0
votes

I have a question and I don't know how to explain it. So I have a form with an input of type hidden and a submit button:

 <input type="hidden"
   name="{{ form_participate.total_amount.name }}"
   id="{{ form_participate.total_amount.name }}"
   value="{{ form_participate.total_amount.value }}"/>

The problem is that when I access it with Firebug and remove the type = hidden, I put in a value, for example 1000, and when I submit, this value is inserted in the database. Can I disallow this option?

1
Short answer is you can't. - Jason K
Can you help me please ? - Harea Costicla
Short answer: you can't. - Victor Levin
Cookies / Session - short answer - onSubmit - send it with the form or validate it on the server side. - SpiRT
This is literally impossible. - Mark

1 Answer

1
votes

Answer

You cannot prevent temporary user modification of the client-side code (HTML, JavaScript, CSS).


Alternatives

Alternative #1 - Sanitizing with default values

You can sanitize and validate the value on the server side.

PHP

<?php
$value = $_REQUEST['myHiddenElement'] ?? '';

// Make sure $value is a number and that it lies between 0 and 100
if(!is_numeric($value) || $value < 0 || $value > 100) {
    // If the value is invalid, we overwrite it with a default value.
    // This way, only a valid value ever reaches the rest of the server-side code.
    $value = 0;
}
?>

Alternative #2 - Getting back to the user

You can also show an error message if the value is not valid

PHP

<?php
$value = $_REQUEST['myHiddenElement'] ?? '';

if(!is_numeric($value)) {
    if(session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['error'] = 1;
    $_SESSION['error_message'] = "The value contained in [whatever input] is not valid.";
    header('Location: myForm.php'); // This goes back to the form.
    exit; // Stop here so nothing below runs with the invalid value.
}
?>

in myForm.php:

<?php
session_start();
// We show a custom error message only if the session variable "error" is set.
if(isset($_SESSION['error'])){
    // htmlspecialchars() keeps the message from being interpreted as HTML.
    echo '<div class="errorMessage">'.htmlspecialchars($_SESSION['error_message']).'</div>';

    unset($_SESSION['error']); // unset() destroys the variables.
    unset($_SESSION['error_message']);
}
?>
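Going one step further than a range check, as an added example (not code from the answer or the asker's project): for an amount the server can compute itself, the hidden field is treated as a claim to verify against a session-stored value, never as the source of truth. It assumes the hidden input is posted as `total_amount` and uses a constructed price list and the hypothetical functions `prepareForm` and `acceptedTotal`.

```php
<?php
declare(strict_types=1);

// Constructed server-side price list; in a real application this comes from the database.
const PRICES = ['ticket' => 25.00, 'donation' => 10.00];

/** Compute the amount from item ids and quantities using prices the server knows. */
function computeTotal(array $items): float
{
    $total = 0.0;
    foreach ($items as $id => $qty) {
        if (!isset(PRICES[$id]) || !is_int($qty) || $qty < 1) {
            throw new InvalidArgumentException("Unknown item or bad quantity: $id");
        }
        $total += PRICES[$id] * $qty;
    }
    return $total;
}

/** Called when rendering the form: remember the authoritative total in the session. */
function prepareForm(array $items): float
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $total = computeTotal($items);
    $_SESSION['expected_total_amount'] = $total;
    return $total; // rendered into the hidden input for display only
}

/** Called on submit: returns the amount to store, never the client's raw value. */
function acceptedTotal(array $post): float
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION['expected_total_amount'] ?? null;
    $submitted = $post['total_amount'] ?? null;
    if ($expected === null || !is_numeric($submitted)
        || abs((float) $submitted - $expected) > 0.005) {
        // Tampered or stale form: refuse and log it, do not silently "fix" the value.
        error_log('total_amount mismatch: submitted=' . var_export($submitted, true));
        throw new RuntimeException('Submitted amount does not match the server-side total.');
    }
    unset($_SESSION['expected_total_amount']); // one-shot: an old form cannot be replayed
    return $expected;
}
```

Editing the hidden input to 1000 in the browser then only changes what is submitted, not what the server stores, because the stored value is always the one computed in `prepareForm`.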