To be clear, I do *not* think the ID should be random. I am referring solely to the name.
On Aug 16, 2009, at 9:18 AM, Caius Durling wrote:

> On 16 Aug 2009, at 14:02, Arthus Erea wrote:
>
>> Sorry, but I don't see the benefit.
>>
>> Since this is FormUI, we already know the names of the fields we're
>> looking for. In fact, there's absolutely no reason you should ever
>> have to access the raw $_POST data for a FormUI form.
>
> But even now we have to specify the field names in both the place we
> create the form, and the place we handle the form data. So yes, you do
> have to know what the name of the fields are in the $_POST array.

They are one and the same. There is no "creation place" and "handler place" — the single FormUI object is used for both. The handler function does *not* ever have to know the field name. It calls the data from the FormUI object, based upon the FormUI field.

>> That's why I'd prefer a random string. FormUI knows what it's looking
>> for, but it makes the form less vulnerable to sniffing/attack/
>> mistakes.
>
> Um, how is this making a form more secure? Making the id random means
> you can never target that input with CSS (bad idea.) and to stop
> people submitting fake data, just means I request the form before
> posting my data, and use the "random" values the form gives me when I
> request it.

I am referring solely to the name, not the ID. That has zero impact upon the CSS abilities.

If the names must first be sniffed, you have to do 2 requests instead of 1. That makes spammers spend twice as much effort.

Additionally, consider potential sniffing. If the field name is random (only the server and client know it), it's harder to sniff for what data contains.

> Plus you'd have to store which random values you used for the form
> against the user that requested them somehow, which is just a whole
> load of overhead for no benefit.

Look: we're going to do that anyways. That's how FormUI works. We are *not* going to blindly trust whatever is in the $_POST array. We are not going to simply add every element in it onto the FormUI object.

Your proposal would require significant redevelopment of FormUI, has negligible benefit, and is prone to error. Why should we redevelop FormUI without any benefit?

Furthermore, I wonder if you have thoroughly explored the FormUI code. For FormUI, creation, validation, and display are done with the same object. If one part knows the form name, all of it knows the form name. It seems like you're trying to bring over a concept which might make sense in less-advanced systems (where you just parse $_POST manually), without fully understanding FormUI.

For more options, visit this group at http://groups.google.com/group/habari-dev
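The design the reply describes (one object that renders the form and later reads the submission, with per-session random field names and a stable id for CSS), sketched as an added example. This is illustrative code, not Habari's FormUI; the class, its methods and the `$_SESSION['form_names']` key are all hypothetical.

```php
<?php
// Added illustration, not Habari's FormUI code. One object both renders the
// form and reads the submission, so the handler never indexes $_POST by a
// hard-coded name. Wire *names* are random per session; the id stays the
// logical name so CSS can still target the element.
session_start();

class RandomNameForm
{
    private $formId;
    private $fields = [];   // logical name => label

    public function __construct($formId) { $this->formId = $formId; }
    public function addField($logical, $label) { $this->fields[$logical] = $label; }

    // Mapping logical name => random wire name, created on first render and
    // kept in the session so only this client knows the names it was shown.
    private function nameMap()
    {
        if (!isset($_SESSION['form_names'][$this->formId])) {
            $map = [];
            foreach (array_keys($this->fields) as $logical) {
                $map[$logical] = 'f_' . bin2hex(random_bytes(8));
            }
            $_SESSION['form_names'][$this->formId] = $map;
        }
        return $_SESSION['form_names'][$this->formId];
    }

    public function render()
    {
        $html = '';
        foreach ($this->nameMap() as $logical => $wire) {
            $html .= sprintf('<label for="%1$s">%2$s</label> <input id="%1$s" name="%3$s">' . "\n",
                htmlspecialchars($logical), htmlspecialchars($this->fields[$logical]), $wire);
        }
        return $html;
    }

    // Handler side: ask for a field by its logical name. Keys in $post that
    // are not in the map are never read, so nothing unexpected gets copied.
    public function value($logical, array $post)
    {
        $wire = $this->nameMap()[$logical] ?? null;
        return ($wire !== null && isset($post[$wire])) ? (string) $post[$wire] : null;
    }
}

$form = new RandomNameForm('comment');
$form->addField('author', 'Name');
$form->addField('content', 'Comment');
echo $form->render();                         // step 1: client fetches the form
$content = $form->value('content', $_POST);   // step 2: same object reads the post
```

A client that never fetched the form has no session mapping, so its post matches no field; this is the "two requests instead of one" cost the thread argues about, and nothing more.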
