How to pass data from form without a form field? (PHP)

M

8

7

I have a form for editing a users name and email. So when it updates the name and email, it needs the username to identify which row it should update.

So i wanted to know if there is any element which is passed with the form but without showing the value or being editable in the input tag.

So i get the username from one script. The edit user script gets the name and email from the database with the specified username. Then it passes that new name and email with the username to another script which updates it.

Mark answered 23/4, 2011 at 14:24 Comment(0)

T

7

I believe you are looking for

 <input type='hidden' name='username' value='theusername' />

hidden - can only be seen in the source of your HTML document
name - where it will be in the $_REQUEST/$_POST/$_GET ($_POST or $_GET depending on how you are submitting your form) variable on submit
value - the username you want this form to relate to

PRO TIP: Have a way to tell who is trying to update users so you don't have unauthorized people updating your user information. It would be very easy for someone to change the username in the form and try to update someone else.

Taka answered 23/4, 2011 at 14:27 Comment(3)

thanks, that worked. And u mean to say that anyone can change the code while sending the form and change someone else's details. So can u tell me how to make it more secure? – Mark 23/4, 2011 at 14:40

@Arjun Bajaj: How do you currently identify/authenticate your users? There are lots of ways to make web applications more secure. The primary thing to keep in mind is to never implicitly trust client input. You'll want to make sure a user is authenticated before processing this request, and make sure (using whatever authorization mechanism you use, any roles or permissions system) that the user is authorized to perform this action. That latter bit leans a lot toward business logic, whereas the former is purely authentication. – Jeannettejeannie 23/4, 2011 at 14:47

Here is a tutorial I found, should start to give you a general idea: knowledgesutra.com/forums/topic/7887-php-simple-login-tutorial – Taka 23/4, 2011 at 15:30

M

4

You can use input type hidden

<input type="hidden" name = "username" value="<?php echo $username ?>">

Milled answered 23/4, 2011 at 14:27 Comment(0)

E

4

use an:

 <input type="hidden" />

HIDDEN is a TYPE attribute value to the INPUT element for FORMs. It indicates a form field that does not appear visibly in the document and that the user does not interact with. It can be used to transmit state information about the client or server. Hidden fields often store a default value (e.g.via php), or have their value changed by a JavaScript.

more here

Ethbin answered 23/4, 2011 at 14:27 Comment(0)

C

3

Use a hidden input tag:

<input type='hidden' name='username' value='theusername' />

Chiao answered 23/4, 2011 at 14:28 Comment(0)

J

3

You can use a hidden form field:

<input type="hidden" name="originalUsername" value="something" />

This won't render on the form in the browser and will likely be ignored and unnoticed by the user.

However, be aware that this is editable. Do not rely on this as a security measure. When the form is submitted, make sure that the user submitting the form (using whatever authentication and authorization mechanisms you have in place) is authorized to make this change before persisting it to the database. Any form field being submitted can be edited.

Jeannettejeannie answered 23/4, 2011 at 14:29 Comment(0)

L

3

As all the others stated you need a hidden input. It WILL be editable though, never trust it as you never trust any other data coming from outside.

But I'd like to add that it would be nicer not to use the username for identifying a row, add an ID column as a primary key instead to your database (possibly auto incremented), and use that in your form.

Something like

<input type="hidden" name="userid" value="<?=$userid?>" />

Like answered 23/4, 2011 at 14:31 Comment(0)

D

3

Arun, you can use GET to pass variables from one page to another page. Simply construct URLs as edituser.php?username=arun and so on. This is the only possible way to pass on variables or data, of course apart from cookies, to other pages w/out using form tags.
Second method is to use JavaScript to create a hidden form field and update it with username.
Third one is to simply add hidden input tags. But this and latter will require form tags.

A word of caution, filter user inputs, be JS, GET or hidden fields.

Doti answered 23/4, 2011 at 14:34 Comment(0)

A

2

Use this if you want to use it safely:

<input type='hidden' name='username' value='<?php echo encode("Please Encode Me!","This is a key"); ?>' />

wich will result into:

<input type='hidden' name='username' value='p3e4e4241674d2r4m4i5o464a4f2p3k5c2' />

and in the modification script you will have to use:

<?php $username = decode("p3e4e4241674d2r4m4i5o464a4f2p3k5c2","This is a key"); ?>

Below you have the PHP functions for the ENCODE/DECODE:

<?php

function encode($string,$key) {
    $key = sha1($key);
    $strLen = strlen($string);
    $keyLen = strlen($key);
    for ($i = 0; $i < $strLen; $i++) {
        $ordStr = ord(substr($string,$i,1));
        if ($j == $keyLen) { $j = 0; }
        $ordKey = ord(substr($key,$j,1));
        $j++;
        $hash .= strrev(base_convert(dechex($ordStr + $ordKey),16,36));
    }
    return $hash;
}

function decode($string,$key) {
    $key = sha1($key);
    $strLen = strlen($string);
    $keyLen = strlen($key);
    for ($i = 0; $i < $strLen; $i+=2) {
        $ordStr = hexdec(base_convert(strrev(substr($string,$i,2)),36,16));
        if ($j == $keyLen) { $j = 0; }
        $ordKey = ord(substr($key,$j,1));
        $j++;
        $hash .= chr($ordStr - $ordKey);
    }
    return $hash;
}

?>

Amaras answered 23/4, 2011 at 20:28 Comment(0)

Recommended topics

Hot tags