I'm building a reservation system where the user first selects how many persons, and then, depending on that selection, AJAX populates the respective number of text input fields to get the names of the guests.
So my stripped-down text input structure is this:
<input type="text" name="name[]" value="<?php echo set_value('name[]');?>"/>
<input type="text" name="name[]" value="<?php echo set_value('name[]');?>"/>
<input type="text" name="name[]" value="<?php echo set_value('name[]');?>"/>
And in my controller, the validate function is this:
$this->load->library('form_validation');
$this->form_validation->set_rules('name[]', 'Name', 'required|xss_clean');
So the thing that isn't working right is: on submit, if I only enter a name in input 1, on the validated page the errors show for every input, and at the same time every input has the same name I entered for input #1.
What am I doing wrong here?
Just do it manually:
$errors = "";
// name[] arrives in $_POST as an array; a missing key means no names were sent
$names = isset($_POST['name']) ? (array) $_POST['name'] : array();
foreach ($names as $n) {
    if (trim($n) === '') {
        $errors .= "Please fill in all name fields";
    }
}
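The loop above only tells you that some field was empty. The example below is an added one (it is not from the question, the answer, or CodeIgniter's form_validation library) and shows the piece the question actually needs: validating name[] by index so each guest input gets its own error and keeps its own value, and HTML-encoding each value when it is echoed back. The function names and the sample submission are this example's own; the only assumed input is $_POST-shaped data.

```php
<?php
// Added example: per-index validation of an array field such as name[].
// validate_guest_names() and render_guest_inputs() are not CodeIgniter APIs.

function validate_guest_names(array $post, $expected)
{
    // name[] arrives as an array; anything else (a string, a missing key) is
    // treated as no names at all
    $names  = isset($post['name']) && is_array($post['name']) ? $post['name'] : array();
    $errors = array();
    $clean  = array();
    for ($i = 0; $i < $expected; $i++) {
        $value = isset($names[$i]) && is_string($names[$i]) ? trim($names[$i]) : '';
        $clean[$i] = $value;
        if ($value === '') {
            $errors[$i] = 'Guest ' . ($i + 1) . ': name is required';
        } elseif (strlen($value) > 100) {
            $errors[$i] = 'Guest ' . ($i + 1) . ': name is too long';
        }
    }
    return array('values' => $clean, 'errors' => $errors);
}

// Re-render the inputs: each field gets its own value and its own error, and
// the value is HTML-encoded so a name such as "><script> cannot break out of
// the value attribute. CodeIgniter's set_value() runs values through
// form_prep() for you; a plain echo of $_POST does not.
function render_guest_inputs(array $result)
{
    $html = '';
    foreach ($result['values'] as $i => $value) {
        $html .= '<input type="text" name="name[]" value="'
               . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"/>';
        if (isset($result['errors'][$i])) {
            $html .= '<span class="error">'
                   . htmlspecialchars($result['errors'][$i], ENT_QUOTES, 'UTF-8')
                   . '</span>';
        }
        $html .= "\n";
    }
    return $html;
}

// constructed sample submission: three guests requested, only the first filled in
$sample = array('name' => array('Alice "A" <Smith>', '', ''));
$result = validate_guest_names($sample, 3);
echo render_guest_inputs($result);
```

With the sample above only the second and third inputs carry an error, and the first keeps its own (encoded) value; that is the behaviour the question was after, and it works for any number of fields the AJAX step adds.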
I have a problem with an XSS scan on SiteLock. They said that some URLs from the HTML input form are vulnerable. They said each parameter I sent through the form was vulnerable. In this case the vulnerability is in the PayPal input form. I built my website with a PayPal redirect, so the user inputs their own data into the form and the system sends it to PayPal. This is an example of my form code:
<div class="col-md-5">
<input type="text" class="form-control" name="L_PAYMENTREQUEST_FIRSTNAME" id="L_PAYMENTREQUEST_FIRSTNAME" value="<?=$_SESSION['post_value']['shipping_first_name']?>" readonly="readonly">
</div>
<input type="hidden" name="billing_first_name" value="<?=$_POST['billing_first_name']?>">
<input type="hidden" name="billing_last_name" value="<?=$_POST['billing_last_name']?>">
<input type="hidden" name="billing_email" value="<?=$_POST['billing_email']?>">
<input type="hidden" name="billing_phone" value="<?=$_POST['billing_phone']?>">
<input type="hidden" name="billing_address" value="<?=$_POST['billing_address']?>">
<input type="hidden" name="billing_city" value="<?=$_POST['billing_city']?>">
<input type="hidden" name="billing_postcode" value="<?=$_POST['billing_postcode']?>">
<input type="hidden" name="billing_state" value="<?=$_POST['billing_state']?>">
That is some part of my form. What I want to know is what's wrong with that form, and how do I prevent SiteLock from flagging an XSS vulnerability? If anyone knows, please help.
I would also recommend using the HTTP header.
X-XSS-Protection: 1; mode=block
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
You probably don't check/nullify the data you are getting in the input fields, and by typing <script>alert('hacked')</script> in the billing_address field, on the next page where you print billing_address you will get a popup window saying "hacked".
On the page that processes your form you should validate that the input fields don't contain any JavaScript code.
For example:
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name    = test_input($_POST["name"]);
    $email   = test_input($_POST["email"]);
    $website = test_input($_POST["website"]);
    $comment = test_input($_POST["comment"]);
    $gender  = test_input($_POST["gender"]);
}
// trim surrounding whitespace, drop backslashes and HTML-encode <, >, & and "
// so the value is shown as text rather than parsed as markup when it is echoed
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
You need to create a function like test_input and run it for all your input fields.
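The scanner is reporting the hidden fields themselves: each one echoes $_POST straight into value="", so a value ending the attribute with "> is rendered as markup. The X-XSS-Protection header is a hint to a browser filter that current browsers no longer ship, so it does not fix the template. The example below is an added one (not the question's code or either answer's) and puts the vulnerable rendering beside the hardened version, which encodes at the point of output instead of trying to strip JavaScript from the input. The field names follow the question; the h() helper, render_hidden_fields() and the sample POST are this example's own.

```php
<?php
// Added example: output encoding for the hidden billing fields.

function h($value)
{
    // ENT_QUOTES also encodes the single quote, so the value is safe in both
    // double- and single-quoted attributes; always name the charset explicitly
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable form of the question's template: a value such as
//   "><script>alert('hacked')</script>
// closes the attribute and injects a script element.
function render_hidden_fields_unsafe(array $post, array $fields)
{
    $html = '';
    foreach ($fields as $name) {
        $value = isset($post[$name]) ? $post[$name] : '';
        $html .= '<input type="hidden" name="' . $name . '" value="' . $value . '">' . "\n";
    }
    return $html;
}

// Hardened form: only the expected field names are echoed, non-string values
// are ignored, and every value is HTML-encoded so the browser treats it as
// text inside the attribute.
function render_hidden_fields(array $post, array $fields)
{
    $html = '';
    foreach ($fields as $name) {
        $value = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
        $html .= '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">' . "\n";
    }
    return $html;
}

$billing_fields = array('billing_first_name', 'billing_last_name', 'billing_email',
                        'billing_phone', 'billing_address', 'billing_city',
                        'billing_postcode', 'billing_state');

// constructed sample POST carrying the style of payload a scanner sends
$sample_post = array(
    'billing_first_name' => 'Jane',
    'billing_address'    => '"><script>alert(\'hacked\')</script>',
);

echo "--- unsafe ---\n",  render_hidden_fields_unsafe($sample_post, $billing_fields);
echo "--- encoded ---\n", render_hidden_fields($sample_post, $billing_fields);
```

Encoding rather than stripping keeps legitimate data intact (an address containing an ampersand or an apostrophe is still an address) and also covers attribute-context payloads that contain no < at all. The same h() call belongs around the $_SESSION value in the readonly first-name field, since session data came from the user too.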
I would like to create a requirement that if nothing is selected from a drop-down field in my contact form, a message will come up saying "Please choose", and the form cannot be submitted unless something is chosen. I have gotten requirements to work on all of my text input fields, but cannot figure out how to create one for the drop-down field.
The drop-down HTML looks like this:
<div class='container'>
<label for='destemail'>Which department are you trying to reach?*<br/> You must select a department.</label><br/>
<select name="destemail" id="destemail">
<?php foreach ($emailAddresses as $name => $email) { ?>
<option value="<?php echo htmlspecialchars($name); ?>"><?php echo htmlspecialchars($name) ; ?></option>
<?php } ?></select>
<span id='contactus_destemail_errorloc' class='error'></span>
</div>
I got the other form requirements to work like so:
The HTML -
<div class='container'>
<label for='name' >Your Full Name*: </label><br/>
<input type='text' name='name' id='name' value='<?php echo $formproc->SafeDisplay('name') ?>' maxlength="50" /><br/>
<span id='contactus_name_errorloc' class='error'></span>
</div>
The Javascript -
<script type='text/javascript'>
//<![CDATA[
var frmvalidator = new Validator("contactus");
frmvalidator.EnableOnPageErrorDisplay();
frmvalidator.EnableMsgsTogether();
frmvalidator.addValidation("name","req","Please provide your name");
//]]>
</script>
The PHP -
//name validations
if(empty($_POST['name']))
{
$this->add_error("Please provide your name");
$ret = false;
}
I tried the exact same coding for the drop-down, but with the different id names where appropriate, and it didn't work. Why doesn't this same method work for the drop-down?
Help much appreciated!
I can't see what the Validator() code is doing, but you can just check whether the select field is empty using JavaScript or jQuery.
jQuery way:
if( !$('#destemail').val() ) {
alert('Empty');
}
The problem may lie in the fact that your select box actually does have a value, which is whatever the first option printed in it is. The validation function may be checking for any value, and since the select does have one, it returns as valid.
You could set up a default option to show first, something like "Please select a Department", and then do the jQuery/JavaScript check for that text. If it exists, then you know an option has not been selected.
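The jQuery check fixes the user experience, but anyone can post to the form without running it, and the PHP check in the question (empty($_POST['destemail'])) passes for the same reason the client-side one does: a select with no placeholder always submits a value. The example below is added here and is not the question's Validator library or the answer's jQuery; it renders the select with an empty placeholder option and, on the server, accepts only keys of the $emailAddresses allowlist, resolving the destination address from that table rather than from anything in the request. The two sample departments and the function names are this example's own.

```php
<?php
// Added example: placeholder option plus server-side allowlist for destemail.

$emailAddresses = array(
    'Sales'   => 'sales@example.com',     // constructed sample data
    'Support' => 'support@example.com',
);

// Render the select with an empty placeholder first, so "nothing chosen"
// really submits an empty value instead of silently defaulting to the first
// department.
function render_department_select(array $emailAddresses, $selected = '')
{
    $html = '<select name="destemail" id="destemail">' . "\n"
          . '<option value="">Please select a department</option>' . "\n";
    foreach (array_keys($emailAddresses) as $name) {
        $label = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $attr  = ($name === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . $label . '"' . $attr . '>' . $label . '</option>' . "\n";
    }
    return $html . '</select>';
}

// Returns the destination address for a valid choice, or null and an error
// message. Only keys of the allowlist are accepted; the request never carries
// an e-mail address itself, so it cannot redirect the message elsewhere.
function resolve_department(array $post, array $emailAddresses, &$error)
{
    $error  = null;
    $choice = isset($post['destemail']) && is_string($post['destemail']) ? $post['destemail'] : '';
    if ($choice === '') {
        $error = 'Please choose a department';
        return null;
    }
    if (!array_key_exists($choice, $emailAddresses)) {
        $error = 'Unknown department';
        return null;
    }
    return $emailAddresses[$choice];
}

echo render_department_select($emailAddresses), "\n";

// constructed submissions: nothing chosen, a forged value, and a valid choice
$submissions = array(
    array(),
    array('destemail' => 'attacker@evil.example'),
    array('destemail' => 'Support'),
);
foreach ($submissions as $post) {
    $to = resolve_department($post, $emailAddresses, $err);
    echo $to === null ? "rejected: $err\n" : "deliver to $to\n";
}
```

The same resolve_department() check is what the PHP validation block in the question should call in place of the empty() test; the JavaScript stays as a convenience on top of it.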
My policyInfoAction redirects my form to clientInfoAction. It stores the empty-field errors, then validates the fields in the session variables and redirects to the client-info page if it contains errors.
It works fine. But the problem is that the next time I open the /client-info page in a new tab, it shows the form values in the fields. I have to refresh the page to clear them out. I do not want it to display cached data when I open the link in a new tab. What should I do?
public function clientInfoAction(){
    //If there are some errors and some valid fields, display the valid fields
    $client=$this->session->client;
    $state=$this->session->state;
    unset($this->session->client, $this->session->state); // delete from the
    // assign the values to the view
    $this->view->client = $client;
    $this->view->state = $state;
}
Here is my view:
<form action="/pdp/policy-info/" method="post">
<label for="client_name">Client Name: </label>
<input type="text" name="client_name" id="client_name">
<?php if (!empty($this->client_error)) echo "<font size='2' color ='#C11B17'>".$this->client_error."</font>"; ?>
<br><br>
<label for="state">State: </label>
<select name="state" id='state'>
<option id='state' value="" selected="selected"></option>
I want to use Zend_Form to validate and filter the POST data, and some form fields are disabled elements,
but when I use $form->isValid($post) to filter the data and $form->getValues() to get the filtered data, it returns all the elements' values (including the disabled elements' values, which I don't want).
Such as:
<form method="post" action="">
<input type="text" disabled="disabled" name="account_id" value="123456">
<input type="text" name="name" value="">
<input type="text" name="email" value="">
<input type="text" disabled="disabled" name="created_date" value="2011-06-12">
<input type="text" disabled="disabled" name="created_by" value="admin">
<input type="submit">
</form>
So is there any way to get rid of the disabled elements' values?
(Because there are many fields and disabled elements, I don't want to trim them manually.)
Thanks!
This is some sort of a hack. We get all the elements and iterate through them. When we see an element is disabled, we skip it.
$somearray = array();
$elements = $form->getElements();
foreach ($elements as $key => $element) {
    // $element->disabled reads the element's "disabled" attribute (null when it is not set)
    if ($element->disabled) {
        continue;
    }
    $somearray[$key] = $element->getValue();
}
Hope this helps, or you can hack on it ;).
It looks like this is not a bug, but an accepted workflow for validating forms. See this: http://framework.zend.com/issues/browse/ZF-6909
It looks like the accepted solution/trick is to use
$form->isValidPartial($this->getRequest()->getPost())
instead of
$form->isValid($this->getRequest()->getPost())
isValidPartial only tests the form fields that are present in the POST. Disabled elements should not end up posted.
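Both answers rely on the browser not submitting disabled inputs. That holds for a normal submission, but nothing stops a client from adding account_id=999 to the POST by hand; isValidPartial() would then validate that field, the element would take the value, and getValues() would hand it back as if it were trusted data. The example below is added here (it is not from the question, the answers or Zend Framework itself) and removes every disabled element's key from the request before validation, so a tampered field never reaches the form. It assumes Zend Framework 1 is on the include path; the form is built to match the question's markup, and build_account_form() and strip_disabled_fields() are this example's own names.

```php
<?php
// Added example: drop attacker-supplied values for disabled Zend_Form elements
// before isValidPartial() sees them. Assumes ZF1 is on the include path.

require_once 'Zend/Form.php';

function build_account_form()
{
    $form = new Zend_Form();
    // 'disabled' is not a setter on Zend_Form_Element, so setOptions() stores
    // it as an HTML attribute, which is what getAttrib('disabled') reads back
    $form->addElement('text', 'account_id',   array('disabled' => 'disabled'));
    $form->addElement('text', 'name',         array('required' => true));
    $form->addElement('text', 'email',        array('required' => true,
                                                    'validators' => array('EmailAddress')));
    $form->addElement('text', 'created_date', array('disabled' => 'disabled'));
    $form->addElement('text', 'created_by',   array('disabled' => 'disabled'));
    return $form;
}

// Remove keys for disabled elements so a tampered request cannot feed them
// into validation or the filtered values. Returns the pruned POST data and the
// names that were discarded, which are worth logging: a browser never sends
// them, so their presence means someone edited the request.
function strip_disabled_fields(Zend_Form $form, array $post)
{
    $dropped = array();
    foreach ($form->getElements() as $name => $element) {
        if ($element->getAttrib('disabled') && array_key_exists($name, $post)) {
            unset($post[$name]);
            $dropped[] = $name;
        }
    }
    return array($post, $dropped);
}

$form = build_account_form();

// constructed tampered request: the rendered form never submits account_id,
// the client added it by hand
$tampered = array(
    'name'       => 'Mallory',
    'email'      => 'mallory@example.com',
    'account_id' => '999',
);

list($post, $dropped) = strip_disabled_fields($form, $tampered);
$valid = $form->isValidPartial($post);

print_r($dropped);
print_r($form->getValues());
```

With the strip in place, $dropped names account_id and the account_id entry of getValues() is left at its server-side value (null here, since nothing populated it) rather than the submitted 999; without it, isValidPartial() would have set the element's value from the request. getValues() still lists every element, which is what the loop in the first answer prunes on the way out; the two steps complement each other, one guarding input, the other shaping output.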
I'm getting to grips with Zend_Form and can create a form to add/edit a single database record, but now I'm trying to create a form to edit multiple records on a single page. For example, if I had a table of sports teams, and another table of players assigned to those teams, I would want to be able to click on a team on my site and have all the players listed as rows with inputs to edit their names, dates of birth etc., with one submit button at the bottom to save any changes.
One thing to note is that there are a variable number of records that could be edited on a page; it is not a set amount.
Any pointers/help would be very much appreciated.
Thanks.
I use the code below to delete multiple items from the database.
On the index page (list of my database records):
<form method="post" action="<?php echo $this->baseUrl().'/admin/pages/deleteMultiple'; ?>">
<td class="checkboxTable"><input name="remove[<?php echo $data[$row]->id; ?>]" type="checkbox" id="checkbox[]" value="<?php echo $data[$row]->id; ?>"/></td>
<input class="deleteMultipleButtonBottom" name="deleteMultiple" type="submit" id="deleteMultiple" value="<?php echo $this->translate('Delete selected'); ?>">
</form>
The user sees a confirmation page:
<form method="post">
<input type="hidden" name="removeId" value="<?php echo implode($_POST['remove'], ','); ?>" />
<input class="deleteYes" type="submit" name="deleteMultiple" value="Yes" />
<input class="deleteNo" type="submit" name="deleteMultiple" value="No" />
</form>
And my action looks like this:
if($this->getRequest()->isPost())
{
    if($this->getRequest()->isPost('remove'))
    {
        $this->view->pages = $this->pagesService->GetPages($this->getRequest()->getPost('remove'));
        if($this->getRequest()->getPost('deleteMultiple') == 'Yes')
        {
            $this->pagesService->DeleteMultiplePages($this->getRequest()->getPost('removeId'), $this->view->user->username, $this->getRequest()->getPost('countedItems'));
        }
        elseif($this->getRequest()->getPost('deleteMultiple') == 'No')
        {
            $this->_helper->flashMessenger(array('message' => $this->view->translate('The pages were <u>not</u> deleted'), 'status' => 'notice'));
            $this->_helper->redirectToIndex();
        }
    }
}
And in my service page:
public function DeleteMultiplePages($id)
{
    // $id is the user-supplied "1,2,3" list from the hidden removeId field:
    // cast each entry to int and let the adapter quote the list instead of
    // concatenating request data into the SQL
    $ids = array_filter(array_map('intval', explode(',', $id)));
    $this->pages->delete($this->pages->getAdapter()->quoteInto('id IN (?)', $ids ?: array(0)));
}
This approach should work for updating values too.
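For the update case the question asks about, the same two concerns apply as for the delete: the ids come from the request, so they must be checked against the rows the server knows belong to the team (otherwise players[42][name] edits whoever row 42 is), and they must never be concatenated into SQL. The example below is added here and is not the question's or the answer's code; it keys the inputs by player id, filters the posted rows against an allowlist of ids, and writes them through Zend_Db_Table with quoteInto(). The field layout, the function names and the sample request are this example's own.

```php
<?php
// Added example: batch edit of one team's players from a single form.
// View side, one row per player (layout assumed by this example):
//   <input type="text" name="players[<id>][name]" value="...">
//   <input type="text" name="players[<id>][dob]"  value="YYYY-MM-DD">

// Pure function: keep only rows whose id is in $allowedIds and whose fields
// pass basic checks. Returns array(id => array('name' => ..., 'dob' => ...)).
function filter_player_updates(array $post, array $allowedIds)
{
    $rows    = isset($post['players']) && is_array($post['players']) ? $post['players'] : array();
    $allowed = array_flip(array_map('intval', $allowedIds));
    $clean   = array();
    foreach ($rows as $id => $fields) {
        $id = (int) $id;
        if ($id <= 0 || !isset($allowed[$id]) || !is_array($fields)) {
            continue; // unknown or foreign player id: ignore the row
        }
        $name = isset($fields['name']) && is_string($fields['name']) ? trim($fields['name']) : '';
        $dob  = isset($fields['dob'])  && is_string($fields['dob'])  ? trim($fields['dob'])  : '';
        if ($name === '' || strlen($name) > 100) {
            continue;
        }
        if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $dob)
            || !checkdate((int) substr($dob, 5, 2), (int) substr($dob, 8, 2), (int) substr($dob, 0, 4))) {
            continue;
        }
        $clean[$id] = array('name' => $name, 'dob' => $dob);
    }
    return $clean;
}

// Persist the filtered rows in one transaction. $players is the
// Zend_Db_Table_Abstract for the players table; the where clause is built by
// quoteInto() with an integer type, never by string concatenation.
function save_player_updates(Zend_Db_Table_Abstract $players, array $clean)
{
    $db = $players->getAdapter();
    $db->beginTransaction();
    try {
        $updated = 0;
        foreach ($clean as $id => $data) {
            $updated += $players->update($data, $db->quoteInto('id = ?', $id, Zend_Db::INT_TYPE));
        }
        $db->commit();
        return $updated;
    } catch (Exception $e) {
        $db->rollBack();
        throw $e;
    }
}

// constructed request: rows 7 and 8 belong to the team, 42 does not
$post = array('players' => array(
    7  => array('name' => 'Ann Lee',  'dob' => '1990-04-01'),
    8  => array('name' => '',         'dob' => '1991-02-30'),   // empty name, impossible date
    42 => array('name' => 'Intruder', 'dob' => '1980-01-01'),   // not on this team
));
$teamPlayerIds = array(7, 8, 9); // in practice: SELECT id FROM players WHERE team_id = ?
print_r(filter_player_updates($post, $teamPlayerIds));
```

Only row 7 survives the filter on the sample request. The allowlist is the important part: a numeric id is still attacker-chosen, so casting it to int protects the SQL but not the other team's rows, which is why the ids are looked up from the team first and save_player_updates() only ever sees what filter_player_updates() returned.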