form location


FrEaKmAn
May 9th, 2008, 02:39 PM
Hello,

I have a form whose action is set to another URL (form.site.com/something). I like the idea of doing this, because if everything is on one page and after we submit something we want to refresh, we get a warning about resubmitting data...

So after I submit data to the form... I redirect back to the page where I want. But what if there is something wrong, like the input is incorrect? Of course I will use AJAX for checking this, but some people still don't have compatible browsers or they just deny JavaScript. I did store warnings in sessions, which then show on the submit page, but is this safe? I stored my custom messages, which are hopefully secure from SQL injection, but would it be wise to save user-submitted data?

Buzz
May 9th, 2008, 09:02 PM
You don't need another domain or subdomain. All you need are 2 pages. One to process the form and one for the UI. You'll get the same warning. The warning does not show up when the form is all 1 page. As long as you have 2 pages you'll see it. Sending post data across a URL is a bigger security risk than your session messages.

SQL injection is more about what you do with the data and how you clean it before it hits any database. What any user puts in a form field should not matter with a well-constructed back-end processor. You can always strip tags and HTML entities, which will keep the DB secure.
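The two-page flow Buzz describes, with the validation errors and the submitted values carried in the session, as an added PHP example that is not code from the thread. The file names process.php and form.php, the "name" field, the artists table and the SQLite file are assumptions; the two sections below are meant to live in two separate files.

```php
<?php
// ---- process.php : receives the POST, never renders HTML ----
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: form.php', true, 303);
    exit;
}
$name   = trim($_POST['name'] ?? '');
$errors = [];
if ($name === '' || strlen($name) > 100) {
    $errors[] = 'Name is required and must be at most 100 characters.';
}
if ($errors) {
    // Keeping the raw input in the session is fine: the session lives
    // server-side, and the value is escaped on output (below) and bound
    // as a parameter before it reaches the database.
    $_SESSION['flash'] = ['errors' => $errors, 'old' => ['name' => $name]];
} else {
    // Prepared statement: the value is never spliced into SQL text, so
    // stripping tags or entities is not what protects the DB here.
    $pdo  = new PDO('sqlite:app.db');          // assumption: local SQLite file
    $stmt = $pdo->prepare('INSERT INTO artists (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    $_SESSION['flash'] = ['errors' => [], 'old' => []];
}
// 303 redirect: a refresh of form.php is a plain GET, so the browser
// shows no "resubmit data" warning.
header('Location: form.php', true, 303);
exit;

// ---- form.php : the UI page, reached by GET only ----
session_start();
$flash = $_SESSION['flash'] ?? ['errors' => [], 'old' => []];
unset($_SESSION['flash']);                     // show the messages once
// Escape everything that came from the user before it goes into HTML,
// otherwise the re-populated field is an XSS sink.
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
foreach ($flash['errors'] as $msg) {
    echo '<p class="error">' . $e($msg) . '</p>';
}
echo '<form method="post" action="process.php">';
echo '<input name="name" value="' . $e($flash['old']['name'] ?? '') . '">';
echo '<button>Save</button></form>';
```

The same flow works when process.php sits on a subdomain, provided the session cookie domain is shared as the thread later shows with session.cookie_domain.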

FrEaKmAn
May 9th, 2008, 09:39 PM
well, my system is a little bit more complicated

I use subdomain because of my main system. My site will support more languages, also links will be modified for this, example:

artist/1/somename-of-artist - english
si/izvajalec/1/somename-of-artist - slovenian language

To save time, and because everything is hardcoded, I stored this in an array (I should show you my script). Now for every form I should add more and more options to the array and then use a switch to locate what to do and how, plus I have other things that are executed. So the point is that for forms I use another, simplified system.

Now I share session data with:

php_value session.cookie_domain .domain.com


and I don't have any problems. So again, I used a subdomain where I have a simplified version of my system, basically one switch where I compare variables, which are all in English... which I also use in the form...

if you're going to have some time, I would like to show you my idea, and then you can suggest whether I should stick with it or rewrite everything...