Reputation: 899
I have created a forum where people send questions and get answers, like here. When a user answers a question in a form that I created, I send the id of the question to another PHP file, to store the answer in the right place, as below.
<input type="text" value="<?php echo $id_of_question;?>" style="display:none;"/>
But I think this is not a safe method of doing that, or there should be better ways to do it. So, my question is whether my method is good or safe. How can I do better? I think what I did above is the lazy way :) Thanks
Upvotes: 0
Views: 69
Reputation: 1811
There are no security issues as long as you're checking the value on the other side. I would at least be checking to see if the value is an int on the other side, such as is_int($_GET['id']); you can go further and also check that it is a valid id, but that would be expensive for your DB.
The reason it really isn't an issue is that there's a 99% chance the ID is in your URL anyway, so it's not like you're giving out any secrets.
Upvotes: 1
Reputation: 271
You can use this also:
<form name="form" action="formSubmitUrl.php?id=<?php echo $id; ?>">
<input type="hidden" name="id" value="<?php echo $id; ?>" />
</form>
and you can check the POST and GET values of the form.
Upvotes: 0
Reputation: 1816
Well, I think it's better to use the hidden property rather than CSS.
<input type="hidden" value="<?php echo $id_of_question;?>" />
I have been using this in my websites for a long time. But yeah, there might be some better ways.
Upvotes: 0
Reputation: 167182
Not text but hidden:
<input type="hidden" value="<?php echo $id_of_question;?>" />
Upvotes: 0
Reputation: 943564
An input type="hidden" would make more sense, but that makes no practical difference as far as security is concerned.
While a user could change the value of the field, you just have to make sure that the value submitted is sane, i.e. at the most basic level that it is for a question that exists.
If you have more complicated requirements (e.g. some questions may be closed and not accept new answers) then you need to check that the question is open as well.
There is no way to force the browser to submit a particular value. All your security must be enforced on the server.
Upvotes: 3
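The server-side checks described in the answers (the submitted id is an integer, the question exists, and it is open), as an added example that is not code from any of the posters. The `questions` and `answers` tables, the `is_closed` column, the `body` field and the `store_answer` function are assumptions; `question_id` is the field name used in one of the answers.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the original posts): questions(id, is_closed), answers(question_id, body).
function store_answer(PDO $db, array $post): string
{
    // Request values always arrive as strings, so is_int() on the raw value is false;
    // FILTER_VALIDATE_INT accepts only a well-formed integer in the given range.
    $id = filter_var($post['question_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'invalid id';
    }
    $body = is_string($post['body'] ?? null) ? trim($post['body']) : '';
    if ($body === '') {
        return 'empty answer';
    }
    // The question must exist and still accept answers; the browser cannot be trusted for either.
    $stmt = $db->prepare('SELECT is_closed FROM questions WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no such question';
    }
    if ((int)$row['is_closed'] === 1) {
        return 'question closed';
    }
    $db->prepare('INSERT INTO answers (question_id, body) VALUES (?, ?)')
       ->execute([$id, $body]);
    return 'stored';
}

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, is_closed INTEGER NOT NULL)');
$db->exec('CREATE TABLE answers (question_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec('INSERT INTO questions VALUES (1, 0), (2, 1)');

// Constructed submissions, including values a user could put in the hidden field.
foreach (['1', '2', '999', 'abc', '-5'] as $submitted) {
    $result = store_answer($db, ['question_id' => $submitted, 'body' => 'An answer']);
    printf("%-5s => %s\n", $submitted, $result);
}
```

The existence check is a single primary-key lookup, and it is the same query that tells you whether the question is closed.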
Reputation: 254926
There is nothing wrong with it, but use hidden instead:
<input type="hidden" name="question_id" value="<?php echo $id_of_question;?>" />
Upvotes: 4