The Web Design Group

... Making the Web accessible to all.

Welcome Guest ( Log In | Register )

3 Pages V < 1 2 3 >  
Reply to this topicStart new topic
> Validating 'required' form page data for save to database, Saving by php code file after succesful validation. Success message on
Christian J
post Jan 14 2019, 03:31 PM
Post #21


.
********

Group: WDG Moderators
Posts: 8,238
Joined: 10-August 06
Member No.: 7



QUOTE(Freddz @ Jan 14 2019, 07:58 PM) *

How can be detected that the 'required' attribute is fulfilled? (that any mandatory field is set)

The REQUIRED attribute just makes the browser check that the form field is not empty. If the field is empty, the browser refuses to submit the form. The REQUIRED attribute is only meant as an aid for the user/visitor, it should not be relied upon by site owners for security.

QUOTE
I suppose that there is a page submission as soon as 'required' is fulfilled from all the field elements. Isn't that correct??

To be exact: the browser then no longer refuses to let the user submit the form. But the user still needs to submit by himself...

QUOTE
So then the php script to make an db insert has to be started. That's it, isn't it?

If you trust the user, yes (note that spam bots and malicious users can easily avoid the REQUIRED attribute).

QUOTE
So isset should not be really necessary!?...

In my example isset() was used to let the PHP script know if the form data should be written to the database, or if a HTML form should be created for the user. You could also use isset() to double-check the submitted form data.

QUOTE
Instead shouldn't e.g. the following architecture generally work then?...

Only if the "DBinsert code" is Ajax. If you don't use Ajax, the PHP script needs to know if the form is yet submitted or not --you don't want the PHP script to try to write to the database before the user has submitted the form...

QUOTE
a function is executed via onSubmit event which contains the DBinsert php script.
So why shouldn't that work fulfilling all my client-side conditions, Christian?...

It doesn't work because PHP runs on the server as soon as the URL is requested. Javascript runs in the browser after the page has been sent by the server, been loaded in the browser, and the user has fired the onsubmit event. The only way javascript can control when PHP is run is by using Ajax, or by using javascript to load a separate page (say in an iframe) that in turn contains PHP.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Jan 14 2019, 03:36 PM
Post #22


.
********

Group: WDG Moderators
Posts: 8,238
Joined: 10-August 06
Member No.: 7



QUOTE(CharlesEF @ Jan 14 2019, 08:19 PM) *

Also, 'onSubmit' isn't a valid form attribute, well it is a valid event.

Isn't it both? https://www.w3.org/TR/html/sec-forms.html#example-5b22c23a unsure.gif
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
CharlesEF
post Jan 14 2019, 04:44 PM
Post #23


Programming Fanatic
********

Group: Members
Posts: 1,672
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



QUOTE(Christian J @ Jan 14 2019, 02:36 PM) *

QUOTE(CharlesEF @ Jan 14 2019, 08:19 PM) *

Also, 'onSubmit' isn't a valid form attribute, well it is a valid event.

Isn't it both? https://www.w3.org/TR/html/sec-forms.html#example-5b22c23a unsure.gif

Yes, it is. I was trying to tell the OP that is wasn't needed. Just use the action attribute.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 14 2019, 06:09 PM
Post #24


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



Hello Charles.
Thank you for your time!
My goal is:
1) The 'required' verification process like you described before (works fine already).
2) If form element is selected a php script (file) should be executed (to save the form data into a database (script works fine already!) and
3) a success window/message should be shown (NOT in a separate page!).

This is why I left the action attribute empty but used the event onsubmit.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 14 2019, 06:23 PM
Post #25


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



Would you please show me the code that uses Ajax? This way this problem should be solved.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
CharlesEF
post Jan 14 2019, 09:19 PM
Post #26


Programming Fanatic
********

Group: Members
Posts: 1,672
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



QUOTE(Freddz @ Jan 14 2019, 05:23 PM) *

Would you please show me the code that uses Ajax? This way this problem should be solved.

I can post another AJAX example but I need to know if the PHP script uses $_GET or $_POST method. I 'assume' it uses $_POST but I want to double check. You should know that if you use ajax then you must write code to validate any required fields and you will need to clear the fields once the PHP script is done. As for the success window/message that depends on how the PHP script was written. Can you attach the file or post the code?
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 15 2019, 02:14 AM
Post #27


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



Hello Charles.
Yes, I use POST.
The PHP script is written like this:
++++++++++++++++++++++
$conn = new mysqli(...);
$sql = "INSERT INTO ... VALUES ('" . $_POST["Name"] . "', '" ... );"
$conn->query($sql);
++++++++++++++++++++++

I can put this script also into the HTML form page code if it is more difficult with a php file.

