
What do, if $_POST variables are missing?

Developer https://www.devze.com 2023-02-20 09:14 Source: web
What should an application do if a $_POST variable that is required to perform the action is missing?

For example, imagine I have a form with an <input name="title"> and I have some page, which processes the resulting POST request. Now, what should this page do, if it gets a request, but no $_POST['title'] variable was set?

To make it clear: By "not set" I mean, that an invalid request is made, which a normal user cannot do, only somebody making a manual request to my form processing page, i.e. somebody trying to do things with my site, I don't want it to be done with.

Some possibilities:

  • Just die.
  • Print a fancy error message, like you would do if the field were just empty.
  • Block further requests from this IP.


Return to the page with the form and indicate to the user that the title has to be set.


Check for and sanitize your expected POST keys.

if (isset($_POST['title'])) {
    // sanitize and use title here
}
else die("Missing required field: 'title'.");

Edit: Because we do not like die(), how about this:

if (isset($_POST['title'])) {
    // sanitize and use title here
}
else 
{
    // handle an invalid POST. You could redirect to form 
    // page, display an error, or whatever works for your
    // application.
}


I tend to favour the redirect. If someone is coming from somewhere they shouldn't be coming from, or doing something they shouldn't be doing - I just take them someplace else, silently and without fuss.

If you fill in my form and it doesn't validate server side, I take you back to the form, point out your mistakes, pre-fill it with your values and encourage you to try again.

If you don't fill in my form and it doesn't validate server side, I either do the same as above, or I just dump you on the form page as though it never happened.

The important thing is that if you don't want people to be able to directly POST data to a page, that you stop them from doing so - it's less important what you actually do with the user since they are clearly using your site in an unnatural way. They are probably automated bots and could not care less what happened to them anyway, especially if you're talking about some form that could be construed as something that might allow comments or otherwise publish some text to a site. The spammers just LOVE those.

On that note - you should of course take care to protect your site from bots that can recognise what a valid POST looks like and spoof it. Something like ReCaptcha does the trick, but there are many ways to do it.
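The two answers above describe the same pattern: check the expected POST keys first, then either fail closed or send the client back to the form. The following script is an added example (not code from any of the answerers) that combines them. It distinguishes a key that is absent or has the wrong type, which the real form never produces, from a key that is present but blank, which is an ordinary user mistake. The form path, the required field names and the "save" step are placeholders for your own application.

```php
<?php
// Added example: validate required $_POST keys before using them.
// FORM_PAGE, $required and the final "save" line are hypothetical.

/**
 * Names of required keys that are absent from $input, or that are not
 * plain strings (e.g. title[]=x turns $_POST['title'] into an array).
 * A normal submission of the HTML form never produces either case.
 */
function find_missing_keys(array $input, array $required): array
{
    $missing = [];
    foreach ($required as $key) {
        if (!array_key_exists($key, $input) || !is_string($input[$key])) {
            $missing[] = $key;
        }
    }
    return $missing;
}

/**
 * Names of required keys that are present as strings but blank after
 * trimming: the user submitted the form without filling them in.
 */
function find_empty_keys(array $input, array $required): array
{
    $empty = [];
    foreach ($required as $key) {
        if (isset($input[$key]) && is_string($input[$key]) && trim($input[$key]) === '') {
            $empty[] = $key;
        }
    }
    return $empty;
}

const FORM_PAGE = '/form.php';          // hypothetical page that shows the form
$required = ['title', 'body'];          // hypothetical required fields

// Anything that is not a POST should simply land on the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: ' . FORM_PAGE, true, 303);
    exit;
}

$missing = find_missing_keys($_POST, $required);
if ($missing !== []) {
    // Hand-crafted request: record it server-side, then redirect silently
    // (as the "redirect" answer suggests) without telling the client why.
    error_log('POST ' . $_SERVER['REQUEST_URI'] . ' missing keys: ' . implode(',', $missing));
    header('Location: ' . FORM_PAGE, true, 303);
    exit;
}

$empty = find_empty_keys($_POST, $required);
if ($empty !== []) {
    // Real user, blank field: explain the problem instead of dropping them.
    http_response_code(422);
    echo 'Please fill in: ' . htmlspecialchars(implode(', ', $empty), ENT_QUOTES, 'UTF-8');
    exit;
}

// All required fields are present and non-empty. Escape for the HTML
// output context before echoing; use the raw value (with prepared
// statements) if it goes to a database instead.
$title = htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8');
echo "Saved: $title";
```

The `is_string` check matters because PHP turns `name[]=value` into an array, and passing an array to `trim()` or `htmlspecialchars()` raises a TypeError on current PHP versions; treating such a key as missing keeps the script in the "invalid request" branch rather than crashing. Logging with `error_log` gives you the detection signal the third answer talks about (repeated requests with missing keys from one source) without revealing to the sender which field tripped the check.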


"[...]somebody trying to do things with my site, I don't want it to be done with"

Don't care too much about them. Just put a die("Try again loser!"); and let it go. Good design and generally good things are made for people who use your site as it is supposed to be. People who try to do bad things to your site deserve just a blank page with some bold text.

