Zend form: secure way to store entry ID when editing? - security

I'm new to the Zend Framework and I have a problem creating an edit form with Zend_Form.
My problem is that I need to store the entry ID during editing. I've seen some examples that use a hidden form field, but a hidden field can be manipulated by a user.
So: how can I set a form field which gets populated by $form->populate($data); and is available after submitting the request, but is not editable/visible to the user in any way?
Thanks for any help!

I'm not sure if there's really a point in trying to hide the value.
Consider the following:
To display the correct editor form, you need the ID of the object that is to be edited.
Before allowing the user to edit a certain ID, you would check if the user can edit it or not.
Thus, if you put the ID in the form, it shouldn't really matter:
When you POST the edit form, you should again check that the user can still edit the ID.
If the user changes the hidden ID, it doesn't really matter. They could still go and edit the other ID by finding it on the site. (This is assuming your check didn't tell you the user does not have access)

What kind of data do you want to hide?
Data should be in POST or GET. If you don't put your data in your form, then you will have to use GET, which is less secure than POST.
If you have some data and you don't want the user to see that data, then you should not put that data in a form. You can store and retrieve hidden data using the form's submitted values. Let's suppose your hidden field is the user's password. You don't need to send the password back to the client when the client is editing the form. You can manipulate the password in your controller according to the user's submitted first name and last name.
If you still insist, you may want to try encrypting data using ZF, echoing your value and setting the encrypted data into a hidden form element.

Zend_Form generates an HTML form element with the form elements you specify, so its element capabilities are narrowed to those of a simple HTML form.
The hidden form element is used to pass data that the user is not supposed to enter by hand. But as you yourself said, there is no guarantee it cannot be tampered with, so no security is provided by using a hidden form value.
Most of the time you'd better use server-side values (like those stored in sessions) to reference values that are to be protected from the user.
I suggest you keep the ID in a session value, and then you could use the session key in the hidden form field. This way the user cannot change the target ID. However, you are not able to use $form->populate($values) on this in one step; you would have to set the target value with other steps:
- fetch data from the session
- set the form element value with the fetched data
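The two answers above (re-check authorization on the POST, and keep the real ID in the session behind an opaque key) combined in one Zend Framework 1 controller action. This is an added example, not code from the question or any answer; the form class Application_Form_Entry (with a text field title and a hidden field edit_key), the mapper Application_Model_EntryMapper with find()/save(), and the userMayEdit() check are hypothetical names chosen for illustration.

```php
<?php
// Added example (not from the original thread): a ZF1 edit action that keeps
// the record ID server-side in the session, exposes only a random one-shot key
// in the hidden field, and authorizes the edit on BOTH the GET and the POST.
// Assumed/hypothetical: Application_Form_Entry, Application_Model_EntryMapper,
// and an entry object with getTitle()/setTitle()/getOwnerId().

class EntryController extends Zend_Controller_Action
{
    public function editAction()
    {
        $form    = new Application_Form_Entry();
        $session = new Zend_Session_Namespace('entry_edit');
        $mapper  = new Application_Model_EntryMapper();
        $request = $this->getRequest();

        if (!$request->isPost()) {
            // GET: the ID arrives in the URL; authorize it before showing the form.
            $id    = (int) $this->_getParam('id', 0);
            $entry = $mapper->find($id);
            if ($entry === null || !$this->userMayEdit($entry)) {
                throw new Zend_Controller_Action_Exception('Not found', 404);
            }

            // Bind the record ID to a random key that lives only in the session.
            $key = bin2hex(openssl_random_pseudo_bytes(16));
            $session->{$key} = $id;

            // populate() fills every element, including the hidden edit_key.
            $form->populate(array(
                'title'    => $entry->getTitle(),
                'edit_key' => $key,
            ));
            $this->view->form = $form;
            return;
        }

        // POST: run the form's own validators first.
        if (!$form->isValid($request->getPost())) {
            $this->view->form = $form;
            return;
        }

        // Resolve the key back to the ID; a tampered key simply does not resolve.
        $key = $form->getValue('edit_key');
        if (!preg_match('/^[0-9a-f]{32}$/', $key) || !isset($session->{$key})) {
            throw new Zend_Controller_Action_Exception('Invalid edit token', 400);
        }
        $id = (int) $session->{$key};
        unset($session->{$key}); // one-shot: a replayed form is rejected

        // Authorize AGAIN on the POST: permissions may have changed since the GET.
        $entry = $mapper->find($id);
        if ($entry === null || !$this->userMayEdit($entry)) {
            throw new Zend_Controller_Action_Exception('Forbidden', 403);
        }

        $entry->setTitle($form->getValue('title'));
        $mapper->save($entry);
        $this->_helper->redirector('index');
    }

    // Hypothetical ownership check: compare the entry's owner with the
    // authenticated identity (a Zend_Acl lookup would work the same way).
    private function userMayEdit($entry)
    {
        $identity = Zend_Auth::getInstance()->getIdentity();
        return $identity !== null && $entry->getOwnerId() === (int) $identity->id;
    }
}
```

The hidden field still exists, but what it carries is meaningless outside this session, and the decisive control is the second userMayEdit() call on the POST path; if that check is present, the first answer's point holds and the session indirection only adds replay protection.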

Related

XPage SSJS validateExpression caching previous values

I have a simple user registration form which needs to check if the email address already exists. It initially works when I hit the Submit button, e.g. if I enter an existing mail address I get the error, but if I then modify the address to a non-existent one it takes one or two more submits before passing validation. So it seems there is some caching going on somewhere.
I have an isExistingUser function in an SSJS library which simply looks up to the $Users view in the Directory and returns a boolean. Then the XPage source is as follows:
<xp:validateExpression>
<xp:this.message><![CDATA[This user already exists!]]></xp:this.message>
<xp:this.expression><![CDATA[#{javascript:var em = getComponent("inputEM").getValue();return isExistingUser(em)}]]>
</xp:this.expression>
</xp:validateExpression>
How do I force this to work correctly on every submit, i.e. clear any previous values from memory/cache? Many thanks
Use getComponent("inputEM").getSubmittedValue() - or even better: use the data source to get the contents of inputEM, such as document.getValue("inputEM")

Google Surveys -- a way to pass URL parameters into survey?

I have created a Google Survey and I want to be able to pass URL parameters into the survey so that I can track where responses are coming from. Ideally these URL parameters will be populated into the spreadsheet.
I have tried something like this:
https://docs.google.com/forms/d/HASH/viewform?src=MY_SOURCE&ref=MY_REF
However, this doesn't seem to be working.
Any help or comments appreciated!
There is no way to pass hidden information, but you can pre-fill form fields using URL parameters:
Open a form in Google Forms
In the top right, click More [...]
Choose Get pre-filled link
Fill in any answer fields you want to pre-populate
Click Submit
To send the pre-populated form to respondents, copy and send the link at the top
I came across this and decided to do the following.
Create a form
At the bottom add your own parameters (let's say user_id)
Click the triple dots on the top right to get a prefilled link
Fill the user_id parameter with user_id
Click Generate and copy the link (Bottom left)
Your link will look like this: https://docs.google.com/forms/d/e/1FAIplshiflshdlshdflkhlkb0Exboi5usdfsdf-f/viewform?entry.1370129364=user_id
In my case I wrote something that replaces {user_id} with the actual user id. The link looked like this: https://docs.google.com/forms/d/e/1FAIplshiflshdlshdflkhlkb0Exboi5usdfsdf-f/viewform?entry.1370129364={user_id}
I did a simple replace (e.g user_id = 123455) link looks like this https://docs.google.com/forms/d/e/1FAIplshiflshdlshdflkhlkb0Exboi5usdfsdf-f/viewform?entry.1370129364=123455 and clicking on it will fill the user_id in the form with 123455
Do this if you don't mind the users being able to change the data (most of them don't).
I wanted to pass hidden information through a Google Form and came up with a little workaround:
Create a new page/section (old vs new forms) on the form with the questions that you want filled. If you have multiple pages, make the hidden page the last for simplicity.
Use the "continue to page" option on the last page/section you want visible to go to Submit.
Use the prefill tool to get the entry IDs and set up the link as you need.
When a user accesses the form through the pre-filled URL, the hidden data will be filled in on the hidden page and submitted with their other answers... Although it will be hidden from an EU standpoint.
I use this frequently for transferring data from one form to another. With the CopyDown addon to copy the formula after each form submit so that it builds the pre-fill URL, that when clicked, has just the essential questions (i.e. record number, name, etc.) to verify the info. Hit Next, then Submit!
Google Forms does not allow you to pass information; you may consider using another method/flow in your system.
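The link-building step described above ("I wrote something that replaces {user_id} with the actual user id"), as an added PHP example that is not part of the thread. It goes one step beyond the answers: because the pre-filled value is just an ordinary answer the respondent can edit, the example also pre-fills a second hidden question with an HMAC tag so that edited rows can be spotted when the response sheet is processed. The form URL, the second entry ID and the secret are placeholders; entry.1370129364 is the ID quoted in the answer above.

```php
<?php
// Added example (not from the original thread). Builds a pre-filled Google
// Forms link and a tamper-evidence tag for the pre-filled user_id.
// Placeholders: FORM_ID_PLACEHOLDER, entry.0000000000 (a second hidden
// question created in the form) and $secret (kept server-side only).

// Build the pre-filled URL. http_build_query() percent-encodes each value,
// so a user_id containing spaces or '&' cannot break or inject parameters.
function build_prefilled_link($formBase, array $entryValues)
{
    return $formBase . '?' . http_build_query($entryValues);
}

// Tag = HMAC-SHA256 over the user_id. A respondent who edits the user_id
// answer cannot produce a matching tag without $secret.
function prefill_tag($userId, $secret)
{
    return hash_hmac('sha256', (string) $userId, $secret);
}

// Run over each row of the response sheet: true only if user_id is unchanged.
function response_is_untampered($userId, $tag, $secret)
{
    return hash_equals(prefill_tag($userId, $secret), (string) $tag);
}

$secret = 'CHANGE-ME-server-side-secret';                       // placeholder
$form   = 'https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/viewform';
$userId = 123455;                                                // from the answer

echo build_prefilled_link($form, array(
    'entry.1370129364' => $userId,                              // visible user_id question
    'entry.0000000000' => prefill_tag($userId, $secret),        // hidden tag question
)), PHP_EOL;

// Constructed sample rows as they might appear in the linked spreadsheet.
$rows = array(
    array('user_id' => '123455', 'tag' => prefill_tag('123455', $secret)),
    array('user_id' => '999999', 'tag' => prefill_tag('123455', $secret)), // edited by respondent
);
foreach ($rows as $row) {
    printf("user_id=%s tampered=%s\n", $row['user_id'],
        response_is_untampered($row['user_id'], $row['tag'], $secret) ? 'no' : 'yes');
}
```

The tag does not stop anyone from changing the answer; it only lets the script that reads the sheet discard or flag rows whose user_id no longer matches, which is the most a client-side form can give you.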

Lotus notes, edit one form from another

Basically what I want to do is create a form whilst within another form and pass values from the earlier form to the second. Complicated I know but here is what I got.
@Do(@Command([Compose];"LPK"); @SetField("PR_Make"; PR_Make))
The fields in both forms have the same name and this code is called when first document is attempted to be saved.
I think instead of editing the field on the second form it just saves a field as itself instead. Any help appreciated.
The best and common way is to enable form property "Formulas inherit values from selected document" in second form "LPK".
Add a default value formula to second form's fields you want to inherit and put just the name of field itself in. For your example default value formula it would be
PR_Make
Make sure you save document first and then create the new document.
Knut Hermann's answer is the 'standard' way of achieving such things, but there are other methods, e.g. you can use environment variables.
Something like:
@Environment("PR_Make") := PR_Make;
@Command([Compose];"LPK");
Then set the default value for PR_Make in your new form as:
@Environment("PR_Make")
FYI: environment variables are written to the user's Notes.ini file and so remain even after Notes has been closed and re-opened. @Environment doesn't work too well with Web applications as it uses the server's notes.ini.
An alternative would be to use profile documents:
@SetProfileField( "PRDefaults"; "PR_Make" ; PR_Make;@Username);
@Command([Compose];"LPK");
.. in the default field for PR_Make on the new form:
@GetProfileField( "PRDefaults"; "PR_Make"; @Username);
Profile documents are stored as a kind of hidden document in the Notes database and persist with the database. The last parameter sets a further subdivision by username so each user gets their own profile doc - a bit like a personal profile for "PRDefaults". You can leave this last parameter @Username out to have one profile doc per database, but there's a risk of two people trying to use it at the same time and clashing.
Profile docs also work with web applications.

Does CakePHP automatically deal with mass assignment vulnerabilities when saving modified data?

Edit:
After receiving more information from DCoder, the phrase I was searching for here is a "mass assignment vulnerability." That is to say, taking advantage of the convenience of methods that would save all valid fields to the database, regardless of their presence on the initial form (making them vulnerable to manipulated POST data containing more [possibly more critical] fields than the intended ones).
The two common responses are then appropriately named whitelisting and blacklisting; whitelisting fields intended for modification, or blacklisting fields that should not be modified.
My question then follows: does CakePHP automatically whitelist only those fields in the submitting form, or is it necessary for me (and other Cake fans) to be careful that we are whitelisting or blacklisting appropriately?
Original Question:
Cake offers a lot of great ways to generate forms and handle them nearly automatically. As I was thinking about security, I got to wondering: is Cake aware of what fields existed in a submitted form, or will it simply accept any valid field? Take the following scenario if I'm not making sense (and someone is welcome to edit my question to be better worded if they can think of a better way to express it):
Let's say I allow my users to edit their profile. I create a form which has fields for username, e-mail, and password, under the action edit.
A clever user wants to come in and change their is_admin field from false to true, so they use an app like firebug to submit custom post data to the edit action, which includes the field is_admin set to true.
The question is, would Cake realize on its own that is_admin was not in the original form, or do I need to be careful to explicitly specify which fields a given action can modify? Is there an easier way?
Thank you!
James
You have to load the SecurityComponent in your controller(s) and CakePHP will prevent form tampering for you, see http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#form-tampering-prevention
CakePHP has a built-in validation option available. The Form automatically generates the fields and does validation based on the validation criteria you have mentioned in the model. This validation will be called automatically before the Save method.
Also, if you want to add some custom validation, you can add that in the model.
With your specific query you can remove the is_admin field from the edit form so that it won't be editable by the user. If you want to add more security and make sure that the is_admin field has a false value, you can set its value in the controller's edit method.
In the edit method you can add the following code before calling the Save action.
$this->request->data['ModelName']['is_admin'] = false;
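The whitelisting the question asks about, shown as an added CakePHP 2.x example (not code from the answers above): the mass-assignable edit action beside one that passes a field list to save(). The User model, its columns and the AuthComponent setup are assumptions for the example.

```php
<?php
// Added example (not from the original thread): CakePHP 2.x controller showing
// the mass-assignment pattern and its whitelisted counterpart.
// Assumed: a User model with columns username, email, password, is_admin, and
// AuthComponent supplying the logged-in user's id. Names are hypothetical.

class UsersController extends AppController {

    // SecurityComponent (from the first answer) additionally rejects POSTs
    // whose set of field names differs from the form CakePHP rendered.
    public $components = array('Auth', 'Session', 'Security');

    // Vulnerable: every key in User[...] that matches a column is saved, so a
    // crafted request carrying User[is_admin]=1 escalates the account.
    // Setting $this->User->id from the session (not from User[id] in the body)
    // is still necessary, but it does not protect the other columns.
    public function edit_unsafe() {
        $this->User->id = $this->Auth->user('id');
        if ($this->request->is('post') || $this->request->is('put')) {
            $this->User->save($this->request->data);          // no field list
        }
    }

    // Hardened: the third argument of Model::save() is a whitelist; any other
    // key in the request, is_admin included, is dropped before the UPDATE.
    public function edit() {
        $id = $this->Auth->user('id');
        $this->User->id = $id;

        if ($this->request->is('post') || $this->request->is('put')) {
            $fieldList = array('username', 'email', 'password');
            if ($this->User->save($this->request->data, true, $fieldList)) {
                $this->Session->setFlash('Profile updated.');
                return $this->redirect(array('action' => 'view', $id));
            }
            $this->Session->setFlash('Please correct the errors below.');
        } else {
            // Pre-fill the form from the database, never from user input.
            $this->request->data = $this->User->read(null, $id);
            unset($this->request->data['User']['password']);   // never echo the hash back
        }
    }
}
```

The field list is the reliable control because it is enforced at save time regardless of what the rendered form contained; SecurityComponent is a useful second layer, but it depends on the form having been generated by FormHelper and on the component being loaded in every controller that saves user data.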

Drupal: How to add a form and perform functionality on it

I am new to Drupal and trying to get the hang of it.
I am not able to find how to have the following functionality on my site. If anyone can help me out, it would be great for me.
I need to have a form that will take 2 fields, one of which is supposed to be the login ID (how to retrieve the login ID?). I need to store this and display it in tabular form on a new page. Lastly I want to provide an edit form for this functionality using the same form, but its use will be like: whenever a person adds a value in this form, it checks in Table1; if the entry is not present it adds it to the table, else it updates the table.
Apart from this I need to store all the updates in a separate table or something like that, so that I am able to see the history of all the changes.
Eg:
ADD Form:
Fields:
- LoginID
- Phone number
Show Table Page(Tabular with the stored information)
Edit Form(same as above form):
Fields:
- LoginID
- Phone number
Now if I add my phone number to this it will get stored. Later, when I try to modify my number, it should update in the initial table but also store the history of the old and new entry in a separate table so that I can perform various operations on it.
I also don't know how to add/enable form fields in Drupal. :(
Thanks
I'm not entirely sure what you're asking, but I think the Computed Field module might be helpful. The module allows you to define custom hooks that run when a node is saved.
If you're not creating nodes and are using something like the Webform module, you should be able to write a module to process the data.
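Since the answer above suggests writing a module, here is an added example of what that module's add/edit form could look like using the Drupal 7 Form API; it is not code from the question or answer. It assumes Drupal 7, a module named phonebook, and two tables, {phone_entry}(uid, phone, changed) and {phone_history}(uid, old_phone, new_phone, changed), declared in a hook_schema() that is not shown. All of these names are hypothetical. The listing page from the question is left out; only the add-or-update form with its history trail is shown.

```php
<?php
// Added example (not from the original thread): a Drupal 7 module sketch for
// the "same form for add and edit, plus history" requirement.
// Assumed/hypothetical: module name phonebook, tables {phone_entry} and
// {phone_history} created by a hook_schema() that is not shown here.

function phonebook_menu() {
  $items['phonebook/edit'] = array(
    'title'            => 'My phone number',
    'page callback'    => 'drupal_get_form',
    'page arguments'   => array('phonebook_edit_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

function phonebook_edit_form($form, &$form_state) {
  global $user;
  // Current value, if any, pre-fills the field: one form serves add and edit.
  $current = db_query('SELECT phone FROM {phone_entry} WHERE uid = :uid',
    array(':uid' => $user->uid))->fetchField();

  // The login ID is displayed read-only and is NOT read back from the submission,
  // so a user cannot post a different uid and edit someone else's row.
  $form['login'] = array(
    '#type'   => 'item',
    '#title'  => t('Login ID'),
    '#markup' => check_plain($user->name),
  );
  $form['phone'] = array(
    '#type'          => 'textfield',
    '#title'         => t('Phone number'),
    '#default_value' => $current ? $current : '',
    '#required'      => TRUE,
    '#maxlength'     => 32,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function phonebook_edit_form_validate($form, &$form_state) {
  // Constrain the input before it reaches the database or the listing page.
  if (!preg_match('/^\+?[0-9 ()-]{5,32}$/', $form_state['values']['phone'])) {
    form_set_error('phone', t('Enter a valid phone number.'));
  }
}

function phonebook_edit_form_submit($form, &$form_state) {
  global $user;
  $uid   = $user->uid;                       // identity comes from the session
  $phone = $form_state['values']['phone'];
  $now   = REQUEST_TIME;

  $old = db_query('SELECT phone FROM {phone_entry} WHERE uid = :uid',
    array(':uid' => $uid))->fetchField();    // FALSE when no row exists yet

  // "If the entry is not present add it, else update it" in one statement.
  db_merge('phone_entry')
    ->key(array('uid' => $uid))
    ->fields(array('phone' => $phone, 'changed' => $now))
    ->execute();

  // Audit trail: one history row per actual change (old_phone NULL on first add).
  if ($old !== $phone) {
    db_insert('phone_history')
      ->fields(array(
        'uid'       => $uid,
        'old_phone' => ($old === FALSE) ? NULL : $old,
        'new_phone' => $phone,
        'changed'   => $now,
      ))
      ->execute();
  }

  drupal_set_message(t('Phone number saved.'));
  $form_state['redirect'] = 'phonebook/list';
}
```

The placeholders in db_query() and the query builder calls keep user input out of the SQL text, and check_plain() escapes the user name before it is rendered; the same escaping is needed on the listing page when the stored phone numbers are printed.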
