Safe to use two forms and hidden inputs?


StevenOliver

Customers visit a "select merchandise page."
Their list of items is displayed (merchandise SKU numbers). The displayed list of their items expands as they add more stuff.
When they're done, they create a packing slip that appears on a new "finished.php" page.

Question: Is using 2 forms and hidden inputs the secure and accepted way to do this?

--------------------------------------------------------
<?php
// Build the running list from the text box plus the hidden field that carries
// the previous submissions forward (defaults to '' on the first page load).
$added = ($_POST["added"] ?? '') . ',' . ($_POST["more-stuff"] ?? '');
echo "Here is what's been added: $added"; // item 1, item 2, item 3, etc.
?>

<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<input type="text" name="added">
<input type="hidden" name="more-stuff" value="<?=$added?>">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
<input type="hidden" name="finished" value="<?=$added?>">
</form>
--------------------------------------------------------

Thank you!!


External data can be anything and cannot be trusted. You have to validate all external data before using it, so you should submit/pass a minimum of information through a form. By using a hidden field, you will have to validate the original data and then re-validate all the hidden field data before using it.

When items are selected, the item id (SKU) and quantity should be the only information that gets submitted, and it should be stored in a 'cart' on the server, either in a session array variable or in a database table. You would use or display the server-side cart information as needed.

When an order is finalized/finished, you need to persistently store the items making up that order in a database table. To display or print a packing slip, you would query for and retrieve the item information for the correct order number.


2 hours ago, mac_gyver said:

...by using a hidden field, you will have to validate the original data and then re-validate all the hidden field data before using it.

...when items are selected, the item id (sku) and quantity should be the only information that gets submitted and should be stored in a 'cart' on the server.

mac_gyver, thank you for your reply. I think I understand!
Are you saying it is best to completely eliminate <input type="hidden"> and instead use Sessions (or Databases)?

So my simplified code would become:

-----------------------------------
<?php
session_start();
// Append the sanitized input to the running list; the ?? '' avoids an
// undefined-index notice on the first page load. sanitize() is the poster's
// placeholder for whatever input validation is applied and is not defined here.
$_SESSION["added"] = ($_SESSION["added"] ?? '') . sanitize($_POST["added"] ?? ''); // sanitize user input
echo '<html><body>';
echo "Here is what's been added: ".$_SESSION["added"];
?>

<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<input type="text" name="added">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
</form>
</body></html>
-----------------------------------

... and the "finished.php" page would be as follows:
<?php
session_start();
// Read the list back from the session; '' if nothing was ever added.
print $_SESSION["added"] ?? '';

Is that better?


Yes to storing the data in a session variable, no to just concatenating it to a single element.

The 'cart' session variable needs to be an array, with the array index being the item id and the value stored in the array being the quantity. This will result in the simplest code when referencing or manipulating the data. For example, how do you detect and deal with adding the same item to the cart more than once? With an array, you can just use isset() to detect if the item id is already in the cart. With concatenation, you must search through the string to find a match.
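The two replies above describe the same design: validate only the SKU and quantity that arrive from the form, keep the cart as a session array indexed by SKU, and never trust a hidden field to carry state between requests. The following page puts that together. It is an added example, not code from either poster; the SKU format (uppercase letters, digits and hyphens), the in-memory CATALOGUE array standing in for the database lookup, and the quantity limit of 999 are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): a session-backed cart keyed by SKU.
// Assumptions for illustration: SKU format is [A-Z0-9-]{3,20}, and CATALOGUE
// stands in for the product table you would query in a real application.
declare(strict_types=1);

session_start();

// Constructed sample catalogue; a real site would look SKUs up in a database.
const CATALOGUE = [
    'SKU-1001' => 'Widget',
    'SKU-1002' => 'Gadget',
];

// Returns the canonical SKU when the input matches the allowed format AND
// exists in the catalogue; null otherwise. Format check first, then lookup.
function validate_sku($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $sku = trim($raw);
    if (!preg_match('/^[A-Z0-9-]{3,20}$/', $sku) || !isset(CATALOGUE[$sku])) {
        return null;
    }
    return $sku;
}

// Returns an int in 1..999 or null. FILTER_VALIDATE_INT with a range rejects
// '', '1e3', '-1', '1.5' and arrays, all of which (int) casts would accept.
function validate_qty($raw): ?int
{
    $qty = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]);
    return $qty === false ? null : $qty;
}

// The cart is an array: SKU => quantity. isset() answers "already in the
// cart?" directly, which is the duplicate-item case raised above.
function add_to_cart(array &$cart, string $sku, int $qty): void
{
    if (isset($cart[$sku])) {
        $cart[$sku] += $qty;
    } else {
        $cart[$sku] = $qty;
    }
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sku = validate_sku($_POST['sku'] ?? null);
    $qty = validate_qty($_POST['qty'] ?? null);
    if ($sku === null || $qty === null) {
        $error = 'Unknown item or invalid quantity.';
    } else {
        if (!isset($_SESSION['cart'])) {
            $_SESSION['cart'] = [];
        }
        add_to_cart($_SESSION['cart'], $sku, $qty);
    }
}

$cart = $_SESSION['cart'] ?? [];

// Everything echoed into HTML is escaped, including values that came from
// the session, since they originated as user input on an earlier request.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
?>
<!DOCTYPE html>
<html><body>
<?php if ($error !== null): ?>
<p><?= h($error) ?></p>
<?php endif; ?>
<p>Here is what's been added:</p>
<ul>
<?php foreach ($cart as $sku => $qty): ?>
<li><?= h((string)$sku) ?> (<?= h(CATALOGUE[$sku]) ?>) x <?= (int)$qty ?></li>
<?php endforeach; ?>
</ul>

<form method="post" action="">
<input type="text" name="sku" placeholder="SKU">
<input type="number" name="qty" value="1" min="1" max="999">
<input type="submit" value="Add">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
</form>
</body></html>
```

Two details worth noting. The form posts to an empty action (the current URL) rather than `$_SERVER['PHP_SELF']`, because PHP_SELF reflects whatever path the client requested and is a well-known source of reflected XSS when echoed unescaped. And finished.php needs nothing from the form at all: it calls session_start(), reads `$_SESSION['cart']`, writes the order rows to the database as the second reply describes, and then renders the packing slip from that stored order, so there is no hidden field for a customer to edit before submitting.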
