3

Lets say I have two input fields inside a form, like so.

<form class="my-form" method="POST" action="/my/receiver">
    <input id="input1" name="inputfield1" />
    <input id="input2" placeholder="More input" />

    <input type="submit" value="Submit form" />
</form>

If I am running a server that will listen to a form submission on that link, I know for a fact that #input1 will be sent to the server as data. However, since #input2 does not have a name, will this be sent to the server?

If you answer yes / no, is this standard HTML/HTTP behavior? Can I rely on this in a production application?

Note: I'm asking this question because I do not want some info sent from my form (due to security and liability reasons), and I want to ensure that it is not sent.

Brendan
  • 2,777
  • 1
  • 18
  • 33

1 Answers1

5

An input element with no name is never submitted to the server.

That said, <input> is probably the wrong tool for the job if you specifically don't want it sent.

Niet the Dark Absol
  • 320,036
  • 81
  • 464
  • 592
  • Do you have any recommended way to have something function exactly like an `input` element then? `textarea`s would not work, but I need input from the client. – Brendan Jun 29 '14 at 00:07
  • I'm afraid I don't understand. You need input from the client, but you don't actually want it sent? – Niet the Dark Absol Jun 29 '14 at 00:08
  • Well, I take the input, then it gets sent off to a third party service. I then get a new value which I want - I insert that via jQuery as an `input type="hidden`. However, I still have the rest of the inputs in the form, but don't want them sent. – Brendan Jun 29 '14 at 00:09
  • 1
    Perhaps you need two `
    ` elements then. One to send to the third-party service (I thought you said this was for security and liability reasons? Third-party thing really a good idea?) and a second form for actually sending to you.
     – Niet the Dark Absol Jun 29 '14 at 00:10
  • Two form elements sound like a good suggestion, thanks. Its for credit cards and I don't want to be liable for their storage.. its with Stripe. Great answer. – Brendan Jun 29 '14 at 07:28
  • 1
    Assuming you're using HTTPS (as you should be) then there's no harm in sending the details to your server, if all you're doing is discarding them afterwards. But, two forms will make your web requests tidier, and any suspicious person looking at the Network tab of their dev tools will see clearly whether or not you get the info sent to you. :) – Niet the Dark Absol Jun 29 '14 at 09:55