我有一个问题,我现在不知道如何解释。所以我有一个输入类型=隐藏的表单和一个提交按钮:
<input type="hidden"
name="{{ form_participate.total_amount.name }}"
id="{{ form_participate.total_amount.name }}"
value="{{ form_participate.total_amount.value }}"/>
问题是,当我使用firebug访问并删除type = hidden时,我输入一个值,例如1000,我确实将此值提交到数据库中。我可以不允许这个选项吗?
答案 0 :(得分:1)
您无法阻止临时用户修改客户端代码(HTML,JavaScript,CSS)。
备选方案#1 - 使用默认值进行消毒
您可以清理并验证服务器端的值。
<强> PHP
<?php
$value = $_REQUEST['myHiddenElement'];
// We make sure $value is a number and it its value is between 0 and 100
if(!is_numeric($value) || $value < 0 || $value > 100) {
// If the value is invalid, we overwrite it with a default value.
// This way, we're sure only valid values are sent to the server.
$value = 0;
}
?>
备选方案#2 - 返回用户
如果值无效,您还可以显示错误消息
<强> PHP
<?php
$value = $_REQUEST['myHiddenElement']
if(!is_numeric($value)) {
if(!isset($_SESSION)) {
session_start();
}
$_SESSION['error'] = 1;
$_SESSION['error_message'] = "The value contained in [whatever input] is not valid.";
header('Location: myForm.php'); // This goes back to the form.
}
?>
:
<?php
session_start();
// We show a custom error message only if the sesison variable "error" is set.
if(isset($_SESSION['error'])){
echo '<div class="errorMessage">'.$_SESSION['error_message'].'</div>'; // Shows the message to the user.
unset($_SESSION['error']); // unset() destroys the variables.
unset($_SESSION['error_message']);
}
?>