  1. #1
    doubledee (Senior Coder)

    Submit more than one Form at a time??

    If a web page has multiple - yet separate - Forms on it, is there any way a user (or hacker) could submit more than one Form at a time??

    I ask this, because I have a separate Form beneath each User Comment where others can give the Comment a rating.

    I want to be sure that the contents of the $_POST array are pure, and only contain values from *one* of the Forms.

    Sincerely,


    Debbie

  • #2
    Old Pedant (Supreme Master coder!)
    Then why not have all comments in a single <form> and use JavaScript to be sure only one actually contains data?

    Even better: As soon as your JS code detects that the user has entered ANYTHING into one of the comments, it disables all the other comment <textarea>s.

    As for a hacker (or a person who turns off JavaScript): Trivial in the PHP code to ignore all but the first comment in the POST data. Or to ignore the post completely if more than one comment is present.

    Methinks you are over-thinking this.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    Old Pedant (Supreme Master coder!)
    As for your current methodology: A hacker could trivially submit *ANYTHING* to you without regard to your <form>s. You don't need a browser to simulate posting of <form> data.

    If you allow non-registered users to post comments, you are in for trouble no matter what you do.

  • #4
    doubledee (Senior Coder)
    Old Pedant,

    I see you didn't die after all...


    As far as your comments, me thinks your calling is databases!

    Sincerely,


    Debbie

  • #5
    DrDOS (Senior Coder)
    Me thinks Old Pedant's calling is the use of common sense in coding, having observed his posts for several years. And perhaps patience in explanation.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

  • #6
    doubledee (Senior Coder)
    Quote Originally Posted by DrDOS View Post
    Me thinks Old Pedant's calling is the use of common sense in coding, having observed his posts for several years. And perhaps patience in explanation.
    Assuming never helps...

    Neither does recommending use of JavaScript.

    But when I need database help, Old Pedant certainly can hold his own.


    Debbie

  • #7
    Old Pedant (Supreme Master coder!)
    But if your PHP code checks for multiple comments being submitted and rejects the POST (or accepts only the first comment) then all the JavaScript is doing is enhancing the user experience. Again, you are overthinking this if you have multiple <form>s.

    Having said that: A browser user can't submit more than one <form> per page unless you have a target=xxx in your <form> (e.g., you use a <frame> as a target for the form posting). But there's not much you can do to prevent hackers from multi-posting if you don't insist on only registered users being able to post.

    One more time: you are over-thinking this.

    And if you won't learn to use JavaScript, your pages will never be as modern and user-friendly and and and as they should be.
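    The server-side check Old Pedant describes in #2, #3 and #7 (ignore or reject a POST that carries more than one comment's fields), written out as an added example that is not code from the thread. Field names `comment_id` and `helpful` are assumptions; the thread never shows the actual form markup.

```php
<?php
// Added example, not the original poster's code. Assumed form fields
// (not given in the thread): each per-comment rating form posts
// "comment_id" and "helpful" (values "yes" or "no").

/**
 * Return ['comment_id' => int, 'helpful' => string] when $post holds
 * exactly one well-formed rating submission, or null otherwise.
 * A hand-crafted request (no browser involved) can carry any fields at
 * all, so the server, not the <form> markup, decides what "one form" is.
 */
function validate_rating_post(array $post): ?array
{
    $expected = ['comment_id', 'helpful'];

    // Reject unexpected keys (for example a second comment's fields
    // merged into the same request).
    $extra = array_diff(array_keys($post), $expected);
    if ($extra !== []) {
        return null;
    }

    foreach ($expected as $key) {
        // A missing field, or an array value (comment_id[]=1&comment_id[]=2
        // is parsed by PHP into an array), is not a single submission.
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
    }

    // comment_id must be a positive integer with no stray characters.
    $commentId = filter_var($post['comment_id'], FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    if ($commentId === false) {
        return null;
    }

    // Only the values the rating form can legitimately produce.
    if (!in_array($post['helpful'], ['yes', 'no'], true)) {
        return null;
    }

    return ['comment_id' => $commentId, 'helpful' => $post['helpful']];
}

// The "one review per member per comment" rule from #9 is best enforced
// by the database (a UNIQUE key on member_id + comment_id), not here.
$rating = validate_rating_post($_POST);
if ($rating === null) {
    http_response_code(400);
    exit('Expected exactly one rating form.');
}
```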

  • #8
    Old Pedant (Supreme Master coder!)
    Quote Originally Posted by doubledee View Post
    Old Pedant,

    I see you didn't die after all...
    See here:
    http://www.codingforums.com/active-m...ittle-bit.html

    No, but it was pretty much a close thing for a while. The nurses were whispering about hospice to my wife.

  • #9
    doubledee (Senior Coder)
    *sigh*

    Quote Originally Posted by Old Pedant View Post
    But if your PHP code checks for multiple comments being submitted and rejects the POST (or accepts only the first comment) then all the JavaScript is doing is enhancing the user experience. Again, you are overthinking this if you have multiple <form>s.

    1.) There is NO JavaScript on my website.

    2.) A user may only submit ONE COMMENT REVIEW at a time. (This is a key concept.) Each Comment will have however many questions (e.g. Was the comment helpful?) and - at this point - one Form associated with it. A Reviewer may certainly go through and review every Comment beneath a given Article, but they have to do it one at a time.

    The goal is not to promote "assembly-line" behavior, but rather to give people a way to give feedback on really good or really crappy Comments.

    That is why I chose to wrap each Comment in a Form.


    Quote Originally Posted by Old Pedant View Post
    Having said that: A browser user can't submit more than one <form> per page unless you have a target=xxx in your <form> (e.g., you use a <frame> as a target for the form posting). But there's not much you can do to prevent hackers from multi-posting if you don't insist on only registered users being able to post.
    I only allow "Registered Members" to post a Comment.

    I only allow "Registered Members" to "review" a Comment.

    My PHP will check the database to ensure that there is only 1 Review per Member per Comment.

    Of course!!!


    As far as your other comments above, I would *assume* that a user cannot submit more than one Form per click, but then again, there is probably some way to hack things?!


    Quote Originally Posted by Old Pedant View Post
    One more time: you are over-thinking this.

    And if you won't learn to use JavaScript, your pages will never be as modern and user-friendly and and and as they should be.
    First of all, you haven't seen my website, so don't be so sure of that...

    Secondly, I am NOT learning JavaScript weeks before I go live on this version, so that discussion is not on the table.

    Sincerely,


    Debbie

  • #10
    doubledee (Senior Coder)
    Quote Originally Posted by Old Pedant View Post
    See here:
    http://www.codingforums.com/active-m...ittle-bit.html

    No, but it was pretty much a close thing for a while. The nurses were whispering about hospice to my wife.
    I figured something bad happened.

    Glad you are back.

    I will keep you in my prayers!!

    Sincerely,


    Debbie
