form validation on the same page

3

Hello, for a form that is validated on the same page, what is more secure as the value for the HTML action attribute? Thank you.

    <form method="post" action="">
    <!-- or -->
    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
  • 4

    The action is a URL. It has to be a valid URL value, a destination that the server accepts. I don’t see why to use htmlspecialchars() or why one would think it is not safe.

  • I suggest you look into jQuery + Ajax; besides doing the same thing, it is more elegant for the user, and you do not need to refresh the page.

  • 1

    Hello Nilson, it is not clear what your question is. What are you trying to do by passing the URL through htmlspecialchars?

  • The goal is that error messages, or successful sending, remain on the same page. But, it seems that I should search better, to avoid refreshing the page as suggested. Thank you.

  • @Nilson see this basic example of use. http://forum.imasters.com.br/topic/514131-mailing/

  • Yes, I will study that example, thank you. A question: in this case, does the PHP script that validates the form not need to be on the same page as the form? My doubt began when trying to do this as described in the example, based on studies done here http://www.w3schools.com/php/php_form_validation.asp, and finding that using htmlspecialchars($_SERVER["PHP_SELF"]) would avoid third-party manipulation of the URL, since the value assigned to the action, in this case, would come from the current URL. And then, searching further, I found this other way, action="", which they said was safer. OK, I’m going to study more.

  • @Nilson there is no way to avoid handling anything that comes from the user’s side. The application (server side) must always be prepared for this.

  • @Nilson the action doesn’t need to be the same page. The form doesn’t even need an action, depending on how you make the Ajax request.

  • 1

    @Rafaelmenabarreto, I will study Ajax. I wanted some direction and got it with your help, thank you.


2 answers

4

First: don’t overcomplicate things.

Second: it’s not a question of which is better; you must know what each one does.

htmlentities encodes special characters, so that it is not possible to inject tags or some JS.

Leaving the action attribute empty causes the page to refer to itself. So do not waste functions by using them where they are not needed, because what PHP_SELF does is return the name of the file that is running the script, so if there is no QUERY_STRING, why should I use htmlentities or urlencode? You simply should not, because the main reason to use them is to return these values in the right format, so that they can be used without problems, and that need does not exist in this case.

An example of this is:

<?php
    // sample value, added so the snippet runs stand-alone; not in the original answer
    $data = 'a value with spaces & special chars';
    // urlencode() makes $data safe inside the query string;
    // htmlspecialchars() then makes the whole URL safe inside the HTML attribute
    echo '<a href="' . htmlspecialchars("/nextpage.php?stage=23&data=" .
        urlencode($data)) . '">' . "\n";
?>

The URL contains parameters, so it has special characters that need to be escaped, but what does urlencode do there? It does what it does: when you want to pass the value of a variable as part of a URL, that’s where it becomes useful.

I would say what a lot of people normally say in situations like this: use any JS library, or simply use JS, and your problem goes away.

It would be easy to think so: due to technological advances even the simplest sites use JavaScript, and most of the devices currently used to access these sites also support JavaScript. But it is what it is: JavaScript can fail, time and again, and there are times when some simply prefer not to use it, but that is another perspective.

Take a closer look at your priorities, and look for a solution that suits you.

If you want to read more about some of these processes, here are some pages I recommend:

  • Thanks for the suggestion, I will continue studying, and when I am better prepared, I’ll return here.

  • Try working with practical examples, it is better to understand the behavior of these functions and attributes.
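The htmlspecialchars($_SERVER["PHP_SELF"]) pattern from the question, as an added example that is not from the original post or either answer: it assumes a constructed PHP_SELF value carrying extra path info after the script name, and shows the raw, escaped and empty action attributes side by side, with a check that only one tag ends up in the markup.

```php
<?php
// Added example, not code from the original question or answers.
// PHP fills $_SERVER["PHP_SELF"] from the request path, which may carry extra
// path info after the script name (e.g. /form.php/extra), so its content is
// influenced by the client. The value below is a constructed sample request.
$_SERVER["PHP_SELF"] = '/form.php/"><injected>';

// Unescaped: the value is dropped straight into a double-quoted attribute.
function actionRaw(): string
{
    return '<form method="post" action="' . $_SERVER["PHP_SELF"] . '">';
}

// Escaped: ENT_QUOTES covers both quote styles, and the charset is stated
// explicitly so the default cannot vary between PHP versions.
function actionEscaped(): string
{
    $self = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// Simplest for "validate on the same page": an empty action submits to the
// current URL, and no server-provided value reaches the markup at all.
function actionEmpty(): string
{
    return '<form method="post" action="">';
}

// Check: the markup should contain exactly one tag, the <form> itself.
// A second '<' means the attribute was closed early and new markup appeared.
function isSingleTag(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

$variants = ['raw' => actionRaw(), 'escaped' => actionEscaped(), 'empty' => actionEmpty()];
foreach ($variants as $name => $html) {
    printf("%-8s %s\n         single tag: %s\n", $name, $html, isSingleTag($html) ? 'yes' : 'no');
}
```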

1

It doesn’t matter. The action does not influence client-side validation. Page validation is usually done in JS, and PHP has little role in it.

In this case, a great option is jQuery Validation. See it working here.
