[ic] [button] and mv_form_profile question.

Mike Heins interchange-users@icdevgroup.org
Sat Mar 15 10:55:01 2003


Quoting Jeff Dafoe (jeff@badtz-maru.com):
> > As far as I know, putting the mv_form_profile inside the button, should
> > not work. By doing this, mv_form_profile is getting set __after__ it is
> > read.  From your example, it doesn't look like your [button] is doing
> > anything other than setting mv_form_profile, so you could just do the
> > following instead:
> >
> > <input type=image src="__THEME__/placeorder.gif" name=mv_form_profile
> > value=my_validate>
> 
>     The issue is that it is then possible for a malicious user to bypass
> form validation by saving a local copy of the HTML and modifying it.  This
> is the only IC issue to which I really don't have an answer that I like,
> which is how to programmatically set a form profile without using any
> client-side settings.

Think about this. How could you ever do that without checking every
single page request for it?

If you make your page an action, you can do it by making the action
insist on a validation. Otherwise I don't know how it could
possibly be done.

> It's not that the answer doesn't necessarily exist, I
> just don't know what it is.

You can't programmatically set it, but you can make sure it was run.

[set validated][/set]

[set validate_check]

	[set validated]1[/set]

	foo=required
	bar=required
[/set]

[button text="Go"]
	[if scratch validated]
	    [set was_validated]1[/set]
	    mv_nextpage=foo
	[/if]
[/button]

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike@perusion.com>

"Even if you're on the right track, you'll get run over if you just
sit there." -- Will Rogers
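
Added example, not part of the original message and not Interchange code: a small Python model of the check described above, where a server-side session flag records that the profile actually ran and the submit handler refuses to proceed without it. The function names, the dict standing in for session scratch, and the assumption that the profile runs before the button's check are all illustrative; only the names mv_form_profile, validate_check, validated, was_validated, foo and bar come from the post.

```python
# Model of the pattern from the post: "scratch" is server-side session state,
# "form" is whatever the client chose to send (and may have been edited).

PROFILES = {"validate_check": ("foo", "bar")}  # required fields, as in the post


def render_form(scratch):
    """Serving the page clears the flags, like [set validated][/set]."""
    scratch["validated"] = ""
    scratch["was_validated"] = ""


def run_profile(name, form, scratch):
    """Run the named profile; the profile itself records that it executed."""
    required = PROFILES.get(name)
    if required is None:
        return False                 # missing or unknown profile: nothing ran
    scratch["validated"] = "1"       # set server side, never taken from the form
    return all(form.get(field, "").strip() for field in required)


def handle_submit(form, scratch):
    """Return the next page name, or None when the submission is refused."""
    # The profile name is client-supplied, so it can be removed or renamed.
    fields_ok = run_profile(form.get("mv_form_profile"), form, scratch)
    # Equivalent of [if scratch validated] in the [button] code:
    if not scratch.get("validated"):
        return None                  # profile never ran for this page view
    if not fields_ok:
        return None                  # profile ran but required fields are empty
    scratch["was_validated"] = "1"
    return "foo"                     # mv_nextpage=foo in the post
```
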