[development] form protection?

Doug Green douggreen at douggreenconsulting.com
Fri Dec 28 14:31:36 UTC 2007

I think that yched's advise is good.

But listening to your application, you have something that only works
when javascript is available, which is not a very good degrade.  Things
should work for people without javascript too.  So, if the options are
known to the php code, you might try setting them in the #options, then
removing the ones that aren't valid by javascript -- rather than the
other way around (which is what I think you're doing) which is putting
no values i #options, and then adding the valid ones by javascript.

If that's not possible, then yched's advise is definitely the way to go.

yched.drupal at free.fr wrote:
>  On Fri, 28 Dec 2007 10:55:58 -0200, Alessandro Feijó  wrote: 
>  > I'm manipulating dynamicaly the content of a  Combobox 
>  > It starts empty, I set the values with jQuery, and  when I click
> Submit, an error say something like 'invalid content, contact your 
> administrator'
>  > There is any protection to prevent content  different from the
> original possible values to an  ?    
>  Yes there is. 
>  You need to specify 
> $form['your_select_element']['#dangerous_skip_check'] = TRUE; 
>  You then need to perform your own server-side validation on the 
> posted value, since this leaves your form open to  invalid
> submissions. 
>  Note that this flag has been removed from D6, where the recommended
> way is  now to use FAPIs #ahah properties.  

More information about the development mailing list