UGN Security
Posted By: Testing Forms - 09/27/05 01:05 AM
Ok, so in my quest to be "MR PHP" I just finished the chapter on form validation. The chapter was easy and makes plenty of sense. All pretty straightforward. However, while surfing around finding info on forms, it appears to be a huge subject.

Apparently there are all friggin kinds of forms to make and a million different ways to do it. Are forms an entire section worth focusing on within HTML? I can use Dreamweaver and yes, edit basic code manually, but I'm in no way an HTML guru. So I guess I should ask instead: how large is the issue of forms?
Posted By: §intå× Re: Forms - 09/27/05 02:26 AM
Forms are easy. HTML forms are easy enough. Basically it is like this.

Now I do not know what you know versus do not know, so I will cover it all.

POST vs GET

Get - variables are in the URL going to the script processing the form.

Post - variables are not shown in the URL. However, variables might still be easily passed using the URL, be sure to guard against this.


Code
  
<form action="http://URL_to_you_form_processing_script.php" Method="POST">

<!--
drop down menu
//-->
     <select name="my_first_var">
          <option value="option 1">option 1</option>
          <option value="option 2">option 2</option>
     </select>


<!--
text input
//-->
Login:

<input type="text" name="login">




<!--
password input
//-->
Password:
<input type="password" name="psswd">



<!--
text area (large amounts of text like the BBS input fields here)
//-->
<textarea name="my_text_area"></textarea>




<!--
submit button
//-->
<input type="submit" name="my submit button">
</form>
Once submitted, the variables will be sent to

http://URL_to_you_form_processing_script.php

all the name="" will be your variables

See below

Code
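// Read each submitted field from $_POST by its name="" attribute
$my_first_var = $_POST['my_first_var']; // this will be either "option 1" or "option 2"

$login = $_POST['login']; // whatever the user typed in for a login name

$password = $_POST['psswd']; // whatever the user typed in for a password (the field is named "psswd")

$my_text_area = $_POST['my_text_area']; // lots and lots of text the user typed in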
Now you can mix this with JavaScript, VBScript, DHTML and all sorts of stuff. I recommend to start by sticking with basic forms. They will work with all browsers, people understand how to use them, and it will help you get a better grasp on the PHP side. Trust me, when starting any script keep it simple at first till you have the PHP portions perfect, then tweak your HTML/XML/XHTML/CSS/JavaScript/VBScript.

All the HTML and other crap is for display. It is just a way to put a dress and makeup on your data. You want to focus on using the data first. Focus on the PHP and use the basic HTML crap for now. Once you get PHP perfected, the HTML will take care of itself as you look to broaden your app's capabilities and style.


Once you have the data I recommend replacing some characters.

Code
 
//replace < with  &#60;
$my_text_area = str_replace("<", "&#60;", "$my_text_area");

/*
the above code will read through everything the 
user submitted in the textarea up top using the var
 "$my_text_area"  It will find each "<" and 
replace it with &#60; which will display "<" in 
html but will break any tag-based code the user 
tried to submit.
*/


//replace " with   &#34;
$my_text_area = str_replace("\"", "&#34;", "$my_text_area");

/*
quotes can cause script problems.  There is 
something called magic quotes in PHP but we do not
 know if everyone has this enabled so we play it 
safe and make our script universal.  You have to 
escape quotes to use them.  We escape characters 
with the "\" backslash.  For example the "$" is 
used to denote a variable.  So to echo it out to 
the browser...
*/

echo "\$29.95"; // will display "$29.95";



//replace % with &#37;
$my_text_area = str_replace("%", "&#37;", "$my_text_area");


//replace @ with &#64;
$my_text_area = str_replace("@", "&#64;", "$my_text_area");



//replace { with &#123;
$my_text_area = str_replace("{", "&#123;", "$my_text_area");
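
An added example, not part of the original post: a handler for the form above that reads fields only from the POST body (the guard the POST vs GET note asks for) and uses PHP's built-in htmlspecialchars() in place of the per-character str_replace() calls. The function names and length limits are assumptions, and the sample input is constructed.

```php
<?php
// Added example. Field names (my_first_var, login, my_text_area) come from
// the form in the post; function names and limits are hypothetical.

// Read a field from the POST body only. $_GET and $_REQUEST are never used,
// so a value appended to the URL cannot stand in for a posted one.
function post_field(array $post, string $name, int $maxLen): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;                      // missing, or an array like name[]=x
    }
    $value = trim($post[$name]);
    return strlen($value) <= $maxLen ? $value : null;
}

// Encode for HTML output: covers &, <, >, " and ' in one call.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function handle_form(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'Rejected: form must be submitted with POST';
    }
    $choice = post_field($post, 'my_first_var', 20);
    $login  = post_field($post, 'login', 64);
    $text   = post_field($post, 'my_text_area', 5000);

    // The drop-down is only a hint to the browser; check it server-side.
    if (!in_array($choice, ['option 1', 'option 2'], true)) {
        return 'Rejected: unknown option';
    }
    if ($login === null || $login === '' || $text === null) {
        return 'Rejected: missing or oversized field';
    }
    // Encode at the point of output, not when the data is read.
    return '<p>' . h($login) . ' chose ' . h($choice) . '</p><pre>' . h($text) . '</pre>';
}

// Constructed sample input, in place of $_SERVER['REQUEST_METHOD'] and $_POST.
$sample = [
    'my_first_var' => 'option 2',
    'login'        => 'tester',
    'my_text_area' => '<script>alert("x")</script> Tom & Jerry\'s',
];
echo handle_form('POST', $sample), "\n";
echo handle_form('GET', $sample), "\n";
```

In a real page the call would be handle_form($_SERVER['REQUEST_METHOD'], $_POST).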
  
Posted By: Gremelin Re: Forms - 09/27/05 03:03 AM
Learner, you need to learn XHTML validation damnit...

BAD:
Code

<hr>
<input type="text" name="name">
GOOD:
Code

<hr />
<input type="text" name="name" />
Any tag that OPENS must CLOSE...
Posted By: Gremelin Re: Forms - 09/27/05 03:05 AM
Oh, and if you want a good form check out the "contact us" page on the main UGN Security site.
Posted By: §intå× Re: Forms - 09/27/05 03:15 AM
I did not use XHTML, I used HTML as it works, requires less thought and will work from "EVERY browser"
Posted By: Gremelin Re: Forms - 09/27/05 03:29 AM
Show me a browser that does not support XHTML and I'll show you an old piece of [censored] that shouldn't be used...

Besides, XHTML is so easy it's stupid, I mean the only real difference of "Valid XHTML" compared to "Valid HTML" is that "every tag that opens must close"... Common sense in the first place, no?
Posted By: §intå× Re: Forms - 09/27/05 10:57 AM
When learning a new language I find it is easiest to take away all the bells and whistles from other languages and focus on the one I am learning. HTML is easier as it is more forgiving. The man is asking about forms... XHTML is easy to pick up, but when giving demos, I use HTML as it is, like I say, more forgiving.

Put in a doctype tag, have a few tags without the "/" and you might think your PHP is [censored] if you are new. We can sit here and argue XHTML vs HTML VS XML vs MSXML vs Who_give_a_fuck_ML. The fact is XHTML and HTML are pretty much the same [censored].

The tags are the same except you have more slashes with XHTML. The end result is displaying your data in a neat tidy fashion. So Testing/Loan choose HTML or XHTML or whatever. The examples above still work with forms.


For a good tut on forms...

http://webmonkey.wired.com/webmonkey/99/30/index4a.html

That will have you up and running in no time. It does not talk about PHP, but covers HTML forms very nicely. If you want to drive yourself crazy as Gizmo would have you do with slash fever, just make sure every tag has a closing tag. If there is no closing tag, the slash goes at the end of the opening tag.

Code
<br> //HTML
<br/> //XHTML
And Gizmo... We were using Netscape 4.7 up till last year at Verizon. No XHTML support, there are companies who have not upgraded their software.
Posted By: Testing Re: Forms - 09/28/05 07:36 AM
Sintax/Learner, thanks for the link. I pretty much have forms down now. All in all it's much more basic than I thought. Don't get me wrong, I'm sure there are some pretty radical looking forms out there but in the end it seems they all follow the same rules.

Thanks again for the link.
© UGN Security Forum