Thread

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

expression engine 2.7 upgraded now can't submit any forms

September 03, 2013 4:58pm

Subscribe [11]
  • #1 / Sep 03, 2013 4:58pm

    caps1994's avatar

    caps1994

    4 posts

    Hi all,

    i just upgraded to ee 2.7 and now when I submit a form I get this error:

    The following errors were encountered

    The action you have requested is invalid.

    there is a file attached to this post with a print screen of it

    any help would be much appreciated

  • #2 / Sep 03, 2013 6:00pm

    bitsculptor's avatar

    bitsculptor

    29 posts

    I too am having this same issue after upgrading to 2.7 today. Accessing the page directly from URL works fine, but posting to it (or any other template/page) via a form produces: “The action you have requested is invalid.”

  • #3 / Sep 03, 2013 6:19pm

    caps1994's avatar

    caps1994

    4 posts

    I don’t know what your form does but you could try this

    If you use the new channel form http://ellislab.com/expressionengine/user-guide/modules/channel/channel_form/index.html

    this works in my experience but i was enable to get php to work with it

    hope this helps

  • #4 / Sep 03, 2013 6:42pm

    bitsculptor's avatar

    bitsculptor

    29 posts

    My form is just a regular POST-type form that submits a value to a search template with PHP enabled that handles the POST value. I tried enabling/disabling PHP and re-creating the template new but the error persists. I even cleared out the template contents completely, and it still gives the same error when submitting a form to it, but no error when accessing it via URL.

  • #5 / Sep 03, 2013 6:44pm

    caps1994's avatar

    caps1994

    4 posts

    I’ve submited a bug report so with any luck they my get back to me

  • #6 / Sep 04, 2013 2:09pm

    caps1994's avatar

    caps1994

    4 posts

    Thanks to Robin from ellislabs

    I suspect the problem is related to changed in XID requirements, which are stricter in 2.7.  Any post data is going to require a valid xid.  It IS easy to make custom forms compliant- use the XID_HASH global in a hidden field:

    <input type="hidden" name="XID" value="{XID_HASH}" />

    Try adding that to any custom forms- does that take care of the issue?

    that’s fixed it for me

  • #7 / Sep 04, 2013 2:30pm

    bitsculptor's avatar

    bitsculptor

    29 posts

    Great! That did it!

    Thanks for taking the time to research the issue caps1994, and thanks to Robin too. Hopefully this helps others with the same problem.

  • #8 / Oct 25, 2013 8:59am

    amityweb's avatar

    amityweb

    162 posts

    Problem I have is I have an iFrame pop up (page on same site) with a form in it. Setting the XID in this form has no effect on the parent page, so when the form is closed, refreshing the original page causes a internal server error, I suspect due to the XID issue.

    I have no idea how to overcome this when using an iFrame. I need the iFrame because its a google map we do not want visible on the first page load, and google maps only work if visible on the page, so putting in an iframe fixed this issue, and now 2.7.2 breaks it.

  • #9 / Oct 27, 2013 7:18am

    Ralph's avatar

    Ralph

    75 posts

    You could also try diabling Secure Forms by adding this to the config.php file

    $config['secure_forms'] = "n";

    Another option is to change the form method to GET so it submits the form via the querystring or get a new version of the XID via AJAX before submitting. There is a good example here: http://expressionengine.stackexchange.com/questions/12673/secure-forms-setting-and-ajaxified-forms

  • #10 / Oct 27, 2013 9:50am

    amityweb's avatar

    amityweb

    162 posts

    Thanks

    The form within the iframe is using GET already, but still gives me the issue. I dont really want to disable the security. And I am not sure how to return this via AJAX, we are using a Google Maps plugin and I think I may need to modify that, but dont want to as we update it occasionally.

    I have decided we can no longer use the iframe, we will link to an actual template page with the google map in it, so its on the same site and using the same XID. A big shame, EE loses flexibility in this situation.

  • #11 / Nov 16, 2013 1:37am

    Nibb

    138 posts

    After the upgrade I also had this problem in most of my forms. The solution caps1994 posted works except that I have a problem on one form that use recaptcha.

    If the user fills the incorrect captcha code and clicks back in his browser, he will not see that error because I assume the id is not reloaded. I donĀ“t want to disable the security either, in particular because the solution posted here works, but it breaks the captcha page in this case since if a user clicks back and fills the correct code he will hit the error and cannot proceed.

    What would be the solution to this case where a user actually needs to go back to the previous form?

  • #12 / Nov 23, 2013 1:02am

    Also if this is related.
    This error is now thrown if you have EE as a tab on your Facebook Page as Facebook posts to the page and now that action is also “Invalid” with 2.7. Tested this with page outside of EE at the root of the site and it works fine. Back to EE page. Invalid.

  • #13 / Nov 23, 2013 12:12pm

    Nibb

    138 posts

    Also if this is related.
    This error is now thrown if you have EE as a tab on your Facebook Page as Facebook posts to the page and now that action is also “Invalid” with 2.7. Tested this with page outside of EE at the root of the site and it works fine. Back to EE page. Invalid.

    As far a I understand this feature is to protect users from submitting a form and data without actually visiting the original page, this is to avoid spam and other type of automated submissions or even attacks on your websites by executing the form externally.

    This protections forces the user to reload the page or make sure its an actual visitor that comes from the original source.

    Is there a way a to force a page reload when a back click is detected? That could solve the captch issue for example.

  • #14 / Nov 24, 2013 3:35am

    Actually I solved the Facebook issue by serving up the Facebook part of the site through an iframe page outside of Expression Engine. I could have turned off secure forms though I did not want to do that. Upgrading Freeform fixed another error I was having with this on my contact form.

    This is the iframe solution here. https://www.facebook.com/YourOnlineStory/app_342150792531981 works fine with some css to make the iframe scroll and be 100% as deep as the page.

    Sometimes though in a client job you want to be able to submit a form from a third party site to your EE site. Would be good to have a way of disabling this for specific pages/forms to enable that functionality without having to switch this off overall.

  • #15 / Dec 03, 2013 12:59pm

    asidua

    14 posts

    Yes we added the code

    <input type="hidden" name="XID" value="{XID_HASH}" />

    into our page header as this was affecting our insite search plugin (super search).

    Now sorted so thanks

ExpressionEngine News

#eecms, #events, #releases