit();">

 

However, I don't know how to copy the available data in $_FILES. I tried this and some other variants (echo) without any luck ...

 

<input name="filesToUpload[]" id="filesToUpload" type="file" multiple="" value="<?php =$_FILES ?>" />

 

My code for copying other parameters with the help of echo :

 

<form action="<?php echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); ?>" method="POST" name="form1" enctype="multipart/form-data">
<!-- every value echoed back into an attribute is escaped so the posted text cannot break out of the attribute -->
<input    type="text" id="komponentid_id" required value="<?php echo htmlspecialchars($_POST["component_id"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="component_id" minlength="18" maxlength="40" />
<input    type="date" name="prod_date" id="prod_date_id" required value="<?php echo htmlspecialchars($_POST["prod_date"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" />
<input    type="text" id="resept_num_id" required value="<?php echo htmlspecialchars($_POST["resept_num"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="resept_num" minlength="4" maxlength="25" />
<input    type="text" id="wire_batch_ext_id" required value="<?php echo htmlspecialchars($_POST["wire_batch_ext"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="wire_batch_ext" minlength="5" maxlength="24" />
<input    type="text" id="wire_batch_int_id" required value="<?php echo htmlspecialchars($_POST["wire_batch_int"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="wire_batch_int" minlength="8" maxlength="24" />
<input    type="text" id="subs_num_ext_id" required value="<?php echo htmlspecialchars($_POST["subs_num_ext"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="subs_num_ext" minlength="5" maxlength="24" />
<input    type="text" id="subs_num_int_id" required value="<?php echo htmlspecialchars($_POST["subs_num_int"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="subs_num_int" minlength="5" maxlength="24" />
<input    type="text" id="comment_id" value="<?php echo htmlspecialchars($_POST["comment"] ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="comment" minlength="0" maxlength="500" />
<input    type="text" id="error_id" value="<?php echo htmlspecialchars($error ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="error" minlength="0" maxlength="500" />
<!-- a file input cannot be pre-filled: browsers ignore its value attribute, and echoing $_FILES (an array) only prints "Array" -->
<input name="filesToUpload[]" id="filesToUpload" type="file" multiple="" />
<input    type="text" id="error_code_id" value="<?php echo htmlspecialchars($error_code ?? '', ENT_QUOTES, 'UTF-8'); ?>" name="error_code" minlength="0" maxlength="500" />
<input    type="submit" value="Upload" />
</form>


No, just no. This is not a good method at all, and all it does is add complexity without any form of extra security. In fact, it'll fail outright if the user doesn't have JS available for any reason. Not to mention it's really easily spoofed.

The first rule of dealing with user input is: "Never trust the user." By having part of the security routines happen on the client side, you're trusting the user.

 

Have all validation happen on the client-side instead, and if you want to prevent CSRF (and similar) attacks, then you'll need to use a one-time token in the form instead.

 

To prevent duplication, have the PHP code check the database between input validation and the database insertion. If data is duplicated, show a warning message just like you'd do if some of the input failed validation. You can even add an AJAX call whenever a field changes, to streamline the process. That way the user doesn't have to post the entire form before s/he learns about duplicated data.

Just remember that JS is never for security, only for making things easier for the user.

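The reply above describes the server-side flow: a one-time token in the form, validation in PHP, a duplicate check between validation and the INSERT, and the same error display for both. The following is an added example of that flow written for this edit; it is not code from any poster in the thread. The PDO DSN, the `components` table and its columns, and the field-length rules are assumptions chosen to match the form fields in the first post.

```php
<?php
// Added example: server-side validation with a one-time CSRF token and a
// duplicate check done in PHP before the INSERT. The PDO connection string,
// the `components` table and its columns are assumptions.
session_start();

// Step 1: when rendering the form, mint a one-time token and keep it in the session.
function issue_csrf_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// Step 2: on POST, compare in constant time and consume the token so it is one-time.
function consume_csrf_token(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? null;
    unset($_SESSION['csrf_token']);
    return is_string($submitted) && is_string($expected) && hash_equals($expected, $submitted);
}

// Step 3: validate lengths on the server; the HTML minlength/maxlength attributes are
// only a convenience for the user and can be removed by anyone editing the page.
function validate_fields(array $post): array {
    $rules = [ // field => [min, max]; assumed to mirror the form in the first post
        'component_id'   => [18, 40], 'resept_num'     => [4, 25],
        'wire_batch_ext' => [5, 24],  'wire_batch_int' => [8, 24],
        'subs_num_ext'   => [5, 24],  'subs_num_int'   => [5, 24],
        'comment'        => [0, 500],
    ];
    $errors = [];
    foreach ($rules as $field => [$min, $max]) {
        $len = mb_strlen(trim((string)($post[$field] ?? '')));
        if ($len < $min || $len > $max) {
            $errors[$field] = "must be between $min and $max characters";
        }
    }
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', (string)($post['prod_date'] ?? ''))) {
        $errors['prod_date'] = 'must be YYYY-MM-DD';
    }
    return $errors;
}

// Step 4: duplicate check with a prepared statement, between validation and insert.
function is_duplicate(PDO $db, string $componentId): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM components WHERE component_id = ?');
    $stmt->execute([$componentId]);
    return (int)$stmt->fetchColumn() > 0;
}

// Ties the steps together; returns errors keyed by field so the form can re-render them.
function handle_post(PDO $db, array $post): array {
    if (!consume_csrf_token($post['csrf_token'] ?? null)) {
        return ['ok' => false, 'errors' => ['csrf' => 'invalid or expired form token']];
    }
    $errors = validate_fields($post);
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    if (is_duplicate($db, $post['component_id'])) {
        return ['ok' => false, 'errors' => ['component_id' => 'already exists']];
    }
    $stmt = $db->prepare('INSERT INTO components (component_id, prod_date, comment) VALUES (?, ?, ?)');
    $stmt->execute([$post['component_id'], $post['prod_date'], $post['comment'] ?? '']);
    return ['ok' => true, 'errors' => []];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('sqlsrv:Server=localhost;Database=app', 'user', 'pass'); // assumed DSN
    $result = handle_post($db, $_POST);
    // Re-render the form with the errors; everything echoed back into HTML is escaped.
    foreach ($result['errors'] as $field => $msg) {
        echo '<p>' . htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . '</p>';
    }
} else {
    $token = issue_csrf_token();
    echo '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}
```

The duplicate check and the INSERT are two statements, so two requests arriving at the same moment can still both pass the check; a UNIQUE constraint on `component_id` in the database is what actually guarantees no duplicates, with the PHP check providing the friendly error message.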

As for the question of copying the file in the new form, you can't. I'd advise you to make the user upload the file again, or else make the file upload a separate part of the process which the user will only reach once the rest of the form is complete and valid.

 

If this were necessary you'd have to store the file someplace temporarily (making sure to clean up unused files after a while) and securely (so people can't just see whatever files are there), uniquely identify the file in a hidden form field (because you can't make the user upload a file without them taking some action) and also securely (don't want people fiddling with the input to make your script think it should be the wrong file), then fetch and delete that file when the form is complete, or delete it if they upload a new file with the new form (assuming you're designing a UI nice enough to allow that).

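The reply above lists the requirements for carrying an upload across two form steps: temporary storage outside public reach, an identifier the user cannot tamper with, cleanup of abandoned files, and deletion once the file is claimed or replaced. The following is an added example that implements those requirements; it is not code from any poster in the thread. The directory in `TMP_UPLOAD_DIR`, the 24-hour retention window and the `filesToUpload[]` field layout from the first post are assumptions.

```php
<?php
// Added example: holding an uploaded file between two form steps.
// TMP_UPLOAD_DIR is assumed to be outside the web root and writable only by PHP;
// the retention window is an assumption.
session_start();
const TMP_UPLOAD_DIR = '/var/app/pending_uploads';
const RETENTION_SECONDS = 24 * 3600;

// Step 1: after the upload itself is validated, move it under a random handle and
// record the handle in this user's session, so no other session can reference it.
function stash_upload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $handle = bin2hex(random_bytes(16));
    $dest = TMP_UPLOAD_DIR . '/' . $handle;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    // Keep the user's file name as metadata only; it is never used as a path.
    $_SESSION['pending_uploads'][$handle] = ['name' => basename($file['name']), 'ts' => time()];
    return $handle;
}

// Step 2: a handle from the hidden field is valid only if it is well-formed,
// belongs to this session, and still exists on disk.
function pending_path(string $handle): ?string {
    if (!preg_match('/^[0-9a-f]{32}$/', $handle)) return null;
    if (!isset($_SESSION['pending_uploads'][$handle])) return null;
    $path = TMP_UPLOAD_DIR . '/' . $handle;
    return is_file($path) ? $path : null;
}

// Step 3: on final submit, move the stashed file to its permanent home and forget it.
function claim_upload(string $handle, string $finalDir): bool {
    $path = pending_path($handle);
    if ($path === null) return false;
    $meta = $_SESSION['pending_uploads'][$handle];
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $meta['name']);
    $ok = rename($path, $finalDir . '/' . $handle . '-' . $safeName);
    unset($_SESSION['pending_uploads'][$handle]);
    return $ok;
}

// Step 4: discard a stash when the user re-uploads or abandons the form.
function discard_upload(string $handle): void {
    $path = pending_path($handle);
    if ($path !== null) unlink($path);
    unset($_SESSION['pending_uploads'][$handle]);
}

// Housekeeping (run from cron): remove stashes older than the retention window.
function purge_stale_uploads(): int {
    $removed = 0;
    foreach (glob(TMP_UPLOAD_DIR . '/*') ?: [] as $path) {
        if (time() - filemtime($path) > RETENTION_SECONDS && unlink($path)) $removed++;
    }
    return $removed;
}

// Usage on the validation page: stash each file from the multiple-file input and
// emit one hidden field per handle for the next form to carry.
foreach ($_FILES['filesToUpload']['name'] ?? [] as $i => $name) {
    $one = [
        'name'     => $name,
        'tmp_name' => $_FILES['filesToUpload']['tmp_name'][$i],
        'error'    => $_FILES['filesToUpload']['error'][$i],
    ];
    if ($handle = stash_upload($one)) {
        echo '<input type="hidden" name="pending[]" value="'
            . htmlspecialchars($handle, ENT_QUOTES, 'UTF-8') . '">';
    }
}
```

The session binding in `pending_path` is what stops one user from submitting another user's handle, and the regular expression check means a handle is never concatenated into a path unless it is exactly 32 hex characters.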

WOW! That has to be the worst method ever. Due to the posted data not being checked for any bad strings you're putting your website at high risk. You need to clean up the posted data before doing anything. Also, I recommend using AJAX to post your data, not page flicker.
