On 16 Aug 2009, at 14:02, Arthus Erea wrote:

> Sorry, but I don't see the benefit.
>
> Since this is FormUI, we already know the names of the fields we're
> looking for. In fact, there's absolutely no reason you should ever
> have to access the raw $_POST data for a FormUI form.

But even now we have to specify the field names in both the place we create the form, and the place we handle the form data. So yes, you do have to know what the names of the fields are in the $_POST array.

> That's why I'd prefer a random string. FormUI knows what it's looking
> for, but it makes the form less vulnerable to sniffing/attack/
> mistakes.

Um, how is this making a form more secure? Making the id random means you can never target that input with CSS (bad idea.) and to stop people submitting fake data, just means I request the form before posting my data, and use the "random" values the form gives me when I request it. Plus you'd have to store which random values you used for the form against the user that requested them somehow, which is just a whole load of overhead for no benefit.

The reason I'm suggesting it is because you could then grab the comment form object, loop over $_POST["comment"] and assign the values of the array to the formui object as attributes, which means you get a fully populated formui object to validate, save, redisplay - without having to know what the name of each field is. The field names are just defined in the creation of the comment FormUI object.

C
---
Caius Durling
[email protected]
+44 (0) 7960 268 100
http://caius.name/
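The approach described in the message above, as an added example that is not part of the original post or Habari's code: a hypothetical `SketchForm` class (an assumption, not the real FormUI API) declares its fields once, and the handler copies only those declared names out of the `$_POST["comment"]` sub-array, so extra keys in a submission never reach the object. The sample request is constructed.

```php
<?php
// Hypothetical stand-in for a FormUI-style form object; not Habari's real API.
final class SketchForm
{
    private string $name;
    /** @var array<string, string> declared field name => current value */
    private array $fields = [];

    public function __construct(string $name)
    {
        $this->name = $name;
    }

    // Field names are defined once, where the form is created.
    public function append(string $field): void
    {
        $this->fields[$field] = '';
    }

    /**
     * Copy values from this form's own sub-array of the request.
     * Only declared fields holding string values are assigned; the
     * keys that were submitted but never declared are returned.
     */
    public function populate(array $post): array
    {
        $submitted = $post[$this->name] ?? [];
        if (!is_array($submitted)) {
            return [$this->name];
        }
        foreach (array_keys($this->fields) as $field) {
            if (isset($submitted[$field]) && is_string($submitted[$field])) {
                $this->fields[$field] = $submitted[$field];
            }
        }
        return array_keys(array_diff_key($submitted, $this->fields));
    }

    public function values(): array
    {
        return $this->fields;
    }
}

// Constructed sample request: inputs named comment[author], comment[content], ...
$post = ['comment' => ['author' => 'C', 'content' => 'Hi', 'status' => 'approved']];

$form = new SketchForm('comment');
$form->append('author');
$form->append('content');

$undeclared = $form->populate($post); // keys sent by the client but not on the form
var_dump($form->values(), $undeclared);
```

Iterating over the declared fields rather than over the submitted array is what keeps a client-supplied key such as `status` from being assigned to the object.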
