views:

86

answers:

3

Currently, when I design my forms, I like to keep the name of the submit button equal to the id of the form. Then, in my php, I just do if(isset($_POST['submitName'])) in order to check if a form has been submitted and which form has been submitted.

Firstly, are there any security problems or design flaws with this method?

One problem I have encountered is when I wish to overlay my forms with javascript in order to provide faster validation to the user. For example, whilst I obviously need to retain server side validation, it is more convenient for the user if an error message is displayed inline, upon blurring an input. Additionally, it would be good to provide entire form validation, upon clicking the submit button.

Therefore, when the user clicks on the form's submit button, I am stopping the default action, doing my validation, and then attempting to renable the traditional submit functionality, if the validation passes. In order to do this, I am using the form.submit() method but, unfortunately, this doesn't send the submit button variable (as it should be as form.submit() can be called without any button being clicked). This means my PHP script fails to detect that the form has been submitted.

What is the correct way to work around this? It seems like the standard solution is to add a hidden field into the form, upon passing validation, which has the name of form's id. Then when form.submit() is called, this is passed along in place of the submit button. However, this solution seems very ungraceful to me and so I am wondering whether I should:

a) Use an alternative method to detect which form has been submitted which doesn't rely rely on passing the submit button. If so what alternative is there? Obviously, just having an extra hidden field from the start isn't any better.

b) Use an alternative Javascript solution which allows me to retain my non-Javascript design. For example, is there an alternative to form.submit() which allows me to pass in extra data?

c) Suck it up and just insert a hidden field using Javascript.

UPDATE: I've accepted the correct answer but I just wanted to clarify my mistake here so it would be more helpful for others. I use Mootools and I very naively believed that when I used addEvent('submit' ...) I needed to immediately call event.stop() in order to prevent the from from being submitted. Actually this is not the case and I can just call event.stop() only if validation fails. Otherwise, the default submit gets fired, as usual, and using form.submit() becomes completely unnecessary.

+6  A: 

You could send the forms to different handlers with action=file1.php and action=file2.php.

Are they processed using a bunch of the same code? Put that into separate files, include the commonalities, and write the unique bits in each of the handling files. Don't hack, organize.

For Javascript validation, don't halt the default action then resume, instead do this:

if (validation != valid) {
    return false;
}

That way if JS is turned off or the validation fails, the form action/event is intact and it behaves as expected, otherwise it bonks. And certainly, certainly retain server-side validation. That's the "real" validation, the client-side is only to please the user and save them time. Never rely on it for YOUR sake.

Alex Mcp
I voted this up because in the end it's the "right" answer, and even if sometimes you don't use it because you're just hacking a quick script together or under some constraint / deadline that doesn't allow you to, it's good to know good practice.
Brian Roach
Thank you! Thank you! This is perfect. My mistake was thinking that in order to execute any Javascript onsubmit, I had to immediately stop the default submit action. Instead, I can just do anything I want onsubmit and the form is only submitted after all that code. Therefore, I can test for failed validation and, in that event, prevent the default. This then means I have no need of form.submit(). Very nice!
Rupert
Great, glad it's helpful! Until you see it done, it's hard sometimes to think of the "other" way.
Alex Mcp
+1  A: 

You can customize the action of the form to add a get key/value; such as action="formhandle.php?formid=10"

Jared Forsyth
Alex Mcp has the best recipe. But I agree this is a good fast way to take care of things. When I had this situation, I tried using a GET like this; in the end I decided it was cleaner to keep everything to POST.
Smandoli
Interestingly, I just reviewed RESTful concepts and learned that in principle, GET is for 'review' info and POST is for interactive or 'edit' work. I don't know how many folks subscribe to this or comply with it. (Sorry, can't link-source this at the moment.)
Smandoli
A: 

However, this solution seems very ungraceful to me

Care to explain why?

I see no point in your question. There is a problem. There is a simple solution. Why not to just use it and went to real important things?

Col. Shrapnel
Good question I should have probably clarified this.The reason this seems ungraceful to me is because the process is this: user clicks on submit -> submit action stopped -> validation occurs -> form.submit() as if no submit button has been clicked. However, clearly a submit button HAS been clicked. Therefore, a more elegant solution would be one where I could replace form.submit() with something that retained the fact that a submit button has been clicked. I'm not against using a solution that works but I can still do that whilst also investigating potentially better solutions.
Rupert
Speaking of graceful: Col Shrapnel's answer amounts to (c). I think it would be courteous to just say that. The answer as given seems somewhat dismissive of the person who is asking.
Smandoli