First of all, there is no code with me yet ... I'm gathering the required data to start a project.

I will be having multiple <form>s on a website which are all linked to the same PHP page, say for example to send email or add data to DB.

Now, I can build the forms, and the PHP page to send mail or add data to the DB. BUT here is the point I need to know about ... If any of the forms calls the PHP page, how can I know which one did, so I can act accordingly?

Also, is it better to do double-validation to the form? I mean, client-side then server-side?

Since we are talking about validation, is it better to use plain JS or jQuery on the client side (I can write both)? And about the DB thing, how can I secure it?!! I mean, how can I assure that the user won't enter PHP code to mess things up, and how can I detect it?

I know this seems to be like general question or a discussion, but you will be helping me a lot. And frankly, I've been using this website for around 3 yrs now, and you guys helped me pass my grad project with a great grade :) So I'm willing to find answers here :)

Thanks all.

sikas

3 Answers

2

If you have multiple forms submitting to the same page, you can identify the forms by sending along a hidden data field, like:

<input type="hidden" name="form_name" value="001" />

Input validation should ALWAYS happen on the server. Client-side validation is nice for your users, but server-side is a must.

Validate user input before you do anything with it, and escape when appropriate, such as with mysql_real_escape_string when you put values in a query, or use prepared statements.

Halcyon
2

You can use hidden fields in your form to denote which action should take place. You can also just include a parameter in the ACTION attribute of the form. Same result either way.

<form>
  <input type='hidden' name='mode' value='save'>
  <!-- More HTML --> 
</form>

<form>
  <input type='hidden' name='mode' value='delete'>
  <!-- More HTML --> 
</form>

For validation, server-side validation comes first; then add client-side validation to reduce server processing and round-trip times. People will appreciate responsive form designs. There are plenty of form validation tools available; just look at the Related links for this question.

For security, make sure you're using PDO or the MySQLi extension to create your queries. The golden rule is to escape your input and encode your output. You can use methods like htmlspecialchars() to encode your output. And make use of PHP's Filter methods. This will help you immensely - http://php.net/manual/en/book.filter.php. Also, it's usually better to whitelist rather than blacklist when working with validation.

JohnP
  • OK JohnP, can you tell me what the difference is between MySQLi and MySQL ... I've been using MySQL like forever and will be using it in this project and also upcoming ones. – sikas Jan 15 '12 at 10:55
  • It's the improved MySQL library. If you're using PHP 5, then it's highly recommended that you use it. It's written to take advantage of the new features in MySQL and it has some security improvements over the original extension. This question has some details - http://stackoverflow.com/questions/1171344/advantages-of-mysqli-over-mysql – JohnP Jan 15 '12 at 13:50
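Halcyon's and JohnP's answers both describe the same pattern: a hidden field to tell the forms apart, validation on the server, prepared statements (PDO) and encoding on output. The handler page below puts that pattern together as an added example for this thread; it is not code from either answer. It assumes a SQLite file next to the script with the two tables created here (hypothetical names), a hidden field called `action` carrying either `contact` or `subscribe`, and the shared fields `email` and `message`.

```php
<?php
// Added example (not from the answers above): one PHP page that receives
// several forms, dispatches on a hidden "action" field, whitelists its value,
// validates on the server with PHP's filter functions, and stores data with
// PDO prepared statements. Output is encoded with htmlspecialchars().
// Assumptions: hypothetical SQLite file demo.sqlite and tables contacts/subscribers.
declare(strict_types=1);

// Whitelist of recognised form identifiers; anything else is rejected outright.
const ALLOWED_ACTIONS = ['contact', 'subscribe'];

function connect(): PDO
{
    $pdo = new PDO('sqlite:' . __DIR__ . '/demo.sqlite');   // hypothetical path
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the PHP driver, binds the values. SQLite never emulates.
    $pdo->exec('CREATE TABLE IF NOT EXISTS contacts (id INTEGER PRIMARY KEY, email TEXT NOT NULL, message TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE IF NOT EXISTS subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
    return $pdo;
}

/** Server-side validation of the shared fields. Returns [ok, cleaned values, errors]. */
function validateInput(array $post): array
{
    $errors = [];
    // FILTER_VALIDATE_EMAIL returns false for anything that is not a syntactically valid address.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'A valid email address is required.';
    }
    // Only accept a scalar string; a submitted array (message[]=...) becomes empty.
    $raw = $post['message'] ?? '';
    $message = is_string($raw) ? trim($raw) : '';
    if (strlen($message) > 2000) {
        $errors[] = 'Message is too long.';
    }
    return [$errors === [], ['email' => $email, 'message' => $message], $errors];
}

function handleContact(PDO $pdo, array $data): string
{
    if ($data['message'] === '') {
        return 'Message may not be empty.';
    }
    // Prepared statement: the user's text is bound as a value, never spliced into the SQL.
    $stmt = $pdo->prepare('INSERT INTO contacts (email, message) VALUES (:email, :message)');
    $stmt->execute([':email' => $data['email'], ':message' => $data['message']]);
    return 'Thanks, your message was saved.';
}

function handleSubscribe(PDO $pdo, array $data): string
{
    $stmt = $pdo->prepare('INSERT OR IGNORE INTO subscribers (email) VALUES (:email)');
    $stmt->execute([':email' => $data['email']]);
    return 'Subscribed.';
}

// Dispatch on the hidden field. Text that looks like PHP in a field is only text:
// it is inert unless echoed unencoded or passed to eval()/include, so the defence
// is parameterised SQL here and htmlspecialchars() on the way out.
function handleRequest(array $post): string
{
    $action = $post['action'] ?? '';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        return 'Unknown form.';
    }
    [$ok, $data, $errors] = validateInput($post);
    if (!$ok) {
        return implode(' ', $errors);
    }
    $pdo = connect();
    return $action === 'contact' ? handleContact($pdo, $data) : handleSubscribe($pdo, $data);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Encode output so anything the user typed renders as literal text in the page.
    echo htmlspecialchars(handleRequest($_POST), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Each form posts to this page and carries `<input type="hidden" name="action" value="contact">` or `value="subscribe">`; a request whose `action` is missing or not in the whitelist is refused before any validation or database work happens, which is the whitelist-over-blacklist point from JohnP's answer applied to the form identifier itself.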
1

Have a hidden field in each to determine what the action is...

<input type="hidden" name="action" value="cart" />

OR

<input type="hidden" name="action" value="purchase" />
craig1231