How to protect a hidden input from being changed by the user - security

I'm developing an online store website which has several products, and users can submit comments for each single product.
So when the user opens a product webpage, they can submit their comments via the comment form. In order to do that I've put a hidden input in the comment form which holds the id of the product; however, it can be easily manipulated.
I've searched a lot and I know that you can never trust data sent by the clients, but I suppose there must be a way to make sure that the comment sent is exactly for the product the user is seeing right now. Because a user can see a product on the website, change the product id in the hidden input of the comment form and submit it to the server.
Please help.
Thanks in advance.
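The question above has no accepted answer on this page. One defence a practitioner would reach for is to make the hidden value something the server can recognise as its own: sign the product id (and the user it was issued to, plus an expiry) with a server-side HMAC key, put the signed token in the hidden input, and on POST verify the signature before looking the product up. A tampered or hand-typed value then fails verification, and the product must still exist in the catalogue before a comment is stored. This is an added example in Python, not code from the question or any framework; SERVER_SECRET, the PRODUCTS catalogue and the function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a secret that lives only on the server and never reaches the browser.
SERVER_SECRET = b"constructed-demo-secret-rotate-in-production"

# Constructed catalogue standing in for the store's product table.
PRODUCTS = {101: "Kettle", 102: "Toaster"}


def sign_product_id(product_id, user_id, ttl_seconds=3600, now=None):
    """Build the opaque value for the hidden input: base64(payload).base64(hmac).

    The payload binds the product id to the user the page was rendered for and
    to an expiry, so a token cannot be reused by someone else or kept forever.
    """
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"pid": product_id, "uid": user_id, "exp": now + ttl_seconds},
        separators=(",", ":"),
    ).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(mac).decode())


def verify_product_token(token, user_id, now=None):
    """Return the product id if the token is intact, unexpired and issued to
    this user; return None for anything malformed, forged, expired or foreign."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison: the MAC check happens before the payload is trusted.
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data["uid"] != user_id or data["exp"] < now:
        return None
    return data["pid"]


def handle_comment_post(form, session_user_id, now=None):
    """Server-side handling of the submitted comment form (form is a dict of POST fields)."""
    product_id = verify_product_token(form.get("product_token", ""), session_user_id, now)
    if product_id is None:
        return (400, "invalid or tampered product reference")
    # The signature proves the server issued the value; the product must still exist.
    if product_id not in PRODUCTS:
        return (404, "unknown product")
    # ... insert the comment against product_id here ...
    return (201, f"comment stored for product {product_id}")


if __name__ == "__main__":
    # Render: the page for product 101 embeds the signed token in the hidden input.
    token = sign_product_id(101, "alice")
    print('<input type="hidden" name="product_token" value="%s">' % token)
    # Submit: the server verifies the token before touching the database.
    print(handle_comment_post({"product_token": token}, "alice"))
    print(handle_comment_post({"product_token": "101"}, "alice"))
```

Note what this does and does not buy: the server can now distinguish a value it issued for this user from one the user typed in, which answers the tampering concern. It does not prove which page the user was "seeing", and it is no substitute for checking on POST that the product exists and that the user is allowed to comment on it; a plain hidden id with those server-side checks is often adequate on its own.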

Related

Populate data back to form in Kentico

Here's what I'd like to do, but I'm not sure how. I have a form that's like a typical doctor/school form, where the form has 2 sections: [1] Section 1 at the top is for the user (with standard fields like First Name, Last Name etc.), and [2] Section 2 at the bottom is for Admin/Office use only (with fields like Reviewed by, Approved/Not Approved etc.)
What I was able to do is to process Section 1, where I got ALL users' submissions and displayed all their data on a webpage using a RepeaterWithCustomQuery. That's pretty basic. But in order to do what is described above, I guess that I'll need to pull the submitted data and populate it back into Section 1 of the form (maybe as read-only data at this time), and then the Office/Admin staff can fill in Section 2.
I hope I made sense and hope that someone can point me in the right direction. I only use the Portal Engine, no access to the file system or backend.
I think I understand your issue: you want to have some sort of an editor for biz form data, similar to what you have in the admin. And the problem is that you don't have access to the backend. :( Such a thing is available for custom table data (there is a web part), but not for biz form data. There is no ready-to-use web part. Here is an old topic on that: https://devnet.kentico.com/questions/how-to-edit-the-information-of-a-record-using-the-bizform-layout.
You want to have something like the admin page for editing form records:
/CMSModules/BizForms/Tools/BizForm_Edit_EditRecord.aspx?formID=7&formRecordID=1
but customized :(. I'd say that without back-end access, the only options I see are:
1. Create a new role "Biz Form Editor" (or use an existing one) that has rights only to edit biz form data. So all your people who do the "validation" part must have a Kentico account with the role "Biz Form Editor".
2. Add the link above to your repeater with the appropriate record id.
P.S. There are special code names for alternative forms (https://docs.kentico.com/k8/configuring-kentico/creating-alternative-forms/code-names-of-automatically-used-alternative-forms). If you create an alternative form with the special name "update", the system will automatically load it when you edit the record.
Not sure that I understood your question correctly. But what you need is to use alternative forms. So the idea is that one form is for "registration" and the second one is for "validation".
So in your registration form you show only firstName, lastName etc. and you don't show the "validation" fields. In the validation form you show firstName, lastName etc. as labels and show textboxes for the validation fields.

What would be the best way to make a website that lets a user fill a form and receive data (such as real estate listings)?

I want to make a website that will allow the user to input the zipcode in which they are looking for houses and that will notify me of what their search criteria is (such as homes for $250K in the ##### zip code). What would be the best way to start this project?
You could create a form that asks the user to fill in their details, and when they submit it you receive an email with their details.
You can look into a simple Bootstrap form and use PHP to implement it.
Have a look at this example
Simple Form Example
You could create a form that gives price range options:
- $50,000-$100,000
- $100,000-$150,000
- $150,000-$200,000
- $200,000-$250,000
- $250,000-$300,000
- $300,000+
Then create an input field with validation applied that checks for a certain number of characters and that the input is integers, to help with spam.
Finally, a submit button that you can set up to email you the results, or if you are working with a database you can send it there and monitor it, or create a page that displays the requests you get. The email structure would be pretty easy to set up.
This can all be done with simple PHP and HTML.

Google Surveys -- a way to pass URL parameters into survey?

I have created a Google Survey and I want to be able to pass URL parameters into the survey so that I can track where responses are coming from. Ideally these URL parameters will be populated into the spreadsheet.
I have tried something like this:
https://docs.google.com/forms/d/HASH/viewform?src=MY_SOURCE&ref=MY_REF
However, this doesn't seem to be working.
Any help or comments appreciated!
There is no way to pass hidden information, but you can pre-fill form fields using URL parameters:
Open a form in Google Forms
In the top right, click More [...]
Choose Get pre-filled link
Fill in any answer fields you want to pre-populate
Click Submit
To send the pre-populated form to respondents, copy and send the link at the top
I came across this and decided to do the following.
Create a form
At the bottom add your own parameters (let's say user_id)
Click the triple dots on the top right to get a prefilled link
Fill the user_id parameter with user_id
Click Generate and copy the link (Bottom left)
Your link will look like this: https://docs.google.com/forms/d/e/1FAIplshiflshdlshdflkhlkb0Exboi5usdfsdf-f/viewform?entry.1370129364=user_id
In my case I wrote something that replaces {user_id} with the actual user id. The link looked like this: https://docs.google.com/forms/d/e/1FAIplshiflshdlshdflkhlkb0Exboi5usdfsdf-f/viewform?entry.1370129364={user_id}
I did a simple replace (e.g. user_id = 123455); the link looks like this: https://docs.google.com/forms/d/e/1FAIplshiflshdlshdflkhlkb0Exboi5usdfsdf-f/viewform?entry.1370129364=123455 and clicking on it will fill the user_id in the form with 123455.
Do this if you don't mind the users being able to change the data (most of them don't).
I wanted to pass hidden information through a Google Form and came up with a little workaround:
Create a new page/section (old vs. new forms) on the form with the questions that you want filled. If you have multiple pages, make the hidden page the last one for simplicity.
Use the "continue to page" option on the last page/section you want visible to go to Submit.
Use the prefill tool to get the entry IDs and set up the link as you need.
When a user accesses the form through the pre-filled URL, the hidden data will be filled in on the hidden page and submitted with their other answers... Although it will be hidden from an EU standpoint.
I use this frequently for transferring data from one form to another. With the CopyDown addon to copy the formula after each form submit so that it builds the pre-fill URL, that when clicked, has just the essential questions (i.e. record number, name, etc.) to verify the info. Hit Next, then Submit!
Google Forms does not allow you to pass information; you may consider using another method/flow in your system.

Zend form: secure way store entry ID when editing?

I'm new to the Zend Framework and I have a problem to create an edit form with the Zend_Form.
My problem is that I need to store the entry ID during editing, I've seen some examples that are using a hidden form field, but a hidden field can be manipulated by a user.
So: how can I set a form field which gets populated by $form->populate($data); and is available after submitting the request, but is not editable/visible to the user in any way?
Thanks for any help!
I'm not sure if there's really a point in trying to hide the value.
Consider the following:
To display the correct editor form, you need the ID of the object that is to be edited.
Before allowing the user to edit a certain ID, you would check if the user can edit it or not.
Thus, if you put the ID in the form, it shouldn't really matter:
When you POST the edit form, you should again check that the user can still edit the ID.
If the user changes the hidden ID, it doesn't really matter. They could still go and edit the other ID by finding it on the site. (This is assuming your check didn't tell you the user does not have access)
What kind of data do you want to hide?
Data should be in POST or GET. If you don't put your data in your form, then you will have to use GET, which is less secure than POST.
If you have some data and you don't want the user to see that data, then you should not put that data in a form. You can store and retrieve hidden data using the form's submitted values. Let's suppose your hidden field is the user's password. You don't need to send the password back to the client when the client is editing the form; you can manipulate the password in your controller according to the user's submitted first name and last name.
If you still insist, you may want to try encrypting the data using ZF, echoing your value and setting the encrypted data into a hidden form element.
Zend_Form generates an HTML form element with the form elements you specify. So its element capabilities are narrowed to a simple HTML form.
The hidden form element is used to pass data that the user is not supposed to enter by hand. But as you yourself said, there is no guarantee it could not be tampered with, so no security is provided by using a hidden form value.
Most of the time you'd better use server-side values (like ones stored in sessions) to reference values that are to be protected from the user.
I suggest you keep the ID in a session value, and then you could use the session key in the hidden form field. This way the user cannot change the target ID. However, you are not able to use $form->populate($values) on this in one step; you would have to set the target value with other steps:
fetch data from the session
set the form element value with the fetched data
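The session approach in the last answer, combined with the earlier answer's point that the edit POST must re-check authorization anyway, as an added example in Python (not Zend or PHP code, and not from either answer): the real entry id stays in the server-side session under a random handle, the hidden field carries only the handle, and on POST the handle is mapped back and consumed, so a user who edits the hidden value gets nothing but a rejected request. The session dict, the entry layout and the can_edit callback are constructed stand-ins for the framework's own objects.

```python
import secrets


def issue_edit_handle(session, entry_id):
    """Store the real entry id server-side and return a random, single-use handle
    for the hidden form field. Several handles may be live at once (multiple tabs)."""
    handle = secrets.token_urlsafe(16)
    session.setdefault("edit_handles", {})[handle] = entry_id
    return handle


def resolve_edit_handle(session, handle):
    """Map a submitted handle back to the entry id and consume it; None if the handle
    is unknown, which covers a tampered value, a replay and a stale form alike."""
    return session.get("edit_handles", {}).pop(handle, None)


def build_edit_form_values(session, entry):
    """The two-step populate the answer describes: copy every field except the id
    into the values passed to the form, then add the handle from the session."""
    values = {key: value for key, value in entry.items() if key != "id"}
    values["edit_handle"] = issue_edit_handle(session, entry["id"])
    return values


def handle_edit_post(session, posted, can_edit):
    """Server-side handling of the edit POST. can_edit(entry_id) is the caller's
    authorization check, run again here because the handle only proves the
    server issued it, not that the user is still allowed to edit the entry."""
    entry_id = resolve_edit_handle(session, posted.get("edit_handle", ""))
    if entry_id is None:
        return (400, "stale or tampered edit handle")
    if not can_edit(entry_id):
        return (403, "not allowed to edit this entry")
    # ... apply the posted fields to entry_id here ...
    return (200, entry_id)


if __name__ == "__main__":
    session = {}  # stands in for the server-side session store
    entry = {"id": 42, "title": "Quarterly report", "body": "..."}
    values = build_edit_form_values(session, entry)
    print("populate form with:", values)          # no raw id in the form
    print(handle_edit_post(session, values, lambda eid: True))
    print(handle_edit_post(session, {"edit_handle": "42"}, lambda eid: True))
```

Consuming the handle on use means a double submit of the same form is rejected; if that is unwanted, keep a per-handle expiry instead of popping it. Either way the authorization check on POST is what actually protects the entry, exactly as the first answer argues.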

Two forms on the same page drupal

I have a database of clients. Before entering a new client, I want to make sure that that client is not already in the database. So I want to put a search form at the top of my page to search by client number and client name. Further down the page, I'll have another form to enter and submit the client's information. Would this be the best way to go about something like this? How would you approach this? I'm using Drupal 6.
It is better that when the user is inserting a new customer name, an autocomplete shows the names matching the characters inserted by the user; if the user wrote "Mic", and in the database there is a customer with the name "Michael Greenpeace", the autocomplete will show "Michael Greenpeace", and the user will understand there is already a record for that customer.
Even without the autocomplete (which would help the user to understand if the data for the customer has been already inserted in the database, and continue with the next customer), a user that inserted the name of an existing customer should see the existing data; this would help the user to avoid rewriting data that are already updated (customer information need to be updated, sometimes, and not only inserted).
