I have an online game site, that submits users' records and displays them in site score board.
But, some users like to be #1 (!) and they create a form with my "action" and "method" forms that are for submitting.
Here is my form:
<form action="submit.php" method="post" id="form">
<input type="hidden" id="time" name="time">
<input type="hidden" id="name" name="name" value="<?php echo $_SESSION['name']; ?>">
</form>
And here is js that runs at the end of the game:
document.getElementById("time").value=finaltime;
document.getElementById("form").submit();
"submit.php" inserts $_POST['time'] and $_POST['name'] into mysql database.
So, How can I prevent users to submit their own created form?
In another meaning, how can I find the origin of the submitted form in "submit.php" ?
As far I as I am aware, there's no way to tell from which domain a record has been inserted into a database, unless the webpage passes that information when inserting. However, people aren't able to just insert into a database, if that's your concern. when they connect to the database they should require a username and password first (assuming you have that set-up). Here's how PHP connects to a database:
mysqli_connect("domain.com","username_here","password_here","database_here");
Even then, they still need to provide which table to insert the information into.
Related
EDIT: I should mention the form submits fine manually but with the javascript nothing seems to happen
I'm trying to get a form to autosubmit on page load and then redirect the user. Reason for this is this is part of a PHP page and the data needs to go into my database but then also POST the variables to a 3rd party SMS platform then return to the users dashboard.
My form looks like this:
<html>
<form action="https://www.example.com" id="myForm" method ="POST">
<input type="hidden" name="apiKey" value="withheld">
<input type="hidden" name="message" value="<?php echo $club_name ?> have requested you to play for them this weekend. Please login to your account to see more information and accept.">
<input type="hidden" name="to" value="<?php echo $to ?>">
<input type="hidden" name="from" value="withheld">
<input type="submit" name="submit" id="submit" value="Submit">
</form>
</html>
This seems to work fine so I assume the Javascript is incorrect which is:
<script>
document.getElementById('myForm').submit();
window.location.replace("https://www.example.com");
</script>
You have to use a different name than
name="submit"
as all name attributes are set as properties on the form,
hence overriding the default "submit" property on the form,
and the default form method "submit()" is gone.
https://developer.mozilla.org/de/docs/Web/API/HTMLFormElement
"Named inputs are added to their owner form instance as properties, and can overwrite native properties if they share the same name (eg a form with an input named action will have its action property return that input instead of the form's action HTML attribute)."
In your code window.location.replace("https://www.example.com"); line won't make sense because submit() function will try to submit the form and will change the page and then replace function will prevent submitting the form and will redirect the page. The right way to do this via js can be, submit the form via ajax and in the success callback of Ajax run document.getElementById('myForm').submit()
I have a registration form wherein one of the field is username which needs to be unique. So, I am checking it first in my database before insert proceeds. If username exists, I put the below line. My problem is after clicking OK, it refreshes the page and clears all the inputted data of the user. I know I can use return false but how do I put this on my echo?
else if(mysql_num_rows($result)>0)
{
echo '<script>alert("Username is not available")</script>';
}
else
{
insert goes here
<form id="appform" action="register.php" method="post" onsubmit="return validateform('appform');">
<input type="text" class="textarea1" name="stdname" size="30" onkeyup="isallnospace(this)" /> .
}
You are validating in the worst way possible. If you want to validate using both client side and server side script, please use ajax.
Uses of Ajax:
Update a web page without reloading the page
Request data from a server - after the page has loaded
Receive data from a server - after the page has loaded
Send data to a server - in the background
For more details, visit AJAX Tutorial
best way is to check with ajax before submit, but if you want you can add the $_POST values to the form when it returns to it like so
<input type="text" name="username" value="<?php if(isset($_POST['username'])){echo $_POST['username'];}?>" />
In many sites, I have seen after clicking on "Sign Up" or "Register" button we are either re-directed to other page where the insertion of our data in database takes place. Like in Facebook, when you click "Sign Up" it goes to the facebook.com/r.php page. I want to create a registration form which when submitted, will be not re-directed but will validate and insert data in database in the same page.
For example, Facebook uses a form such as:
<form id="xyZ" name="abc" method="post" action="r.php">
It redirects us from index.php to r.php.
But I want to use:
<form id="xyZ" name="abc" method="post" action="index.php">
i.e Without redirecting.
Which one is safe?
Redirecting does not effect the security of the website at all in the slightest. I recommend taking a look here about possible authentication solutions you can use for your site.
Whether you authenticate and log them in/register them using index.php or r.php, it doesn't matter in the slightest. Forum systems such as phpbb used to at one time to everything in the index.php file, and depending on the ?page $_GET variable, it would display different things (Like a login form, or a registration form). How you handle it, is entirely up to you, but neither method is more insecure than the others.
Both are safe!
Redirect method, kind of link using which user redirects to another page where they can register
Ajax Method, here you can make calls using Javascript / jQuery which returns you html source, which you can just plug in appropriate place.