But as I said: Main condition is that the fields are validated by attribute 'required' !! I assume that such a solution should exist!
If this regardless isn't possible I begin to ask myself why this attribute is existing. My process (saving the form data to a database afterwards) is really a standard one!!

I also expected that if a page is been submitted that the form elements are resetted. However, to reset them manually wouldn't be a problem.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 15 2019, 02:32 AM
Post #28


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



If it means that we cannot use a function (javascript) because in this function a php code cannot be implemented directly but just via Ajax (which limits the possibilities) we still could use isset instead, couldn't we?
Cause then we may not need a function but can put the isset php code directly into the HTML code anywhere, right?...
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 15 2019, 03:52 AM
Post #29


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



Ah, this is also not possible, right?
isset can only be used within a php page file but cannot be nested into a html file!?.

I once created the site with Netobjects Fusion Elements. This doesn't support php page files but only html pages.
So do I only have the chance to use cgi script code to save form data of an html page file into a database (if I want to continue to work with NOF)?...

Or I have to use the action attribute to execute a php code but then have to accept that the success message cannot be displayed by a simple alert message window but only by a separate new page that "Action='dbinsert.php'" created?...

This post has been edited by Freddz: Jan 15 2019, 04:01 AM
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Jan 15 2019, 07:03 AM
Post #30


.
********

Group: WDG Moderators
Posts: 8,238
Joined: 10-August 06
Member No.: 7



QUOTE(Freddz @ Jan 15 2019, 08:14 AM) *

$sql = "INSERT INTO ... VALUES ('" . $_POST["Name"] . "', '" ... );"

The above is very dangerous, to avoid SQL injection exploits you should never use raw form data (such as $_POST) in the database query before sanitizing it. The sanitation must be done by the PHP script, not by the HTML form.

QUOTE

I can put this script also into the HTML form page code if it is more difficult with a php file.

I think that would be the simplest solution.

QUOTE

But as I said: Main condition is that the fields are validated by attribute 'required' !! I assume that such a solution should exist!

Yes, but it only works on the client-side (the browser), so it can't be trusted for security.

QUOTE

If this regardless isn't possible I begin to ask myself why this attribute is existing.

It's just meant as a convenience for users. As https://www.w3.org/TR/html/sec-forms.html#c...form-validation says, it "allows the user to avoid the wait incurred by having the server be the sole checker of the user’s input."

QUOTE(Freddz @ Jan 15 2019, 08:32 AM) *

If it means that we cannot use a function (javascript) because in this function a php code cannot be implemented directly but just via Ajax (which limits the possibilities) we still could use isset instead, couldn't we?
Cause then we may not need a function but can put the isset php code directly into the HTML code anywhere, right?...

Yes, but then you must submit the whole page (like in my first suggestion), so that the PHP can run on the server.

QUOTE(Freddz @ Jan 15 2019, 09:52 AM) *

Ah, this is also not possible, right?
isset can only be used within a php page file but cannot be nested into a html file!?.

PHP can be used in a .html file (if you configure the server that way). But PHP always run on the server before the file is sent to the browser (except when using Ajax).

QUOTE

I once created the site with Netobjects Fusion Elements. This doesn't support php page files but only html pages.
So do I only have the chance to use cgi script code to save form data of an html page file into a database (if I want to continue to work with NOF)?...

I don't know, but in general I advice against using WYSIWYG editors like these.

QUOTE

Or I have to use the action attribute to execute a php code

I assume you mean using different URLs for the form and PHP script?

QUOTE

but then have to accept that the success message cannot be displayed by a simple alert message window but only by a separate new page that "Action='dbinsert.php'" created?...

If the PHP page is loaded in an iframe, you can still make it produce an alertbox if that's what you want.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 15 2019, 09:23 AM
Post #31


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



See, Christian, we meanwhile have discussed about 4 or 5 methods an implementation could be done. Obviously at each method there is at least one disadvantage not fulfilling my early conditions. Isn't it?

It seems as if not even one of the following 4 can be used for my wished, quick solution!?...
1) If Action<>"" (Action ="dbinsert.php", the php file JUST contains the SQL commands!!) then a NEW page shows the success message.
2) If onsubmit is used in the form tag to execute a Javascript function which should contain the php script this is not allowed.
3) If using Ajax (to execute php code within a HTML page) attribute 'required' of the input elements cannot be used.
4) If isset is used to execute a php code within an html page file (on page submission) this is not allowed.

Is this summary correct so far??...

Only version 1 seems to work by fulfilling the 2 main conditions:
* using the attribute 'required' to make the client-sided validation
* afterwards using my php dbinsert code. (probably without page change)

See, this/my site is not a big and critical one. No big or confidential data in db.
And I want to finish this site quick - at least a first rough version. It can have some unsecurity.

