
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Secure Forms - XID Missing from $_POST

April 01, 2010 10:05pm

  • #1 / Apr 01, 2010 10:05pm

    ryal001

    42 posts

    Hi, I am having a problem reading the XID value when posting a form in the control panel; the XID value is not appearing in the $_POST array.

    <form action='index.php?S=35d1d75094d70654f447ab9382753455a9c44f5c&C=modules&M=my_module&P=view_account&account_id=150' name='form_account_payments' id='form_account_payments' method='post'>
    <div class='hidden'><input type='hidden' name='XID' value='840136e38180d5261c56400b084ebb5955e038fe' /></div>
    
    <div class='hidden'><input type='hidden' name='account_id' value='150' /></div>
    <div class='hidden'><input type='hidden' name='account_payments' value='1' /></div>

    I am posting back to the same page and testing for the presence of the submit button in the $_POST array. This works fine, and all the other form input values are included. Using var_dump when the page refreshes, but before any other processing of $_POST variables, I get:

    array(7) { ["account_id"]=> string(3) "150" ["account_payments"]=> string(1) "1" ["total_amount_received"]=> string(6) "599.50" ["purpose_0000000144"]=> string(1) "2" ["amount_0000000144"]=> string(6) "599.50" ["balance_to_credit"]=> string(4) "0.00" ["submit_account_payments"]=> string(13) "Save Payments" }

    So everything comes through except the ‘XID’ value.  If EE is automatically checking and removing the XID hash, then it’s not working for me because refreshing the pages after a submission is causing my form’s data to be applied again to the database.

    Have I done something dumb or is there a trick to this? Perhaps I should manually add my own security hash (‘MY_XID’) with a hash value and test for that?


    Thanks and Happy Easter,

    Rob

  • #2 / Apr 02, 2010 3:41am

    John Henry Donovan

    12339 posts

    Rob,

    Can you explain why you need to do this first? Just a bit of background.
    What version and build of EE are you using?

  • #3 / Apr 02, 2010 6:30am

    ryal001

    42 posts

    I just want to have the same page shown after the form re-submission rather than some sort of confirmation page - like the way you update the General Configuration page under the Admin tab.

    Anyway, I have been studying the way the General Configuration page is updated, and it seems that the way to do it is to have the form call a different function (from the form ‘action’) which updates the settings in the database and/or the config file and then use $FNS->redirect to get back to the original page for display, by which time the $_POST array has been reset (because the form went to a different location), even though it looks to the user like they never left the General Configuration page. Is this correct?

    Using 1.6.8


    Thanks

  • #4 / Apr 02, 2010 6:51pm

    Brandon Jones

    5500 posts

    A redirect is pretty much the only way to ensure the browser won’t throw the “You are about to resend postdata” warning if you hit Back or Refresh, so that does indeed sound correct.
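    The pattern the thread settles on, as an added example that is not ExpressionEngine code or Rob's module: a one-time form token (named XID here to match the form above) that is validated and consumed server-side, followed by a Post/Redirect/Get so that Back or Refresh re-fetches the page instead of re-posting the payment data. It assumes plain PHP sessions and a 303 redirect in place of EE's $FNS->redirect; the account_id value is a constructed placeholder.

```php
<?php
// Added example, not ExpressionEngine code: a one-time form token ("XID"-style)
// check combined with Post/Redirect/Get, using plain PHP sessions.
session_start();

// Issue a fresh token for the form about to be rendered and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(20));          // 40 hex chars, like the XID above
    $_SESSION['form_tokens'][$token] = time();
    return $token;
}

// Validate and consume the token. A token is accepted at most once, so a replayed
// or re-posted request is rejected even if the client ignores the redirect below.
function consume_form_token(array &$post): bool
{
    $token = $post['XID'] ?? '';
    unset($post['XID']);                          // downstream code never sees the token
    if (!is_string($token) || !isset($_SESSION['form_tokens'][$token])) {
        return false;
    }
    unset($_SESSION['form_tokens'][$token]);      // one-time use
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token($_POST)) {
        http_response_code(403);
        exit('Invalid or reused form token');
    }
    // ...apply the validated $_POST (account_id, amount_* ...) to the database here...

    // Post/Redirect/Get: send the browser to a GET of the same URL so that a refresh
    // repeats the GET rather than the POST.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

$xid = issue_form_token();   // every render of the form gets a new token
?>
<form method="post" action="">
  <input type="hidden" name="XID" value="<?= htmlspecialchars($xid, ENT_QUOTES) ?>">
  <input type="hidden" name="account_id" value="150">   <!-- constructed placeholder -->
  <button name="submit_account_payments" value="Save Payments">Save Payments</button>
</form>
```

Because the token is removed from $_POST inside consume_form_token, code that runs afterwards sees exactly the field set Rob's var_dump shows: every input except XID.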

