[SOLVED]

Prefill Form via URL Parameters

5/7/2020 10:48:15 AM
PHPRunner General questions
WisTex author

Sometimes it is convenient to prefill forms via URL so that the user has less data entry and you do not have to make multiple versions of the same form.
Example Use Case:

  1. A user is on a page listing all items in a particular category.
  2. Clicking on the "Add New" button goes to the add form, but has the category of the calling page already selected.
    So, if there is a field called "category" on the form:
    Going to example.com/form_add.php?category=1 (or something similar)...
    ...would show the add form as usual but would have category 1 automatically selected (from the drop-down, radio button, etc.).
    You could also have it prefill text fields as well.
    If passing variables via GET is not possible, passing them via POST would work as well. Both scenarios have their uses.
    What is the best way to go about doing this?

admin 5/7/2020

Sure, it is possible, use $_GET["category"] as a default value.
Just remember that this is not secure.

WisTex author 5/7/2020

    Sure, it is possible, use $_GET["category"] as a default value.
    Just remember that this is not secure.

Thank you.
Wouldn't this be as secure as them filling out the form? This is just prefilling the field. The form does not get submitted until the user presses save.

admin 5/7/2020

If one user sends a link to this page to another user and prefills it with specially crafted JavaScript code, that code can send data somewhere else. The idea is explained here:

https://blog.alertlogic.com/blog/client-side-injection-attacks/
I need to add that both PHPRunner and modern browsers are taking measures to prevent this from happening, I just wanted to remind that this is potentially unsafe.

WisTex author 5/10/2020

    If one user sends a link to this page to another user and prefills it with specially crafted JavaScript code, that code can send data somewhere else. The idea is explained here:
    https://blog.alertlogic.com/blog/client-side-injection-attacks/
    I need to add that both PHPRunner and modern browsers are taking measures to prevent this from happening, I just wanted to remind that this is potentially unsafe.

Okay. So we would want to sanitize it before displaying it.
Is there a built-in function we can use to do that or should I include my own sanitize function?

admin 5/10/2020

There are a number of ways to do that and the phrase you need to Google is "php sanitize get parameters". This is not specific to PHPRunner in any way.

WisTex author 5/10/2020

    There are a number of ways to do that and the phrase you need to Google is "php sanitize get parameters". This is not specific to PHPRunner in any way.

I know. I just figured that you already had a sanitizing routine I could call. After all, I assume you already sanitize input from users, so such a function must already exist.
We can certainly use the non-PHPRunner code we use elsewhere.
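As an added example (not code from this thread or from PHPRunner itself), here is one way to do the prefill in plain PHP: the category id from the URL is accepted only if it matches an allow-list of known ids, and a free-text field is escaped with htmlspecialchars before it is written into the value attribute, so a crafted link cannot inject markup or script. The category list, the "title" field and the form markup are assumed; the mbstring extension is assumed for mb_substr.

```php
<?php
// Constructed sample of the allowed category ids, e.g. loaded from the categories table.
$allowedCategories = [1 => 'Books', 2 => 'Music', 3 => 'Video'];

/**
 * Return the category id from the query string only if it is a positive integer
 * that exists in the allow-list; anything else means "no preselection" (null).
 * Because only a known id is ever used, no attacker-controlled string reaches the page.
 */
function prefillCategory(array $query, array $allowed): ?int
{
    if (!isset($query['category'])) {
        return null;
    }
    // FILTER_VALIDATE_INT returns false for non-numeric strings and for array input.
    $id = filter_var($query['category'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !array_key_exists($id, $allowed)) {
        return null;
    }
    return $id;
}

/**
 * Free-text prefill: keep the value but make it inert in an HTML attribute context.
 * ENT_QUOTES escapes both quote styles so the value cannot break out of value="...",
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function prefillText(array $query, string $name, int $maxLen = 200): string
{
    $raw = $query[$name] ?? '';
    if (!is_string($raw)) {      // title[]=... would arrive as an array; ignore it
        return '';
    }
    $raw = mb_substr($raw, 0, $maxLen, 'UTF-8');
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rendering: form_add.php?category=2&title=<script>... preselects "Music" and
// shows the title text literally, with the angle brackets encoded.
$selected = prefillCategory($_GET, $allowedCategories);
echo '<select name="category">';
foreach ($allowedCategories as $id => $label) {
    $sel = ($id === $selected) ? ' selected' : '';
    echo '<option value="' . $id . '"' . $sel . '>'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</option>';
}
echo '</select>';
echo '<input type="text" name="title" value="' . prefillText($_GET, 'title') . '">';
```

The same two rules carry over to any field type: select-style inputs take the URL value only to look up a choice you already know, and text inputs are escaped for the context they are written into.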