FormUI Thoughts


Caius Durling

Aug 16, 2009, 8:12:28 AM
to habar...@googlegroups.com
Hi guys,

I've just changed the comment form to add "comment_" to the ids of
each element in the form, and noticed the names are just mirroring the
id, which leads to field names like "comment_name", which exists as
$_POST["comment_name"] in the submitted data.

Now I realise this is my personal taste, but I prefer to use $_POST as
a named array for post data, so you'd access the name field like
$_POST["comment"]["name"]. I prefer separating the data out in this way,
because it makes it easy to ignore all post data except for the form
you want (because $_POST["comment"] contains only the data from the
comment form.)

So I'm wondering if there's a good reason for us to stick with
comment_name, or if we could move to comment[name]?

C
---
Caius Durling
ca...@caius.name
+44 (0) 7960 268 100
http://caius.name/

Arthus Erea

Aug 16, 2009, 8:23:42 AM
to habar...@googlegroups.com
Hi Caius,

Do you mean for the ID or for the name?

I see no reason for the name. However, I think the name shouldn't
actually be human-readable at all. It should be an encoded string
(isn't it usually already?), so we are always sure the data is coming
directly from the specific FormUI field.

For the ID, I don't think "[" is supported.

~arthus

Caius Durling

Aug 16, 2009, 8:59:00 AM
to habar...@googlegroups.com
On 16 Aug 2009, at 13:23, Arthus Erea wrote:

> Do you mean for the ID or for the name?
>
> I see no reason for the name. However, I think the name shouldn't
> actually be human-readable at all. It should be an encoded string
> (isn't it usually already?), so we are always sure the data is coming
> directly from the specific FormUI field.


For the name, so the field looks something like <input type="text"
name="comment[name]" id="comment_name">

It's not really to make the source code more human readable, but to
encapsulate the data in the $_POST more, so it's split into named
arrays for each form. I find doing so makes it easy to select only the
bits of $_POST you need, without having to manually specify the fields
to use.

Arthus Erea

Aug 16, 2009, 9:02:33 AM
to habar...@googlegroups.com
Sorry, but I don't see the benefit.

Since this is FormUI, we already know the names of the fields we're
looking for. In fact, there's absolutely no reason you should ever
have to access the raw $_POST data for a FormUI form.

That's why I'd prefer a random string. FormUI knows what it's looking
for, but it makes the form less vulnerable to sniffing/attack/mistakes.

Caius Durling

Aug 16, 2009, 9:18:36 AM
to habar...@googlegroups.com
On 16 Aug 2009, at 14:02, Arthus Erea wrote:

> Sorry, but I don't see the benefit.
>
> Since this is FormUI, we already know the names of the fields we're
> looking for. In fact, there's absolutely no reason you should ever
> have to access the raw $_POST data for a FormUI form.

But even now we have to specify the field names in both the place we
create the form, and the place we handle the form data. So yes, you do
have to know what the name of the fields are in the $_POST array.

> That's why I'd prefer a random string. FormUI knows what it's looking
> for, but it makes the form less vulnerable to sniffing/attack/
> mistakes.


Um, how is this making a form more secure? Making the id random means
you can never target that input with CSS (bad idea), and to stop
people submitting fake data it just means I request the form before
posting my data, and use the "random" values the form gives me when I
request it.

Plus you'd have to store which random values you used for the form
against the user that requested them somehow, which is just a whole
load of overhead for no benefit.

The reason I'm suggesting it is because you could then grab the
comment form object, loop over $_POST["comment"] and assign the values
of the array to the formui object as attributes, which means you get a
fully populated formui object to validate, save, redisplay - without
having to know what the name of each field is. The field names are
just defined in the creation of the comment FormUI object.

Arthus Erea

Aug 16, 2009, 9:42:00 AM
to habar...@googlegroups.com
To be clear, I do *not* think the ID should be random. I am referring
solely to the name.

On Aug 16, 2009, at 9:18 AM, Caius Durling wrote:

>
> On 16 Aug 2009, at 14:02, Arthus Erea wrote:
>
>> Sorry, but I don't see the benefit.
>>
>> Since this is FormUI, we already know the names of the fields we're
>> looking for. In fact, there's absolutely no reason you should ever
>> have to access the raw $_POST data for a FormUI form.
>
> But even now we have to specify the field names in both the place we
> create the form, and the place we handle the form data. So yes, you do
> have to know what the name of the fields are in the $_POST array.

They are one and the same. There is no "creation place" and "handler
place" — the single FormUI object is used for both.

The handler function does *not* ever have to know the field name. It
calls the data from the FormUI object, based upon the FormUI field.

>> That's why I'd prefer a random string. FormUI knows what it's looking
>> for, but it makes the form less vulnerable to sniffing/attack/
>> mistakes.
>
> Um, how is this making a form more secure? Making the id random means
> you can never target that input with CSS (bad idea.) and to stop
> people submitting fake data, just means I request the form before
> posting my data, and use the "random" values the form gives me when I
> request it.

I am referring solely to the name, not the ID. That has zero impact
upon the CSS abilities.

If the names must first be sniffed, you have to do 2 requests instead
of 1. That makes spammers spend twice as much effort. Additionally,
consider potential sniffing. If the field name is random (only the
server and client know it), it's harder to sniff for what the data contains.

> Plus you'd have to store which random values you used for the form
> against the user that requested them somehow, which is just a whole
> load of overhead for no benefit.

Look: we're going to do that anyways. That's how FormUI works. We are
*not* going to blindly trust whatever is in the $_POST array. We are
not going to simply add every element in it onto the FormUI object.

Your proposal would require significant redevelopment of FormUI, has
negligible benefit, and is prone to error. Why should we redevelop
FormUI without any benefit?

Furthermore, I wonder if you have thoroughly explored the FormUI code.
For FormUI, creation, validation, and display are done with the same
object. If one part knows the form name, all of it knows the form name.

It seems like you're trying to bring over a concept which might make
sense in less-advanced systems (where you just parse $_POST manually),
without fully understanding FormUI.
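As an added illustration (not Habari's FormUI code; the DeclaredForm class and its methods are hypothetical), here is the pattern both posts circle around: a form object declares its fields once, reads the nested comment[...] array Caius proposes, and binds only the declared keys, so the handler never copies raw $_POST blindly, which is Arthus's concern.

```php
<?php
// Hypothetical minimal form object, not Habari's FormUI: it declares its
// field names once and binds request data only for those names.
final class DeclaredForm
{
    /** @var array<string,string> bound values, keyed by declared field */
    private array $values = [];

    /** @param string[] $fields field names declared at form creation */
    public function __construct(private string $name, private array $fields) {}

    // Bind a request array shaped like $_POST. Only $post[$this->name] is
    // consulted (other forms' data is ignored), and within it only declared
    // scalar fields are copied. Undeclared keys are reported, not assigned,
    // which is what prevents a client from setting fields the form never
    // offered (the "mass assignment" risk of looping over $_POST directly).
    public function bind(array $post): array
    {
        $data = $post[$this->name] ?? [];
        if (!is_array($data)) {
            return [];
        }
        $ignored = [];
        foreach ($data as $key => $value) {
            if (in_array($key, $this->fields, true) && is_scalar($value)) {
                $this->values[$key] = (string) $value;
            } else {
                $ignored[] = (string) $key;
            }
        }
        return $ignored;
    }

    public function value(string $field): ?string
    {
        return $this->values[$field] ?? null;
    }
}

// Constructed sample request, shaped as name="comment[name]" inputs post it,
// with an extra key the form never declared and data from a second form.
$post = [
    'comment' => ['name' => 'Caius', 'content' => 'Hello', 'approved' => '1'],
    'search'  => ['q' => 'formui'],
];

$form = new DeclaredForm('comment', ['name', 'content']);
$ignored = $form->bind($post);
printf("name=%s approved=%s ignored=%s\n",
    $form->value('name'), var_export($form->value('approved'), true),
    implode(',', $ignored));
```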

Blake Johnson

Aug 18, 2009, 12:36:18 AM
to habari-dev
This sounds like a reasonable suggestion to me.

--Blake