StevenOliver

Safe to use two forms and hidden inputs?


Customers visit a "select merchandise page."
Their list of items is displayed (merchandise SKU numbers). The displayed list of their items expands as they add more stuff.
When they're done, they create a packing slip that appears on a new "finished.php" page.

Question: Is using 2 forms and hidden inputs the secure and accepted way to do this?

--------------------------------------------------------
<?php
// append the newly typed item onto the list carried in the hidden field
$added = (isset($_POST["added"]) ? $_POST["added"] : '') . ',' . (isset($_POST["more-stuff"]) ? $_POST["more-stuff"] : '');
echo "Here is what's been added: " . htmlspecialchars($added); // item 1, item 2, item 3, etc.
?>

<form method="post" action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>">
<input type="text" name="added">
<input type="hidden" name="more-stuff" value="<?=htmlspecialchars($added)?>">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
<input type="hidden" name="finished" value="<?=htmlspecialchars($added)?>">
</form>
--------------------------------------------------------

Thank you!!

 

external data can be anything and cannot be trusted. you have to validate all external data before using it, so, you should submit/pass a minimum of information through a form. by using a hidden field, you will have to validate the original data and then re-validate all the hidden field data before using it.

when items are selected, the item id (sku) and quantity should be the only information that gets submitted and should be stored in a 'cart' on the server, either in a session array variable or in a database table. you would use or display the server-side cart information as needed.

when an order is finalized/finished, you need to persistently store the items making up that order, in a database table. to display or print a packing slip, you would query for and retrieve the item information for the correct order number.

2 hours ago, mac_gyver said:

....by using a hidden field, you will have to validate the original data and then re-validate all the hidden field data before using it.

...when items are selected, the item id (sku) and quantity should be the only information that gets submitted and should be stored in a 'cart' on the server...

mac_gyver, thank you for your reply. I think I understand!
Are you saying it is best to completely eliminate <input type="hidden"> and instead use Sessions (or Databases)?

So my simplified code would become:

-----------------------------------
<?php
session_start();
// sanitize() is the poster's placeholder for input cleaning; a minimal stand-in is defined so the snippet runs
function sanitize(string $s): string { return trim(strip_tags($s)); }
if (!isset($_SESSION["added"])) { $_SESSION["added"] = ''; }
if (!empty($_POST["added"])) {
    $_SESSION["added"] .= sanitize($_POST["added"]) . ','; // sanitize user input, then append it to the list
}
echo '<html><body>';
echo "Here is what's been added: " . htmlspecialchars($_SESSION["added"]);
?>

<form method="post" action="<?=htmlspecialchars($_SERVER['PHP_SELF'])?>">
<input type="text" name="added">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
</form>
</body></html>
-----------------------------------

... and the "finished.php" page would be as follows:
<?php
session_start();
// read the list back from the session; nothing is taken from the form submission
print htmlspecialchars($_SESSION["added"] ?? '');

Is that better?

 


yes to storing the data in a session variable, no to just concatenating it to a single element.

the 'cart' session variable needs to be an array, with the array index being the item id and the value stored in the array being the quantity. this will result in the simplest code when referencing or manipulating the data. for example, how do you detect and deal with adding the same item to the cart more than once? with an array, you can just use isset() to detect if the item id is already in the cart. with concatenation, you must search through the string to find a match.

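One way to build the array-based session cart described in the reply above, as an added example that is not code from the thread. The function names, the $_POST field names and the assumed SKU format are this example's own assumptions.

```php
<?php
// Added example, not code from the thread: the cart as a session array indexed by
// item id (SKU) with the quantity as the value. Function names, the assumed SKU
// format and the $_POST field names are this example's own assumptions.
session_start();
if (!isset($_SESSION['cart']) || !is_array($_SESSION['cart'])) {
    $_SESSION['cart'] = [];
}
// Validate both submitted values before they touch the cart. A SKU is assumed to be
// 3-12 upper-case alphanumerics and a quantity an integer from 1 to 999.
function validate_item(array $post): ?array
{
    $sku = isset($post['sku']) ? strtoupper(trim((string) $post['sku'])) : '';
    if (!preg_match('/^[A-Z0-9]{3,12}$/', $sku)) {
        return null;
    }
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999]]);
    return $qty === false ? null : ['sku' => $sku, 'qty' => $qty];
}

// isset() answers "is this SKU already in the cart?", so a repeated add bumps the
// quantity instead of creating a duplicate entry (no string searching needed).
function add_to_cart(array &$cart, string $sku, int $qty): void
{
    if (isset($cart[$sku])) {
        $cart[$sku] += $qty;
    } else {
        $cart[$sku] = $qty;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $item = validate_item($_POST);
    if ($item === null) {
        echo '<p>Item id or quantity was not accepted.</p>';
    } else {
        add_to_cart($_SESSION['cart'], $item['sku'], $item['qty']);
    }
}

// Only the server-side copy is displayed; nothing about the cart round-trips through the form.
echo '<ul>';
foreach ($_SESSION['cart'] as $sku => $qty) {
    printf('<li>%s x %d</li>', htmlspecialchars($sku), $qty);
}
echo '</ul>';
?>
<form method="post" action=""><input type="text" name="sku"> <input type="number" name="qty" value="1"> <input type="submit" value="Add"></form>
```

finished.php would then read $_SESSION['cart'] (or the order rows saved from it) rather than anything posted by the browser.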
