  1. #1
    Regular Coder
    Join Date
    Jan 2006
    Posts
    243
    Thanks
    14
    Thanked 2 Times in 2 Posts

    Form validation questions

    I'm playing around with a very simple php guestbook (www.kirl.nl/Guests.php) which does a very basic input check, but I want to do it in java, for several probably obvious reasons.

    Writing the actual form validation is no problem, but I'm not sure how I can control whether the info should be sent or not. I'll place the form code so you can see how it functions.

    Code:
    <form method="post" id="guestForm" action="guestbook.php">
       <div><label for="Name">Name:</label> <input type="text" id="Name" name="Name" /></div>
       <div><label for="Website">Website:</label> <input type="text" id="Website" name="Website" /></div>
       <div><label for="Comments">Comments:</label><br /> 
       <textarea id="Comments" name="Comments" class="input" rows="3" cols="45"></textarea></div>
       <div><input type="submit" value="Submit" /></div>
    </form>
    The submit button would call a function instead so, how do I tell Javascript to submit this form? What would that command look like?

    Thanks
    Last edited by Kirl; 11-30-2006 at 09:17 PM.

  • #2
    Senior Coder nikkiH's Avatar
    Join Date
    Jun 2005
    Location
    Near Chicago, IL, USA
    Posts
    1,973
    Thanks
    1
    Thanked 32 Times in 31 Posts
    You know all the problems with relying on client-side script to validate a form, right?

    That said:
    <form onsubmit="return myValidationFunction(this);" ...

    is the best way to do it.
    Otherwise, people can't submit your form without script enabled, which is generally considered bad practice.

    If you insist on breaking the form for those who don't have script (such as readers for the blind, etc):

    <input type="button" ... onclick="mySubmitFunction(this)" ...

    in mySubmitFunction:
    function mySubmitFunction(btn)
    {
    ...
    btn.form.submit();
    }

    If this post contains any code, I may or may not have tested it. It's probably just example code, so no getting knickers in a bunch over a typo, OK? If it doesn't have basic error checking in it, such as object detection or checking if objects are null before using them, put that in there. I'm giving examples, not typing up your whole app for you. You run code at your own risk.
    Bored? Visit
    http://www.kaelisspace.com/

  • #3
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,029
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    <form method="post" id="guestForm" action="guestbook.php" onSubmit="return validateForm(this.Submitbutton)">
    <div><label for="Name">Name:</label> <input type="text" id="Name" name="Name" /></div>
    <div><label for="Website">Website:</label> <input type="text" id="Website" name="Website" /></div>
    <div><label for="Comments">Comments:</label><br />
    <textarea id="Comments" name="Comments" class="input" rows="3" cols="45"></textarea></div>
    <div><input type="submit" name = "Submitbutton" value="Submit" /></div>
    </form>

  • #4
    Regular Coder
    Join Date
    Jan 2006
    Posts
    243
    Thanks
    14
    Thanked 2 Times in 2 Posts
    Quote:
    You know all the problems with relying on client-side script to validate a form, right?
    I don't actually...


    Thank you both for the help!

    I actually forgot about noScript browsers, thanks for reminding me. I'm going to handle validation on the fly then, not on submit but onChange (textbox) or something similar.

    If I decide to go this way, is there any way (while keeping functionality for NOSCRIPTers) I can prevent a submit when a user ignores the warning messages?

  • #5
    Senior Coder nikkiH's Avatar
    Join Date
    Jun 2005
    Location
    Near Chicago, IL, USA
    Posts
    1,973
    Thanks
    1
    Thanked 32 Times in 31 Posts
    The only way to prevent form submission is to refuse it on the client. If it hits the server, it was already submitted. What you do is prevent updates or other actions if data is bad.

    That's what server-side validation (your PHP code) is for.

    Not just problems for noscript, though, but a malicious person could turn off script to get around your validation, then enter something like this in one of your text fields. If you didn't prevent SQL injection attacks, you could be very vulnerable.

    They can enter something like:
    '; drop database --

    for fun times
    Look up SQL injection attacks for more info.
    Always validate your fields, and form your SQL statements appropriately, to prevent this sort of thing.

    You can prevent it for the users who have script enabled by using the method I showed you, and your function returns false. If onsubmit handler returns false, the form does not submit.
    Again, this is a courtesy to users with script, so they don't have to wait for a server response. Do not rely on it, as users only have to disable script and they enter anything they want.

    One more note: tying submit to a normal button instead of a submit button will not prevent users without script from submitting a form to your server. All they have to do is make their own form (copy your source), change it, save it to THEIR computer or server, and submit it. ALWAYS protect your database on the server side.
    Last edited by nikkiH; 11-30-2006 at 10:43 PM.

    If this post contains any code, I may or may not have tested it. It's probably just example code, so no getting knickers in a bunch over a typo, OK? If it doesn't have basic error checking in it, such as object detection or checking if objects are null before using them, put that in there. I'm giving examples, not typing up your whole app for you. You run code at your own risk.
    Bored? Visit
    http://www.kaelisspace.com/
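
Added example, not written by any poster in this thread: one way to fill in the validation function that the `onsubmit="return ..."` forms in posts #2 and #3 call, in line with the point in post #5 that returning false only stops the submit for visitors who run script. The field names come from the form in post #1; the function bodies, the length limits and the http(s)-only Website rule are assumptions.

```javascript
// Added example. The length limits and the http(s)-only rule are assumptions.
const LIMITS = { Name: 50, Comments: 2000 };

// Pure check on plain strings: returns { fieldName: message } per problem.
// No DOM access here, so the same rules can be mirrored in guestbook.php,
// which is the check that actually protects the stored data.
function validateGuestEntry(fields) {
  const errors = {};
  const name = String(fields.Name || "").trim();
  const website = String(fields.Website || "").trim();
  const comments = String(fields.Comments || "").trim();

  if (name === "") errors.Name = "Please enter your name.";
  else if (name.length > LIMITS.Name) errors.Name = "Name is too long.";

  if (website !== "") { // optional field
    let url = null;
    try { url = new URL(website); } catch (e) { /* not an absolute URL */ }
    if (!url || (url.protocol !== "http:" && url.protocol !== "https:")) {
      errors.Website = "Website must start with http:// or https://.";
    }
  }

  if (comments === "") errors.Comments = "Please enter a comment.";
  else if (comments.length > LIMITS.Comments) errors.Comments = "Comment is too long.";

  return errors;
}

// Handler for <form ... onsubmit="return validateForm(this);">.
// Returning false cancels the submit, but only in browsers that run script.
function validateForm(form, notify = (msg) => alert(msg)) {
  const errors = validateGuestEntry({
    Name: form.elements.Name.value,
    Website: form.elements.Website.value,
    Comments: form.elements.Comments.value,
  });
  const bad = Object.keys(errors);
  if (bad.length === 0) return true;
  form.elements[bad[0]].focus(); // put the cursor on the first problem field
  notify(bad.map((f) => errors[f]).join("\n"));
  return false;
}
```

The string quoted in post #5 passes these checks as an ordinary comment, so checks like these do not replace forming the SQL statement safely in guestbook.php.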

  • #6
    Regular Coder
    Join Date
    Jan 2006
    Posts
    243
    Thanks
    14
    Thanked 2 Times in 2 Posts
    Thanks for the advice, I've read up on sql injection but it strikes me as something to be of little use on a personal site like mine, something to annoy at most. I do not have extremely sensitive info anywhere on my server, nor would they have anything to win by hacking it (except pride of course).

    As far as I understand the worst damage would probably be restricted to a dropped Guestbook entry file?

    My main question here is if I can just put it up on my site while experimenting, or would that be careless?

    Thanks.

  • #7
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,029
    Thanks
    203
    Thanked 2,539 Times in 2,517 Posts
    Apart from hackers and the risk of the database being destroyed, most guestbooks are plagued by infants, loonies and spammers who post completely inappropriate material. Unless your guestbook is moderated (postings pre-approved) then you are likely to find it a drag.

