On Tue, Oct 16, 2012 at 9:53 PM, Ethan Rosenberg, PhD
<erosenb...@hygeiabiomedical.com> wrote:
> <snip>
> <form> with an empty action= attribute simply calls the same URL as given. I
> use this all the time for testing and for localhost one-page apps, but is a
> Very Bad Idea ™ for a real on-the-internet application.
> ========
> Thank you for your input.
> Please, teach me, why is it a "Very Bad Idea ™"
> Ethan

Generally speaking, you want to be very sure of the routes,
parameters, and data that is going to be coming into your application
from a form (and really, anywhere, but form in this case).

If you leave action empty or omit it, it calls the URL back that is
shown to the browser. This isn't always a problem, but if the URL
happens to have additional information such as an info path and/or a
query string, the possibility of it being abused is increased, and
it's a potential vector for hacking your application.

In addition, the existence of things like path info and query strings
is a potential source of defects if you don't know it's happening and
you don't code around it.

Finally, although many many applications do this, it is generally
considered a poorer user experience to press the "back" button and get
a message saying that the page has expired and the browser needs to
resend data, as well as a possible application headache if you end up
processing the same information twice. Thus better to specifically set
the action to the script that will process the information, and give a
302 redirect in that script to whatever the response is via a location

<form action="process.php" method="POST">
    <!-- rest of the form -->

   /* give 302 redirect to browser */
   header('Location: http://www.example.com/response.html');

   /* process the form data */

<h1>Thank you</h1>
<p>Thank you for submitting your information.</p>

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to