Basically I'm using this tutorial: HTML FORM
Everything is working as it should, but one flaw I've found is that everyone can see the URL for your
Say you have the following form:
<form action="savething.php" method="GET" name="mythingform">
<input name="thing1" type="text" />
<input name="thing2" type="text" />
<input type="button" value="Submit" onclick="validateAndSubmit()" />
</form>
In this, instead of a submit type input, I have used a button. This means something needs to happen before the page will submit, so, for example:
<script>
function validateAndSubmit()
{
var thing1 = document.getElementsByName("thing1")[0];
var thing2 = document.getElementsByName("thing2")[0];
if (thing1.value.length > 0 && thing2.value.length > 0)
{
document.forms["mythingform"].submit();
}
}
</script>
The JavaScript function here will only call submit on the form when the inputs are not empty.
In terms of stopping someone from accessing this without permission:
<?php
// Refuse to continue unless the field was sent and is non-empty
// (the original had an unbalanced parenthesis after isset(...)).
if (!isset($_REQUEST['myvariable']) || empty($_REQUEST['myvariable']))
    die("Please make sure the form has been submitted properly with all required information");
Using die in this will terminate execution of the script any further; you can also use exit, and both allow you to have a "termination message" attached to them as part of the stoppage process.
$_REQUEST isn't the safest of options, but it permits you to use GET or POST methods from forms to be able to retrieve and use data.
Use if (empty($_POST['your_field']))
So if a post or get query reaches your php script, empty will check if the field is empty or not.
So something like this:
if (empty($_POST['your_field'])) {
echo 'Field xxx should not be empty';
}
Although isset would be better, since if they just go to the link, your POST and GET variables are empty. So something like this is kinda foolproof:
if (!isset($_POST['your_field']) || empty($_POST['your_field'])) {
echo 'Field xxx should not be empty';
}
Didn't think I'd need a separate piece of code for GET, but ok.
if (!isset($_GET['your_field']) || empty($_GET['your_field'])) {
echo 'Field xxx should not be empty';
}
For blank form submission you can use JavaScript validation, jQuery validation, or PHP validation to avoid blank form submission.
Simple example:
// Wrapped in a function so it can be used as the form's onsubmit handler
function validateForm() {
  var x = document.forms["myForm"]["fname"].value;
  if (x == "") {
    alert("Name must be filled out");
    return false;   // returning false cancels the submission
  }
  return true;
}
Validation library: https://jqueryvalidation.org/documentation/
Example:
$("#myform").validate({
submitHandler: function(form) {
// some other code
// maybe disabling submit button
// then:
$(form).submit();
}
});
I hope it helps.
(1) there should be no danger from someone 'just entering' the URL in their browser - the back-end code is supposed to respond only to POST, not to GET (entering a URL in a browser makes it issue a GET request for the given URL).
(2) the quoted example code already includes client-side validation (including checks for empty fields), so if someone legitimately uses your entry form, they will not be able to send a blank form.
(3) all that remains is to protect the back-end code from accidental or malicious posting of empty forms (and any other use that is undesirable). The example PHP code doesn't have any checks; you should add some, like the isset(...) or empty() checks suggested in another answer here.
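Putting the two points together (the first answer's die()/exit() checks and this answer's point that the back end should respond only to POST), here is an added example of what a savething.php handler could look like. It is not code from the question or from any of the answers; the field names thing1 and thing2 come from the question's form, and everything else (the function names, the status codes, the sample requests) is assumed for illustration.

```php
<?php
// Added example: a savething.php handler that refuses anything but POST and
// validates required fields server-side. Not part of the original answers.
declare(strict_types=1);

/**
 * Return the names of required fields that are missing or blank in $data.
 * Uses isset() plus trim() !== '' rather than empty(), because empty('0')
 * is true and would wrongly reject a legitimate value of "0".
 */
function missing_fields(array $data, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        if (!isset($data[$name]) || !is_string($data[$name]) || trim($data[$name]) === '') {
            $missing[] = $name;
        }
    }
    return $missing;
}

/**
 * Decide how to respond: returns [HTTP status, message].
 * A GET (someone typing the URL into the address bar) is refused outright;
 * a POST is accepted only when every required field is present and non-blank.
 */
function handle_request(string $method, array $post): array
{
    if ($method !== 'POST') {
        return [405, 'Method not allowed: submit the form instead of opening this URL directly'];
    }
    $missing = missing_fields($post, ['thing1', 'thing2']);   // fields from the question's form
    if ($missing !== []) {
        return [400, 'Missing required field(s): ' . implode(', ', $missing)];
    }
    return [200, 'Saved'];
}

if (PHP_SAPI !== 'cli') {
    // Running under a web server: answer the real request.
    [$status, $message] = handle_request($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    if ($status !== 200) {
        exit($message);   // exit() with a string prints it and stops, exactly like die()
    }
    // ... persist $_POST['thing1'] and $_POST['thing2'] here (use a prepared statement) ...
    echo $message;
} else {
    // Running from the command line: walk through a few constructed sample requests.
    $samples = [
        ['GET',  []],
        ['POST', ['thing1' => 'a']],                    // thing2 missing
        ['POST', ['thing1' => '0', 'thing2' => '  ']],  // thing2 blank after trim
        ['POST', ['thing1' => '0', 'thing2' => 'b']],   // "0" is a valid value
    ];
    foreach ($samples as [$method, $post]) {
        [$status, $message] = handle_request($method, $post);
        echo "$method " . json_encode($post) . " -> $status $message\n";
    }
}
```

Run it with `php savething.php` to see the four sample decisions (405, 400, 400, 200); under a web server the same handle_request() function drives the real response. The logic lives in a function that takes the method and the fields as arguments rather than reading the superglobals directly, which is what makes it testable without a browser.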
First you can use the required attribute on mandatory fields for client-side:
<input type="text" name="mandatory_field" required>
But you will need to verify server-side in case the user modified the form. You can use empty() on any variable ($_POST or $_GET):
if (empty($_POST['mandatory_field'])) {
// print error message or redirect to form page
}
You can use isset() to verify if a field is submitted. Your validation could be:
if (!isset($_POST['mandatory_field']) || empty($_POST['mandatory_field'])) {
// print error message or redirect to form page
}
Other cases:
If all fields are mandatory you could check with in_array():
// Third argument makes the comparison strict: with the default loose
// comparison, in_array(false, $_POST) would also match a value of "0".
if (in_array('', $_POST, true)) {
// print error message or redirect to form page
}
If doing various data validation, here is what I usually do with forms:
$errors = [
'empty field' => empty($_POST['field']),
'another error message' => $another_condition
];
if (in_array(true, $errors)) {
$error_message = array_search(true, $errors);
// print or redirect, and you can tell the user what is wrong
}
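The $errors-array idea above generalizes into a small rule table where each field has an ordered list of checks and the first failing message is collected per field, so the user can be told everything that is wrong in one round trip. The following is an added example, not the answer's own code; the form fields (name, age, email), the rule builders and the sample inputs are all constructed for illustration.

```php
<?php
// Added example: rule-table validation that collects one message per failing
// field. Not part of the original answer; field names and rules are made up.
declare(strict_types=1);

/**
 * Validate $input against $rules and return ['field' => 'message', ...] for
 * every failing field; an empty array means the input is valid.
 * Each rule is a callable receiving the raw value (null when absent) and
 * returning true when it passes. Comparisons are strict so that "0" counts
 * as a filled field, unlike empty() or a loose in_array(false, $_POST).
 */
function validate(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $checks) {
        $value = $input[$field] ?? null;
        foreach ($checks as $message => $check) {
            if ($check($value) !== true) {
                $errors[$field] = $message;
                break;   // report only the first failing rule for this field
            }
        }
    }
    return $errors;
}

// Reusable rule builders (assumed names).
function required(): callable
{
    return fn($v) => is_string($v) && trim($v) !== '';
}

function max_length(int $n): callable
{
    // strlen() counts bytes; use mb_strlen() if you need a character count.
    return fn($v) => is_string($v) && strlen($v) <= $n;
}

function matches(string $pattern): callable
{
    return fn($v) => is_string($v) && preg_match($pattern, $v) === 1;
}

// Rule table for a hypothetical sign-up form; order within a field matters.
function signup_rules(): array
{
    return [
        'name'  => [
            'Name must not be empty'          => required(),
            'Name is too long (max 50 bytes)' => max_length(50),
        ],
        'age'   => [
            'Age must not be empty'           => required(),
            'Age must be a whole number'      => matches('/^\d{1,3}$/'),
        ],
        'email' => [
            'Email must not be empty'         => required(),
            'Email address is not valid'      => fn($v) => is_string($v)
                && filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
        ],
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions (what $_POST would contain).
    $samples = [
        ['name' => 'Ann', 'age' => '0', 'email' => 'ann@example.com'],  // valid; "0" is accepted
        ['name' => '   ', 'age' => 'abc'],                                // blank name, bad age, no email
    ];
    foreach ($samples as $s) {
        print_r(validate($s, signup_rules()));
    }
}
```

In a real handler you would call validate($_POST, signup_rules()) and, if the result is non-empty, print the messages or redirect back to the form; only when it is empty does the request proceed to storage. Because every check returns a strict boolean, the array_search(true, $errors) trick from the answer is no longer needed: the returned array already maps each bad field to its message.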