Main point: It should work (by fulfilling the 2 conditions above) and it should be configurable at Netobjects. It is not a permanent solution, Christian. IF this site will be successful I (or any better programmer than me) will improve it anyway!

So you must not ask me about my code wishes. I just wish a working version fulfilling the upper conditions! That's it.
So which is your final suggestion fitting most, and forgetting your additional security considerations?...
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Jan 15 2019, 12:33 PM
Post #32


.
********

Group: WDG Moderators
Posts: 8,238
Joined: 10-August 06
Member No.: 7



QUOTE(Freddz @ Jan 15 2019, 03:23 PM) *

Obviously at each method there is at least one disadvantage not fulfilling my early conditions. Isn't it?

"Disadvantage" doesn't mean it's impossible. Number 1, 3 and 4 are quite possible to do with a little work.

QUOTE
1) If Action<>"" (Action ="dbinsert.php", the php file JUST contains the SQL commands!!) then a NEW page shows the success message.

Why not load dbinsert.php in an iframe on the form page, and let dbinsert.php write out the success message? That way the message will appear inside the iframe.

QUOTE
2) If onsubmit is used in the form tag to execute a Javascript function which should contain the php script this is not allowed.

Correct, javascript can't run PHP (except with Ajax).

QUOTE
3) If using Ajax (to execute php code within a HTML page) attribute 'required' of the input elements cannot be used.

It can: REQUIRED works with onsubmit, javascript and Ajax.

QUOTE
4) If isset is used to execute a php code within an html page file (on page submission) this is not allowed.

It is allowed: you can use isset and PHP if the form submission reloads the same page (such as when using ACTION=""). All it requires is enabling PHP in .html files, which is normally simple to do (ask your web host support).

(Here's another idea: 5) why not use my isset script, but at "../cgi-bin/DBinsert.php" from the start? That is, the user goes to DBinsert.php, fills out the form there, and when the form is submitted DBinsert.php writes to the database.)

QUOTE
See, this/my site is not a big and critical one. No big or confidential data in db.
And I want to finish this site quick - at least a first rough version. It can have some unsecurity.

It's up to you, but malware bots are continuously testing random sites for all kinds of known vulnerabilities. So a site doesn't need to be big to be a target. And even if your database contains nothing important it can still be manipulated to post malware on your web site, in which case search engines may blacklist it until you remove the malware.

QUOTE
So which is your final suggestion fitting most, and forgetting your additional security considerations?...

I'd use number 4, like I've said all along. tongue.gif Can't say what works with Netobjects though.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
CharlesEF
post Jan 15 2019, 01:58 PM
Post #33


Programming Fanatic
********

Group: Members
Posts: 1,672
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



Attached is an example of a $_POST Ajax function. It uses the 'onsubmit' event of the form. This allows the browser to handle all required elements and only perform the ajax call once all elements are filled in. Most modern browsers support this code but IE requires version 10 minimum. Also, IIS web server doesn't allow POST requests from HTML pages without making a configuration change.
Attached File  ajax_post.html ( 1.42k ) Number of downloads: 341
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 15 2019, 02:17 PM
Post #34


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



I assume your solution 5 cannot be used as Netobjects (NOF) doesn't support php files. (I would like to work at this site with NOF yet. However, I am just trying the free tool 'Blue Griffon' now...)
Now solution 3 could be an option as well. Cause before I understood from Charles' sentence "if you use ajax then you must write code to validate any required fields" I understood that attr. required is ignored here. But now you say it is not...

However, version 4 seems to be the best solution now. I agree to you.
Cause before I tried this version already but failed. Now you said that it may be my Apache configuration. VERY important!! Thanks. I will check that asap now...
If so this problem would have a quite simple solution then. Very fine. But it was a quite long way to here... ;-)

To your last alarming remarks about security. I doubt that I could edit this with NOF as well. However, I then would have to do it manually soon after version 4. So would you please show me already now by short code samples which kind of secure implementation (form page and db save process) would be satisfying here?

Thank you very very much, Christian! You are doing a VERY good 'job' with me !!!!!
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Jan 15 2019, 03:50 PM
Post #35


.
********

Group: WDG Moderators
Posts: 8,238
Joined: 10-August 06
Member No.: 7



QUOTE(Freddz @ Jan 15 2019, 08:17 PM) *

I assume your solution 5 cannot be used as Netobjects (NOF) doesn't support php files.

But ../cgi-bin/DBinsert.php is a PHP file already, yes? unsure.gif The only difference is that my PHP script would also output HTML code.

