«

hello guys,

I've got a curiosity...

If I want to do a form with plain HTML and a scripting server-side
(such as php) I'd write something like this:

<form name="input" action="plain_html_form.php" method="post" >
Username:
<input type="text" name="user"> <br />
Email:
<input type="text" name="email"> <br />

<input type="submit" value="Submit"> <br />
</form>

and then from php I'll get the parameters as $_POST['user'] and
$_POST['email'] and that's alright...


BUT, if instead, I want to check the parameters before to send them to
the server, as I usually I do, I would use javascript...

With javascript I usually check if the fields are filled up correctly
and then I let javascript send them to the server, so I don't use the
form tag becuase I don't need it.

Is this method wrong?

Are there any downside I don't know?

thank you in advance,

Andrea

^AndreA^ wrote:
> hello guys,
>
> I've got a curiosity...
>
> If I want to do a form with plain HTML and a scripting server-side
> (such as php) I'd write something like this:
>
> <form name="input" action="plain_html_form.php" method="post" >
> Username:
> <input type="text" name="user"> <br />
> Email:
> <input type="text" name="email"> <br />
>
> <input type="submit" value="Submit"> <br />
> </form>
>
> and then from php I'll get the parameters as $_POST['user'] and
> $_POST['email'] and that's alright...
>
>
> BUT, if instead, I want to check the parameters before to send them to
> the server, as I usually I do, I would use javascript...
>
> With javascript I usually check if the fields are filled up correctly
> and then I let javascript send them to the server, so I don't use the
> form tag becuase I don't need it.
>
> Is this method wrong?
>
> Are there any downside I don't know?

And when JavaScript is disabled?

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

On Jul 24, 7:05*pm, "Jonathan N. Little" <lws4...@central.net> wrote:
> And when JavaScript is disabled?

Then it breaks and the visitor has a decision to make...

Gazing into my crystal ball I observed "^AndreA^"
<> writing in news:1b2e5674-0c32-4743-9b8e-
:

> hello guys,
>
> I've got a curiosity...
>
> If I want to do a form with plain HTML and a scripting server-side
> (such as php) I'd write something like this:
>
><form name="input" action="plain_html_form.php" method="post" >
> Username:
><input type="text" name="user"> <br />
> Email:
><input type="text" name="email"> <br />
>
><input type="submit" value="Submit"> <br />
></form>
>
> and then from php I'll get the parameters as $_POST['user'] and
> $_POST['email'] and that's alright...
>
>
> BUT, if instead, I want to check the parameters before to send them to
> the server, as I usually I do, I would use javascript...
>
> With javascript I usually check if the fields are filled up correctly
> and then I let javascript send them to the server, so I don't use the
> form tag becuase I don't need it.
>
> Is this method wrong?

You still need the form element. Certain elements, eg. input, cannot
exist without being wrapped in a form element. Javascript is nice as an
enhancement. As you know, you have to validate server side, especially
before you put anything in a db.

>
> Are there any downside I don't know?

Yes, users with javascript disabled will submit to the value of the
action attribute. If you do not use the form element, there is no place
to submit to.

Again, it is very important to check everything server side, especially
when the data is going into a db. You might want to look into SQL
injection.

Travis Newbury wrote:
> On Jul 24, 7:05 pm, "Jonathan N. Little" <lws4...@central.net> wrote:
>> And when JavaScript is disabled?
>
> Then it breaks and the visitor has a decision to make...

Poor choice of design implementation.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

In article <acdd6$4889418f$40cba7b7$>,
"Jonathan N. Little" <> wrote:

> Travis Newbury wrote:
> > On Jul 24, 7:05 pm, "Jonathan N. Little" <lws4...@central.net> wrote:
> >> And when JavaScript is disabled?
> >
> > Then it breaks and the visitor has a decision to make...
>
> Poor choice of design implementation.

Actually, where Travis is concerned, good on you, Jonathan, in getting
the good message out there. He is hoping we will tire and he will get
his post-modernist/free-market/each-to-his-own take on objectivity to
swamp the battlefield.

--
dorayme

On Fri, 25 Jul 2008 01:13:43 +0000, Adrienne Boswell wrote:

> You might want to look into SQL injection.

I dunno... I still prefer sipping Jack Daniel's to injecting SQL. I have
this thing about needles...

On Thu, 24 Jul 2008 15:38:00 -0700, ^AndreA^ wrote:

> With javascript I usually check if the fields are filled up correctly
> and then I let javascript send them to the server, so I don't use the
> form tag becuase I don't need it.

An html compliant browser will not allow any input/textarea tags it
encounters if it has not already seen a form opening tag.

viza wrote:
> On Thu, 24 Jul 2008 15:38:00 -0700, ^AndreA^ wrote:
>
>> With javascript I usually check if the fields are filled up correctly
>> and then I let javascript send them to the server, so I don't use the
>> form tag becuase I don't need it.
>
> An html compliant browser will not allow any input/textarea tags it
> encounters if it has not already seen a form opening tag.

Not so:

<!ENTITY % formctrl "INPUT | SELECT | TEXTAREA | LABEL | BUTTON">

<!ENTITY % inline "#PCDATA | %fontstyle; | %phrase; | %special; |
%formctrl;">

Input and textarea tags can appear anywhere inline data can appear (or
flow data, because flow includes inline), with the exception of inside a
button (because of

<!ELEMENT BUTTON - -
(%flow* -(A|%formctrl;|FORM|FIELDSET)

).

very good discussion guys, thank you to everyone...

So, I have understood that I need the form tag even though I choose
not to support users with javascript off.

I've also understood that is a good practice guarantee access to
people with javascript off (about 5% now, http://www.w3schools.com/browsers/browsers_stats.asp).

I "lost" the whole morning surfing the web trying to understand what
other people think about js on or off...

I usually check client-side for all of this stuff:
!@#$%^&*()+=[]\\\';,/{}|\":<>?~`.- _£

and then, if everything is fine, I send the data to php and I do just:
$_something = htmlentities($_POST['something']);

and then it's ready to be stored on the db.

Wasn't it enough?

Anyway It's useless to have a double check (client-side and server-
side), so, following your ideas I should do just a server side check
but it isn't as cool as AJAX...

Or maybe I could;
CLIENT-SIDE: check if the fields are filled up correctly (so who has
js on can find it usefull) and
SERVER-SIDE: check again all the fields and, above all, look for some
characters for security reasons.

What do you think?

Cheers,
Andrea