[development] form protection?
Doug Green
douggreen at douggreenconsulting.com
Fri Dec 28 14:31:36 UTC 2007
I think that yched's advise is good.
But listening to your application, you have something that only works
when javascript is available, which is not a very good degrade. Things
should work for people without javascript too. So, if the options are
known to the php code, you might try setting them in the #options, then
removing the ones that aren't valid by javascript -- rather than the
other way around (which is what I think you're doing) which is putting
no values i #options, and then adding the valid ones by javascript.
If that's not possible, then yched's advise is definitely the way to go.
yched.drupal at free.fr wrote:
> On Fri, 28 Dec 2007 10:55:58 -0200, Alessandro Feijó wrote:
>
> > I'm manipulating dynamicaly the content of a Combobox
> > It starts empty, I set the values with jQuery, and when I click
> Submit, an error say something like 'invalid content, contact your
> administrator'
> > There is any protection to prevent content different from the
> original possible values to an ?
> Yes there is.
> You need to specify
> $form['your_select_element']['#dangerous_skip_check'] = TRUE;
> You then need to perform your own server-side validation on the
> posted value, since this leaves your form open to invalid
> submissions.
> Note that this flag has been removed from D6, where the recommended
> way is now to use FAPIs #ahah properties.
>
More information about the development
mailing list