QUOTE
Now solution 3 could be an option as well. Cause before I understood from Charles' sentence "if you use ajax then you must write code to validate any required fields" I understood that attr. required is ignored here. But now you say it is not...

Maybe Charles meant that you should validate in the PHP script as well. unsure.gif

QUOTE
However, version 4 seems to be the best solution now. I agree to you.
Cause before I tried this version already but failed. Now you said that it may be my Apache configuration. VERY important!! Thanks. I will check that asap now...
If so this problem would have a quite simple solution then. Very fine. But it was a quite long way to here... ;-)

See also post #15... wink.gif

QUOTE
To your last alarming remarks about security. I doubt that I could edit this with NOF as well.

It's done in the PHP script.

QUOTE
So would you please show me already now by short code samples which kind of secure implementation (form page and db save process) would be satisfying here?

It may depend a little on your form fields. If you only use a SELECT menu, you might compare the user's submitted form data with a whitelist of allowed values (say only integers 1-5). If you have text fields it becomes trickier, this might be a start: http://php.net/manual/en/mysqli.real-escape-string.php

However I suspect Charles (or almost anyone) is better at this than me, so it's probably best I don't go into detail.

QUOTE
Thank you very very much, Christian! You are doing a VERY good 'job' with me !!!!!

You're welcome!
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
CharlesEF
post Jan 15 2019, 03:53 PM
Post #36


Programming Fanatic
********

Group: Members
Posts: 1,672
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



I forgot to say that you didn't post enough 'DBinsert' code for me to tell if you will get a response back from the ajax call. Also, in the 'DBinsert.php' file you should check to make sure every value needed is supplied in the $_POST array before doing the database insert.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 18 2019, 07:36 AM
Post #37


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



To solution 1: The idea with the iFrames is a good one. Unfortunately NOF does not seem to support iFrames.

To solution 3: See my answer to Charles.

To solution 4: This seems to be the easiest solution. But I didn't had time to ask my server provider yet... Will come back to this point soon.

To solution 5: I understood that the form page infos are within the dbinsert.php file. So you JUST work with this file but don't habe any html at all. But NOF doesn't support that. Did I misunderstand you here?
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Freddz
post Jan 18 2019, 09:13 AM
Post #38


Novice
**

Group: Members
Posts: 25
Joined: 7-January 19
Member No.: 26,791



QUOTE(CharlesEF @ Jan 15 2019, 09:53 PM) *

I forgot to say that you didn't post enough 'DBinsert' code for me to tell if you will get a response back from the ajax call. Also, in the 'DBinsert.php' file you should check to make sure every value needed is supplied in the $_POST array before doing the database insert.


Thank you very much, Charles. Your code is working fine! However, I don't understand the function onsubmit that good. But I will double check it soon by reading about it. I just havn't much time right now, unfortunately.
Additional form elements I would add just by additional code lines of "formData.append(....", right?
I tried that and it worked fine...

So thank you very much again!!!
I will see which solution is better to integrate into NOF now, sol. 3 or 4...
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Jan 18 2019, 12:44 PM
Post #39


.
********

Group: WDG Moderators
Posts: 8,238
Joined: 10-August 06
Member No.: 7



QUOTE(Freddz @ Jan 18 2019, 01:36 PM) *

To solution 1: The idea with the iFrames is a good one. Unfortunately NOF does not seem to support iFrames.

That NOF version must be really old then. Can't you add just the iframe HTML manually (with a text editor)?

QUOTE
To solution 4: This seems to be the easiest solution. But I didn't had time to ask my server provider yet... Will come back to this point soon.

Or maybe it's enough to rename the form page to something like "example.php" to make PHP code run in it?

QUOTE
To solution 5: I understood that the form page infos are within the dbinsert.php file. So you JUST work with this file

Yes it's exactly the same as solution 4, except that the URL is different.

QUOTE
but don't habe any html at all.

It does have HTML, but it only prints the form before it's submitted, and only prints the success message after the form is submitted.

QUOTE
But NOF doesn't support that.

You will have to write the combination of PHP and HTML yourself, of course.

User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
CharlesEF
post Jan 18 2019, 02:37 PM
Post #40


Programming Fanatic
********

Group: Members
Posts: 1,672
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



QUOTE(Freddz @ Jan 18 2019, 08:13 AM) *

Additional form elements I would add just by additional code lines of "formData.append(....", right?

Yes, that is correct. As for security, since you are using 'mysqli' you should use parameterized queries. That will help guard against malicious sql code.
As for NOF, I would never design a website based on the limitations of software. But I don't use any program to write any of my code.
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post

3 Pages V < 1 2 3 >
Reply to this topicStart new topic
2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)
0 Members:

 



- Lo-Fi Version Time is now: 15th October 2019 - 12:59 AM