receipt of form values by an HTML page

Subject Author Date
receipt of form values by an HTML page cartercc 10-10-2007
Posted by Scott Bryce on October 11, 2007, 11:42 am
Chris Morris wrote:

> However, by storing the data correctly in the hidden fields, you can
> avoid having to revalidate it:

Not really.

> - serialise all the data you would put into the hidden
> fields into a single string.
> - one-way hash the data (e.g. sha1) with a secret salt.
> - place the serialised data into a hidden field, and the hash into another.
> (or add it on to the end of the serialised data in the same field)
> - when the form is submitted, recalculate the hash, and if it
> matches, unserialise the data (which you know is unchanged). If it doesn't
> match, reject the submission.

Which amounts to revalidating the data, albeit in a different manner.

> You then don't have to validate anything other than the new data and a
> single quick test for all the old data.

And you still need a way to handle a situation where the data from the
first form comes back different from the second form.

Your method is better than putting the data from the first form into
hidden fields with no way of knowing if the data had changed with the
submission of the second form. I would still prefer storing the data
from the first form on the server.

Posted by Chris Morris on October 11, 2007, 11:52 am
> Chris Morris wrote:
> > You then don't have to validate anything other than the new data and a
> > single quick test for all the old data.
>
> And you still need a way to handle a situation where the data from the
> first form comes back different from the second form.

Reject it outright, in that case; throw up an appropriate 40x
page. There's a difference between failing a validation check due to
user error (putting 15 instead of 1.5 in a field taking values from 0
to 10) and failing a validation check due to suspiciousness
(user-opaque hidden field gets edited).

> Your method is better than putting the data from the first form into
> hidden fields with no way of knowing if the data had changed with the
> submission of the second form. I would still prefer storing the data
> from the first form on the server.

You still need to store a pointer to the data on the client and have a
way to validate that, though. That is an even easier problem, of
course. I'd be inclined to store that pointer in a hidden field rather
than a cookie, too, since it makes XSRF harder.

I'd generally prefer to store temporary data in a multiple-stage form
on the client: less load on the database (if indeed there's a database
available at all), and no need to make decisions about how long a
session lasts before you clean up the server-stored data. Depends on
the form, of course, and even with client storage it's nice to provide
a way for them to save their progress and close the browser if they
need to.

--
Chris
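The signed hidden field discussed in the two posts above, as an added example that is not part of the original thread. It uses HMAC-SHA256 in place of the "sha1 with a secret salt" mentioned in the thread; the field names `state` and `rating`, the secret and the sample data are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret that is never sent to the client (constructed value).
SECRET = b"constructed-demo-secret"

class TamperedField(Exception):
    """The hidden field does not match its tag."""

def seal(step1, secret=SECRET):
    """Serialise the first form's data and append an HMAC tag."""
    raw = json.dumps(step1, sort_keys=True, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def unseal(field, secret=SECRET):
    """Recompute the tag; unserialise only if it matches."""
    payload, sep, tag = field.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, done before the payload is decoded at all.
    if not sep or not hmac.compare_digest(expected.encode(), tag.encode()):
        raise TamperedField("hidden field failed integrity check")
    return json.loads(base64.urlsafe_b64decode(payload))

def handle_step2(form):
    """Return (HTTP status, result) for the second form's submission."""
    try:
        step1 = unseal(form.get("state", ""))
    except TamperedField:
        return 400, "rejected"  # edited hidden field: reject outright
    try:
        rating = float(form.get("rating", ""))
    except ValueError:
        rating = None
    if rating is None or not 0 <= rating <= 10:
        # User error in the new data: redisplay the form with a message.
        return 200, "rating must be between 0 and 10"
    return 200, {**step1, "rating": rating}

# Constructed sample: the hidden field emitted with the second form.
STATE = seal({"name": "Alice", "email": "alice@example.com"})
```

The tag shows only that the server produced the field unchanged; the values stay readable by the user, so nothing secret belongs in it.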

Posted by cartercc on October 11, 2007, 4:03 pm
Thank you all very much. I've decided to bite the bullet and spend a
day recoding the app. This is what I'm going to do:

1. Collect the info from the first (new) HTML page and send it to the
CGI script.
2. Read the values into variables (not hidden form controls) to a new
CGI script, which will collect the remainder of the info.
3. From there, continue with the app as it exists.

I was trying to avoid rewriting the HTML form but it doesn't seem to
be possible. At least I can start by incorporating the relevant
portions as a heredoc in the new CGI script.

Thanks, all, CC



Posted by Scott Bryce on October 11, 2007, 5:15 pm
cartercc@gmail.com wrote:
> Thank you all very much. I've decided to bite the bullet and spend a
> day recoding the app. This is what I'm going to do:
>
> 1. Collect the info from the first (new) HTML page and send it to the
> CGI script.
> 2. Read the values into variables (not hidden form controls) to a new
> CGI script, which will collect the remainder of the info.

This question is off topic here, but I am wondering... How are you going to
do this?

> 3. From there, continue with the app as it exists.
>
> I was trying to avoid rewriting the HTML form but it doesn't seem to
> be possible. At least I can start by incorporating the relevant
> portions as a heredoc in the new CGI script.

No! Please do yourself a favor and look at the HTML::Template and
HTML::Entities modules that I gave a link to in an earlier post. They
will save you a lot of headaches. Heredocs are a sloppy way to output
HTML from a Perl CGI script.

Posted by cartercc on October 12, 2007, 10:39 am
> This question is off topic here, but I am wondering... How are you going to
> do this?

I currently have a form.html in my www directory that has an action
attribute of cgi-bi/insert.cgi. My insert.cgi has dispatch logic as
follows:

    @errors = &validate;
    if (@errors) { ... }    # error branch is not shown in the post
    else { &insert_into_database; &send_success_email_to_user; }

I will change this to:

    # recalls insert.cgi on submission (branch body is not shown in the post)
    unless ($rest_of_info) { ... }
    else {
        @errors = &validate;
        if (@errors) { ... }    # error branch is not shown in the post
        else { &insert_into_database; &send_success_email_to_user; }
    }

> No! Please do yourself a favor and look at the HTML::Template and
> HTML::Entities modules that I gave a link to in an earlier post. They
> will save you a lot of headaches. Heredocs are a sloppy way to output
> HTML from a Perl CGI script.

I've been looking at Catalyst, Ruby on Rails, and even some at Lisp. I
have used JSP with Struts and ColdFusion. I tend to stuff common code
in a library module and use a lot of heredocs. That way, HTML is HTML,
code is code, and (almost) everything is DRY. Personally, I do not
like to mix code and HTML and therefore have never used JSP, PHP or
ColdFusion much. Works for me.

Of course, real men code their CGI in C. ;-)

CC