Your Page where you need your registration form to be displayed, when user click on sign up link
<div id="ajax-response"></div>
<a id="signup" href="signup.php">SignUp</a>
<script type="text/javascript">
jQuery("#signup").on('click', function(e){
e.preventDefault();
var _context = this;
jQuery.ajax({
url: jQuery(_context).attr('href'),
success: function(response){
jQuery("#ajax-response").html(response);
}
})
})
</script>
and signup.php, will contain the registration form
<form>
<input type="text" name="fname">
<input type="text" name="lname">
<input type="text" name="email">
<input type="submit" />
</form>
I have three jsp pages and a spring controller.LoginForm.jsp,userAccount.jsp and AccountSummary.jsp.LoginForm will send data to userAccount which has an iframe.userAccount has links in it.Onclicking on one of the link AccountSummary page is displayed in the iframe of userAccount.
Now i need to pass the form data that is sent to the parent to the controller again if Accountsummary link is clicked.Then AccountSummary page is displayed in the iframe.Here the controller will validate the values and send appropriate data to account summary which will then be displayed
I tried adding the below code:
userAccount.jsp
Account Summary
<form action="/MyBankProject/AccountSummary" method="post" target="frame1" id="myForm">
<input type="hidden" name="userName" value="${userName}"/>
<input type="hidden" name="password" value="${password}"/>
</form>
<script>
function myfunc() {
document.getElementById("myForm").submit();
}
</script>
In the above code i am trying to take the form values sent to the parent, userName and password .And making them hidden and submitting so that controller will receive those values.But in vain the values are not passed to the controller.i couldn't figure out where i made a mistake.
I am new to javascript .I feel i explained the problem i am facing.kindly help me and let me know if i missed in conveying the problem.
Is there anything i missed.
I've got a working PHP form that I've built and it contains 5 fields which are pre-populated by a URL query string.
The query string URL is on a hyperlink on an HTML email asking the recipient to click here to make a booking. I've got their details already because I've sent them the email, hence why the form get pre-populated.
How can I get the form to instantly submit on page load and redirect to the thank you page?
Here's how my form looks at the moment:-
<form name="frm" id="frm" method="POST">
<input name="firstname" id="firstname" type="text" value="<?php echo ((isset($_GET["firstname"]))?htmlspecialchars($_GET["firstname"]):""); ?>" />
<input name="lastname" id="lastname" type="text" value="<?php echo ((isset($_GET["lastname"]))?htmlspecialchars($_GET["lastname"]):""); ?>" />
<input name="email" id="email" type="text" value="<?php echo ((isset($_GET["email"]))?htmlspecialchars($_GET["email"]):""); ?>" />
<input name="company" id="company" type="text" value="<?php echo ((isset($_GET["company"]))?htmlspecialchars($_GET["company"]):""); ?>" />
<input name="contactid" id="contactid" type="text" value="<?php echo ((isset($_GET["contactid"]))?htmlspecialchars($_GET["contactid"]):""); ?>" />
<input type="submit" name="Submit" value="submit" />
</form>
And here's the JavaScript I've tried (but didn't work):-
window.onload = function() {
setInterval(function(){
document.getElementById("frm").Submit();
},5000);
}
Here's a pastebin of the whole page: http://pastie.org/private/lgpealjya8xrwqi78gropw
Thanks
Alright so basicaly you have been trying to get information through url, insert them in a form and then submit the form so you can send an email. This is all quite nice although you're just making things harder than they are.
You you need to do is wipe off the form (we don't need this really) and instead of processing all those $_POST information you wanted to get off the form, you gonna do that with the $_GET array you already got off the url, at the end of the day it's exactly the same since the informations you're inserting in the form are only the ones you're getting off the url.
So if you change this the following way, youe script will work just fine :
//Get the submitted data
$firstname = cleanText($_GET['firstname']);
$lastname = cleanText($_GET['lastname']);
$email = cleanText($_GET['email']);
$company = cleanText($_GET['company']);
$contactid = cleanText($_POST['contactid']);
So here is what's gonna happen : the user is going to clic on a link, your script is going to get the $_GET array, process it, send the email based on this array, and this send the user to the thankyou.php page. Note that you could get your script to be more efficient and save the user some time if you insert your script in the thankyou.php.
Last but not least I would like to point out to you that it's not very good practice to get an email sent on url submission... you could end up having a bot send massive amounts of emails through this url and get you email blacklisted. If I were you I'd either control the ip and make sure only 1 mail is sent every 10 minutes or whatever time suits your needs best, or i'd add a captcha to the page so the user would need to show he's a human being who actualy wants to waste some time sending email.
try using: document.getElementById('frm').submit(); instead of document.getElementById('frm1').submit();
and also make it execute once the page has been loaded:
window.onload=function(){
document.getElementById('frm').submit();
}