Is it really necessary to also filter or clean a form's select element, since the input is not actually entered by the user but rather the user selects from already entered options?
Note form submission method is POST. Thanks for the reply.
Yes. You're assuming that the user can't alter it, when in reality they can. Any DOM inspector would allow a user to simply go in and change the values of your options, or even add new options. Always, always validate user input on the server-side, for everything.
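A server-side check of a select value, as an added example that is not part of the original answer: the same option array that renders the select is used as the allowlist for the POST. The `COUNTRY_OPTIONS` list, the `validated_choice()` helper and the sample submissions are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical option list: this array renders the <select> and also validates the POST.
const COUNTRY_OPTIONS = ['de' => 'Germany', 'fr' => 'France', 'jp' => 'Japan'];

/**
 * Return the submitted option key if the server actually offered it, otherwise null.
 */
function validated_choice(array $post, string $field, array $options): ?string
{
    // A missing field, or an array sent as field[]=x, is rejected outright.
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $value = $post[$field];
    // PHP turns numeric-string array keys into ints, so normalise keys to strings
    // and compare strictly to avoid loose type juggling.
    $allowed = array_map('strval', array_keys($options));
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed sample submissions (in a real handler this would be $_POST).
$samples = [
    'untouched form'        => ['country' => 'fr'],
    'option edited in DOM'  => ['country' => 'xx'],
    'option added in DOM'   => ['country' => 'not-an-offered-value'],
    'array instead of text' => ['country' => ['de']],
    'field removed'         => [],
];

foreach ($samples as $label => $post) {
    $choice = validated_choice($post, 'country', COUNTRY_OPTIONS);
    printf("%-22s => %s\n", $label, $choice === null ? 'rejected' : "accepted ($choice)");
}
```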
Related
Here is my problem:
I have a checkout page with multiple forms: the first one is for adding people to the order, and the second one is the checkout form. I need to get the people from the first form in my second form. The problem is that these two forms are created when the page is loaded, so at the beginning the second form doesn't know who the people in the first form are, so I can't use form_alter (or only if I refresh the page).
I think the thing to do is add them when the first form is submitted, but how do I alter fields of another form?
Edit:
Yes, same page, so I really can't use form_alter. I'm trying this now: ajax_command_replace('#commerce-checkout-form', drupal_render(drupal_get_form('commerce-checkout-form', $order, $payment_page)));
but drupal_render returns an empty form (I checked with dsm) and it's not replaced in the page.
I also tried to set a callback on my checkbox field and do a form_rebuild in the callback, but that doesn't work either... I really don't know how to do that.
Do you have any idea how to make this work?
I have a long form that a user has to fill. After the user has clicked submit, I have to show a page with the information the user has filled in the form so that he can check that everything is correct before doing any further processing (i.e., he has to press another submit button or a back button if he detects an error).
Is there an easy way to do this? Is there a better way than creating a new form with hidden values equal to the values submitted in the previous form?
Would it be okay if I just store the information in a session variable and then process it if the user confirms?
You could skin that cat many ways, here's a couple of ideas:
Add a non-mapped confirm input (like a checkbox) to your form. On initial form render with no POST, hide the input. When you get a POST, show the checkbox input & some additional information (please review your data & check to confirm all is OK etc). Don't validate the form or save your data until the confirm input has been checked. You don't need to mess about with hidden fields, the one form will do the job for you.
Save the entity and give it a property e.g. isApproved, that way you can show the data easily & if the user needs to edit, re-use your form. When the user approves the information set isApproved to true. Don't perform any actions on any entities that have isApproved == false. Cons are you then have to manage an isApproved state for an entity.
I need the form to display a checkbox field when the user has selected an image for upload in an image form field, and make it required.
The user has to confirm that he claims the rights to that picture.
I've already tried to make a custom validator, but I think this won't work for that scenario.
Thank you
If I understood well, 2 solutions:
You do this via HTML with an . The user has to check this after uploading his picture. If you don't check the box, it won't submit the form.
With a boolean in your entity, you set it to required=true and display it like any other field. But the result in the database will always be true... (useless)
I needed to show some preexisting data from a table but needed to disable them to prevent the user from editing them. So I disabled them:
$form -> getElement("elementname") -> setAttrib("disable", true);
When I submitted the form, I found out that the form element does not get submitted at all, just because it was disabled. I confirmed this when I tested removing the disable options.
What is happening? Am I doing something wrong? How to solve this?
This is by design, disabled elements do not get submitted with the form.
What you are doing is actually a null practice; no matter what you do to that form input, it will be editable by the end user. You simply cannot trust form input - even hidden fields - to not be tampered with.
Your best bet is to just display the information to the user and load it again after the form has been submitted; at worst store it in a session.
This worked like a charm for me.
It prevents the element from being edited and will pass it through the post.
$this->username->setAttrib('readonly', 'true');
I handle these types of scenarios using hidden elements. Add a hidden element with the same content that is there in your disabled element. When the form is posted, use the value from the hidden element.
But be cautious that the user can modify the value of the hidden element using Firebug or other tools before submitting the form. Always check the form values again before processing.
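The answers above agree that disabled, readonly and hidden fields are all client-controlled. As an added example (not code from any of the posts), here is one way to process such a form so the display-only value always comes from the server's own copy and a differing posted value is only reported. The field names, the `apply_submission()` helper and the sample data are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical field split for a profile form: user-editable vs. display-only.
const EDITABLE_FIELDS = ['email', 'city'];
const LOCKED_FIELDS   = ['username'];

/**
 * Merge a POST into the stored record. Locked fields always come from $stored
 * (the server-side copy, e.g. a database row or session); posted values that
 * differ are reported so the caller can log or reject the request.
 */
function apply_submission(array $stored, array $post): array
{
    $record = $stored;
    $tampered = [];
    foreach (EDITABLE_FIELDS as $f) {
        // Editable fields still need their own validation; only trimming is shown here.
        if (isset($post[$f]) && is_string($post[$f])) {
            $record[$f] = trim($post[$f]);
        }
    }
    foreach (LOCKED_FIELDS as $f) {
        // A disabled input is absent from the POST; readonly and hidden inputs are
        // present but client-controlled. Either way the stored value wins.
        if (array_key_exists($f, $post) && $post[$f] !== $stored[$f]) {
            $tampered[] = $f;
        }
    }
    return ['record' => $record, 'tampered' => $tampered];
}

// Constructed sample data.
$stored = ['username' => 'alice', 'email' => 'alice@example.org', 'city' => 'Lyon'];
$cases = [
    'disabled input (not sent)'  => ['email' => 'a@example.org'],
    'readonly input, unchanged'  => ['username' => 'alice', 'city' => 'Paris'],
    'hidden input edited client' => ['username' => 'admin', 'city' => 'Paris'],
];
foreach ($cases as $label => $post) {
    $out = apply_submission($stored, $post);
    printf("%-28s username=%s tampered=[%s]\n", $label,
        $out['record']['username'], implode(',', $out['tampered']));
}
```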
I have a simple form with several checkboxes. Now I need to prevent users from proceeding with this form if more than 3 checkboxes are selected. How should this be done?
Prevent the user from proceeding in what fashion?
One general way would be to simply keep track of the number of checkboxes checked within your checkbox check methods. In each check method, check your checkbox count variable, and you can proceed from there with how you want to prevent the user from interacting with your form.