@belfie13
Last active May 4, 2022 13:17
PHP User Input with HTML Form and HTTP POST Request Method

Wad Borems (Web Forms)

HTML

DOM clobbering

  • Avoid using the names of built-in form properties with the name content attribute.
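The DOM clobbering point above, as an added example that is not part of the gist: a small lint that scans a form fragment for control names or ids that would shadow built-in HTMLFormElement properties (the property list and the sample form are assumptions for illustration).

```javascript
// Added example, not part of the gist: a small lint that flags form
// control names that would shadow built-in HTMLFormElement properties.
// Named controls are exposed as properties of their form object, so a
// control with name="action" makes form.action return that <input>
// instead of the submission URL (DOM clobbering). A control's id
// clobbers the same way, so both attributes are checked.
// FORM_PROPERTIES is an assumed subset of the HTMLFormElement interface;
// extend it for the browsers you support.
const FORM_PROPERTIES = new Set([
  'action', 'method', 'target', 'enctype', 'encoding', 'acceptCharset',
  'autocomplete', 'noValidate', 'elements', 'length', 'name', 'rel',
  'submit', 'reset', 'checkValidity', 'reportValidity', 'requestSubmit',
]);

// Scan an HTML fragment (simplistic tag/attribute regexes, not a full
// parser) and return every name/id on a control that collides with a
// built-in form property. An empty array means nothing is clobbered.
function findClobberingNames(html) {
  const hits = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /(?<![\w-])(name|id)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    if (tagName === 'form') continue; // the form's own attributes are not controls
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const value = [attr[2], attr[3], attr[4]].find((v) => v !== undefined);
      if (FORM_PROPERTIES.has(value)) {
        hits.push({ tag: tagName, attr: attr[1], value });
      }
    }
  }
  return hits;
}

// Constructed sample: three of the four controls shadow form properties
// (name="action", id="submit", name="method"); user[name] is harmless.
const SAMPLE_FORM = `
<form id="login" action="/login" method="post">
  <input name="action" value="profile">
  <input name="user[name]">
  <input id="submit" type="submit">
  <input name="method">
</form>`;

console.log(findClobberingNames(SAMPLE_FORM));
```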

form-associated elements

  • can have a form owner
    • form owner defaults to its ancestor form element
  • «button»
  • «fieldset»
  • «input»
  • «object»
  • «output»
  • «select»
  • «textarea»
  • «img»
  • form-associated custom elements

⚠️ TODO: form owner set by ancestor form element. ⚠️

Listed elements

  • are in the form.elements and fieldset.elements APIs.
  • have a form content and IDL attribute used to set a form owner.
  • «button»
  • «fieldset»
  • «input»
  • «object»
  • «output»
  • «select»
  • «textarea»
  • form-associated custom elements

⚠️ TODO: form owner set by form attribute set to ID of form element in its tree. ⚠️

Submittable elements

  • can be used in the entry list when a form element is submitted.
  • «button»
  • «input»
  • «object»
  • «select»
  • «textarea»
  • form-associated custom elements

⚠️ TODO: build possible entry list data types from submittable element value types. ⚠️

Resettable elements

  • can be affected when a form element is reset.
  • «input»
  • «output»
  • «select»
  • «textarea»
  • form-associated custom elements

Labelable elements

  • can be associated with a label element.
  • «button»
  • «input» (if type!=hidden)
  • «meter»
  • «output»
  • «progress»
  • «select»
  • «textarea»
  • form-associated custom elements

⚠️ TODO: function to add a label element to labelable elements. ⚠️

Input Types

  • «maxlength» sets upper limit on number of characters: aka maximum allowed value length
  • «minlength» sets lower limit on number of characters: aka minimum allowed value length
    • if empty string is not allowed, required must be set

Autofill Field Names

| Field name | Meaning | Canonical format | Control group |
|---|---|---|---|
| name | Full name | Free-form text, no newlines | Text |
| honorific-prefix | Prefix or title (e.g. "Mr.", "Ms.", "Dr.", "Mlle") | Free-form text, no newlines | Text |
| given-name | Given name (in some Western cultures, also known as the first name) | Free-form text, no newlines | Text |
| additional-name | Additional names (in some Western cultures, also known as middle names, forenames other than the first name) | Free-form text, no newlines | Text |
| family-name | Family name (in some Western cultures, also known as the last name or surname) | Free-form text, no newlines | Text |
| honorific-suffix | Suffix (e.g. "Jr.", "B.Sc.", "MBASW", "II") | Free-form text, no newlines | Text |
| nickname | Nickname, screen name, handle: a typically short name used instead of the full name | Free-form text, no newlines | Text |
| organization-title | Job title (e.g. "Software Engineer", "Senior Vice President", "Deputy Managing Director") | Free-form text, no newlines | Text |
| username | A username | Free-form text, no newlines | Username |
| new-password | A new password (e.g. when creating an account or changing a password) | Free-form text, no newlines | Password |
| current-password | The current password for the account identified by the username field (e.g. when logging in) | Free-form text, no newlines | Password |
| one-time-code | One-time code used for verifying user identity | Free-form text, no newlines | Password |
| organization | Company name corresponding to the person, address, or contact information in the other fields associated with this field | Free-form text, no newlines | Text |
| street-address | Street address (multiple lines, newlines preserved) | Free-form text | Multiline |
| address-line1 | Street address (one line per field) | Free-form text, no newlines | Text |
| address-line2 | | Free-form text, no newlines | Text |
| address-line3 | | Free-form text, no newlines | Text |
| address-level4 | The most fine-grained administrative level, in addresses with four administrative levels | Free-form text, no newlines | Text |
| address-level3 | The third administrative level, in addresses with three or more administrative levels | Free-form text, no newlines | Text |
| address-level2 | The second administrative level, in addresses with two or more administrative levels; in the countries with two administrative levels, this would typically be the city, town, village, or other locality within which the relevant street address is found | Free-form text, no newlines | Text |
| address-level1 | The broadest administrative level in the address, i.e. the province within which the locality is found; for example, in the US, this would be the state; in Switzerland it would be the canton; in the UK, the post town | Free-form text, no newlines | Text |
| country | Country code | Valid ISO 3166-1-alpha-2 country code [ISO3166] | Text |
| country-name | Country name | Free-form text, no newlines; derived from country in some cases | Text |
| postal-code | Postal code, post code, ZIP code, CEDEX code (if CEDEX, append "CEDEX", and the arrondissement, if relevant, to the address-level2 field) | Free-form text, no newlines | Text |
| cc-name | Full name as given on the payment instrument | Free-form text, no newlines | Text |
| cc-given-name | Given name as given on the payment instrument (in some Western cultures, also known as the first name) | Free-form text, no newlines | Text |
| cc-additional-name | Additional names given on the payment instrument (in some Western cultures, also known as middle names, forenames other than the first name) | Free-form text, no newlines | Text |
| cc-family-name | Family name given on the payment instrument (in some Western cultures, also known as the last name or surname) | Free-form text, no newlines | Text |
| cc-number | Code identifying the payment instrument (e.g. the credit card number) | ASCII digits | Text |
| cc-exp | Expiration date of the payment instrument | Valid month string | Month |
| cc-exp-month | Month component of the expiration date of the payment instrument | Valid integer in the range 1..12 | Numeric |
| cc-exp-year | Year component of the expiration date of the payment instrument | Valid integer greater than zero | Numeric |
| cc-csc | Security code for the payment instrument (also known as the card security code (CSC), card validation code (CVC), card verification value (CVV), signature panel code (SPC), credit card ID (CCID), etc.) | ASCII digits | Text |
| cc-type | Type of payment instrument | Free-form text, no newlines | Text |
| transaction-currency | The currency that the user would prefer the transaction to use | ISO 4217 currency code [ISO4217] | Text |
| transaction-amount | The amount that the user would like for the transaction (e.g. when entering a bid or sale price) | Valid floating-point number | Numeric |
| language | Preferred language | Valid BCP 47 language tag [BCP47] | Text |
| bday | Birthday | Valid date string | Date |
| bday-day | Day component of birthday | Valid integer in the range 1..31 | Numeric |
| bday-month | Month component of birthday | Valid integer in the range 1..12 | Numeric |
| bday-year | Year component of birthday | Valid integer greater than zero | Numeric |
| sex | Gender identity (e.g. Female, Fa'afafine) | Free-form text, no newlines | Text |
| url | Home page or other web page corresponding to the company, person, address, or contact information in the other fields associated with this field | Valid URL string | URL |
| photo | Photograph, icon, or other image corresponding to the company, person, address, or contact information in the other fields associated with this field | Valid URL string | URL |
| tel | Full telephone number, including country code | ASCII digits and U+0020 SPACE characters, prefixed by a U+002B PLUS SIGN character (+) | Tel |
| tel-country-code | Country code component of the telephone number | ASCII digits prefixed by a U+002B PLUS SIGN character (+) | Text |
| tel-national | Telephone number without the country code component, with a country-internal prefix applied if applicable | ASCII digits and U+0020 SPACE characters | Text |
| tel-area-code | Area code component of the telephone number, with a country-internal prefix applied if applicable | ASCII digits | Text |
| tel-local | Telephone number without the country code and area code components | ASCII digits | Text |
| tel-local-prefix | First part of the component of the telephone number that follows the area code, when that component is split into two components | ASCII digits | Text |
| tel-local-suffix | Second part of the component of the telephone number that follows the area code, when that component is split into two components | ASCII digits | Text |
| tel-extension | Telephone number internal extension code | ASCII digits | Text |
| email | Email address | Valid email address | Username |
| impp | URL representing an instant messaging protocol endpoint (e.g. "aim:goim?screenname=example") | Valid URL string | URL |

<?php
# get data, default or form post
$data = ['login' => null];
if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
    # PHP turns the field names user[name] and user[pass] into the nested
    # array $_POST['user']['name'] / $_POST['user']['pass']; the flat key
    # 'user[name]' never exists, so isset($_POST['user[name]']) was always
    # false and the form was shown again after every submit.
    # is_string() rejects a client that sends user[name][]=... (an array).
    if (isset($_POST['user']['name'], $_POST['user']['pass'])
        && is_string($_POST['user']['name']) && is_string($_POST['user']['pass']))
    {
        $data['login'] = true;
        $data['user']['name'] = $_POST['user']['name'];
        $data['user']['pass'] = $_POST['user']['pass'];
    }
}
# check if input is needed
if (!$data['login'])
{
    ## output form and submit
?>
<form action='' method='post'>
<label for='username'>UserName: </label><input id='username' type='text' name='user[name]' required><br>
<label for='password'>Password: </label><input id='password' type='password' name='user[pass]' required><br>
<button type='submit'>Login</button>
</form>
<?php
}
# output stuff
else
{
    # debug dump of the received data; it is echoed back into the page,
    # so escape it instead of reflecting user input as raw HTML
    echo '<pre>';
    echo '$data = ';
    echo htmlspecialchars(print_r($data, true), ENT_QUOTES, 'UTF-8');
    echo '$_POST = ';
    echo htmlspecialchars(print_r($_POST, true), ENT_QUOTES, 'UTF-8');
    echo '</pre>';
}
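As an added example (not the gist's code) covering both the PHP snippet above and the maxlength/minlength notes under Input Types: a Node.js model of how PHP decodes bracketed field names such as `user[name]` into nested arrays, followed by the server-side length and presence checks that the HTML attributes only hint at; the length limits and the `checkLoginPost` name are assumptions for illustration.

```javascript
// Added example, not part of the gist: a Node.js model of the PHP rule that
// turns bracketed field names from an application/x-www-form-urlencoded
// body into nested arrays: user[name]=a&user[pass]=b becomes
// { user: { name: 'a', pass: 'b' } }, and no flat 'user[name]' key exists.
// Like PHP, "[]" appends at the next index and "." or " " in the top-level
// name become "_". Deeper PHP quirks (unbalanced brackets) are not modelled.
function parseFormBody(body) {
  const result = {};
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(rawKey);
    if (!m) continue;
    const subKeys = (m[2].match(/\[([^\]]*)\]/g) || []).map((s) => s.slice(1, -1));
    const path = [m[1].replace(/[. ]/g, '_'), ...subKeys];
    let node = result;
    path.forEach((seg, i) => {
      const key = seg === '' ? String(Object.keys(node).length) : seg;
      if (i === path.length - 1) { node[key] = value; return; }
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    });
  }
  return result;
}

// Server-side counterpart of the form's required/minlength/maxlength
// attributes: the browser enforces them only for cooperating clients, so
// the handler repeats them. The limits are an assumed policy, not the
// gist's; lengths are UTF-16 code units (JS), not bytes as in PHP strlen().
const RULES = { name: { minlength: 3, maxlength: 64 }, pass: { minlength: 8, maxlength: 256 } };

// Returns { ok: true, username } for an acceptable login post, otherwise
// { ok: false, errors: [...] }. A non-string value (user[name][]=x) fails
// the same way the is_string() guard does in the PHP above.
function checkLoginPost(body) {
  const user = parseFormBody(body).user;
  if (typeof user !== 'object' || user === null) {
    return { ok: false, errors: ['user[name] and user[pass] are required'] };
  }
  const errors = [];
  for (const [field, rule] of Object.entries(RULES)) {
    const v = user[field];
    if (typeof v !== 'string' || v.length === 0) errors.push(`user[${field}] is required`);
    else if (v.length < rule.minlength) errors.push(`user[${field}] is shorter than ${rule.minlength}`);
    else if (v.length > rule.maxlength) errors.push(`user[${field}] is longer than ${rule.maxlength}`);
  }
  return errors.length ? { ok: false, errors } : { ok: true, username: user.name };
}

// Constructed request body, as a browser encodes the gist's form.
console.log(checkLoginPost('user%5Bname%5D=alice&user%5Bpass%5D=correct+horse'));
```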