My sign-up form uses HTML5 inputs (email, password, username, ...) and also patterns. Do I need to check the inputs with PHP before inserting them into MySQL?
Absolutely.
Remember that anyone can send raw HTTP requests and fill in the fields with any data they like. Never trust user input; always check it server-side.
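As an added example (not part of the original answer), here is what that server-side check looks like in JavaScript: the same rules the HTML5 pattern attributes express are re-applied on the server, and the insert binds parameters rather than building SQL from the input. The rules, `db.execute` and `hashPassword` are assumptions standing in for the real form's patterns, database driver and hashing function.

```javascript
// Added example (not from the original answer). The server re-checks every field
// against the same rules the form's HTML5 pattern attributes express, because a
// hand-crafted POST never runs the browser's checks. The rules are assumptions
// standing in for the real form's patterns.
const RULES = {
  username: { re: /^[a-z0-9_]{3,20}$/i, msg: "3-20 letters, digits or underscores" },
  email:    { re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, msg: "not a valid email address" },
  password: { re: /^.{10,128}$/, msg: "must be 10-128 characters" },
};

// Returns { ok: true, values } or { ok: false, errors }. `body` is the parsed
// request body; only whitelisted fields are copied into `values`.
function validateSignup(body) {
  const errors = {};
  const values = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = body ? body[field] : undefined;
    // A missing field, or a non-string (an array or object in a crafted body),
    // is rejected rather than coerced with String().
    if (typeof raw !== "string") {
      errors[field] = "missing";
      continue;
    }
    const v = field === "password" ? raw : raw.trim();
    if (!rule.re.test(v)) {
      errors[field] = rule.msg;
      continue;
    }
    values[field] = v;
  }
  return Object.keys(errors).length ? { ok: false, errors } : { ok: true, values };
}

// Insert step: values are bound as parameters, never concatenated into the SQL.
// `db.execute(sql, params)` and `hashPassword` are placeholders for the driver
// and password-hashing function the project actually uses.
function insertUser(db, hashPassword, body) {
  const result = validateSignup(body);
  if (!result.ok) return result;
  const { username, email, password } = result.values;
  db.execute(
    "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
    [username, email, hashPassword(password)]
  );
  return { ok: true };
}
```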
Related
So let's say a user is signing up, and I want to notify them on the fly if they try to enter a username that's already in use.
Since it's jinja2, I can pass the current list of used usernames to the frontend, but how do I then use those without using javascript ?
You cannot do that without JavaScript on the client side. But what you can do is pass the list as a JavaScript array string to the client and put it into the JavaScript code to verify the input on the client, for example in a method called by the text box's .onblur.
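As an added example (not from the original answer), here is the server-side serialisation of that list for a `<script>` block and the client-side onblur check; `renderUsernameScript` and `usernameTaken` are names assumed for this illustration. Jinja2's built-in `tojson` filter does comparable escaping for the template case.

```javascript
// Added example (not from the original answer). Serialises the username list so
// it can sit inside a <script> element in the template, then does the onblur check.
function scriptSafeJson(value) {
  // JSON is valid JavaScript, but a string containing "</script>" would close
  // the element early; escaping <, >, & and U+2028/U+2029 removes that risk.
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// What the template emits (server side), given the list passed from the view.
function renderUsernameScript(usernames) {
  return "<script>var TAKEN = " + scriptSafeJson(usernames) + ";</script>";
}

// Client side: called from the text box's onblur. Comparison is case-insensitive
// on the assumption that usernames must be unique regardless of case.
function usernameTaken(takenList, input) {
  const needle = input.trim().toLowerCase();
  return takenList.some((u) => u.toLowerCase() === needle);
}
```

Note that this approach ships the full list of account names to every visitor, which is why the AJAX check described further down the page is the usual choice.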
I know it's a stupid question, but if I fill a form with various inputs but I don't give them a name and id, and I POST it to a php page, does the posted query contain any data?
If it does, then using inputs without names in a form results in wasted sending time. Am I right?
Is there any difference between GET and POST in this case?
I presume that the browser (client-side) determines what to send and what to not send.
I'll try to see what happens if I send a GET request: if something appears in the browser bar, some data has been sent.
But the POST method is still a mystery for me... when I have time I'll try to print the $_POST array. Thanks for the "input" #MattP
I updated my question after somebody's attack: I printed out the result of $_POST and $_GET, but still, I think the only answer to my question is to check the weight of the data, not the things recognized by the server. If I send unnamed data to the server, the server may discard that and take only the ones with a name.
(sorry for the bad English)
No, they won't get the data. id is optional, but for PHP to do anything it requires the name attribute.
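As an added example (not from the original answer), here is the rule the browser applies when it builds the form data set, written out in JavaScript over a constructed stand-in for `form.elements`; the encoded output is the same for GET (query string) and POST (request body).

```javascript
// Added example (not from the original answer). Builds the form data set the way
// a browser does before encoding it, to show which controls actually leave the
// page. `controls` is a constructed stand-in for form.elements.
function formDataSet(controls) {
  const pairs = [];
  for (const c of controls) {
    // No name attribute: never a "successful" control, so nothing is sent.
    // An id on its own does not make the control part of the submission.
    if (!c.name) continue;
    if (c.disabled) continue;
    const isCheck = c.type === "checkbox" || c.type === "radio";
    // Unchecked boxes and radios are skipped; a checked one without a value
    // attribute sends "on".
    if (isCheck && !c.checked) continue;
    // A submit button is included only if it is the one that submitted the form.
    if (c.type === "submit" && !c.submitter) continue;
    let value = c.value;
    if (value == null) value = isCheck ? "on" : "";
    pairs.push([c.name, String(value)]);
  }
  return pairs;
}

// application/x-www-form-urlencoded. For GET this becomes the query string
// after "?", for POST it becomes the request body: same bytes, different place.
function urlencode(pairs) {
  return new URLSearchParams(pairs).toString();
}
```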
I can already use jQuery.post to send JSON data to the server, but I can't find a way to have the response replace my current page just as a regular old POST would when using plain HTML.
The only way I know right now to come close is to create a dummy form, add the JSON data as a value, then trigger submit. This seems like a big hack and also requires the server side to know where to look for this value (whereas it automatically detects JSON when jQuery sends it).
Please tell me there's a better way!
Example desired usage (note that I don't want the data encoded in the URL):
magic_load_page('/page', {'foo':'bar', 'list':[1,4,9,16]}); // uses POST request
I am trying to validate that a username is unique on a registration form and would like to verify the uniqueness of the username right after the client types it as opposed to performing this server side after the form has been submitted.
Should I collect a resultSet from the database, store it in an array and then pass this along to the jsp page in the form of a bean (I am using a model 2 design so the user passes through a servlet before arriving at the jsp page)? What if the array is very large? How do I bring this data into javascript?
Alternatively, is there a way to do the query using AJAX and JavaScript all on the client side? Maybe it's possible to somehow run the query in the background?
I am really just looking for some direction because I am clueless as to what to even begin researching something like this. Is this even a smart move, performance wise?
I'd use "AJAX" for this.
Here's one approach: set up a blur() handler on the username text field of your form. When the blur() method is invoked, you post the username to the backend code; it verifies it and returns some appropriate response. You then parse the response and change the CSS class on the username text field (e.g., turning it red) -- or do whatever else visually you want to do to indicate "username in use."
Either way, you've got to get the username from the client to the server for verification; you wouldn't want any mechanism which allowed the client to directly use the DB (think security/exploits/etc).
If you're not already familiar, check out jQuery (http://jquery.com/) to make your client-side life much easier.
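As an added example (not from the original answer), the blur-triggered round trip with both halves as plain functions: the client posts the username, the server answers with JSON, and the client flips the field's CSS class. `checkUsernameHandler`, `onUsernameBlur`, the `/check-username` route and the in-memory `db` are assumptions for this illustration.

```javascript
// Added example (not from the original answer): the blur-triggered exchange,
// with client and server halves as plain functions so it runs without a browser.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

// Server side: handles POST /check-username with a body of {username}.
// The lookup happens here; the client never talks to the database itself.
function checkUsernameHandler(db, body) {
  const name = typeof body.username === "string" ? body.username.trim().toLowerCase() : "";
  if (!USERNAME_RE.test(name)) {
    return { status: 400, json: { available: false, reason: "invalid" } };
  }
  // `db` is a constructed in-memory Set of lowercase usernames.
  return { status: 200, json: { available: !db.has(name) } };
}

// Client side: the onblur handler. `post(url, body, cb)` stands in for the
// jQuery.post-style wrapper the page uses; `field` is the text box (or a plain
// object with value/className when exercised outside a browser).
function onUsernameBlur(field, post) {
  const value = field.value.trim();
  if (!USERNAME_RE.test(value.toLowerCase())) {
    field.className = "invalid";   // no request for an obviously bad name
    return;
  }
  field.className = "checking";
  post("/check-username", { username: value }, (res) => {
    field.className = res.available ? "ok" : "taken";
  });
}
```

The live check is only advisory: the final INSERT still needs a UNIQUE index on the username column, because two sign-ups can both pass the check for the same name before either commits.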
How can you make a form be able to fill a field with the url?
Example: if I have two fields, username and password, and my form is located at form.html, how can I make form.html?username=example automatically fill in "example" in the username field?
The form would have to read variables from the URL and parse them, and then repost those values into a field. For instance, with PHP, it would be:
<?php $sName = isset($_GET['name']) ? $_GET['name'] : ''; // empty string when the parameter is absent ?>
...some HTML goes here...
<input type="text" id="name" name="name" value="<?= htmlspecialchars($sName, ENT_QUOTES, 'UTF-8') ?>" size="60" />
This can also be done in jQuery by using the location.href value to get the full URL, then splitting the URL into parts a few times with the split() function, and then using $('#name').val(sName) in jQuery to put the value into that field.
However, there are several security implications you have to consider. It is no longer advisable to take a raw GET value without running it through some XSS prevention steps:
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Here's something that malicious people may use against a site that works with raw GET values:
http://ha.ckers.org/xss.html
So beware.
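As an added example (not from the original answer), the same prefill done both ways in JavaScript: escaping the query value for an HTML attribute when the server renders the tag (what PHP's htmlspecialchars does), and reading it on the client with URLSearchParams and assigning `.value`, which never interprets the text as markup. `renderNameInput`, `queryValue` and `prefillField` are names assumed for this illustration.

```javascript
// Added example (not from the original answer). Two XSS-safe ways to prefill
// the "name" field from form.html?name=...
function escapeHtmlAttr(s) {
  // Same five characters htmlspecialchars(..., ENT_QUOTES) rewrites.
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side rendering of the input tag from the raw query value: the value
// cannot close the attribute or start a tag because " < > are all escaped.
function renderNameInput(rawValue) {
  const value = rawValue == null ? "" : rawValue;
  return '<input type="text" id="name" name="name" value="' +
    escapeHtmlAttr(value) + '" size="60" />';
}

// Client side: read one parameter from the page URL. URLSearchParams handles
// percent-decoding and "+" for spaces, so no manual split() is needed.
function queryValue(url, key) {
  return new URL(url, "http://localhost").searchParams.get(key) || "";
}

// In the browser: prefillField(document.getElementById("name"), location.href, "name").
// Assigning .value sets plain text; nothing in it is parsed as HTML.
function prefillField(field, url, key) {
  field.value = queryValue(url, key);
  return field.value;
}
```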
OK, so the user puts this URL into his browser, a request is made to the server, and the page comes back to the user. There are two general approaches you can use to fill in the form details. 1. You can make it happen on the server. 2. You can make it happen on the client. If you want to make it happen on the server then you're going to need to use a server-side technology like ASP.NET, PHP, JSP, etc. If you want to make it happen on the client then you'll need a client-side technology that will almost certainly be JavaScript.
There's a whole lot more to say about this, including warnings about security holes like cross-site scripting, but I'll leave those for now.
The webserver language (e.g. PHP) must access the variables (e.g. $_GET["username"]) and supply them as values to the HTML fields. Don't forget to use method="get" in the HTML.
If your url is form.html, then how are you going to end up with form.html?username=example?
?username=example is a query string. If you're submitting your form with a GET method, it will use a query string and append it to your URL, so the way you'd get form.html?username=example would be if a user entered their username as "example" and then submitted the form.