When writing forms that alter your database, there are two ways to protect the action: a confirm box or form tokens. The functions for both already exist in includes/functions.php and should be used:
confirm_box()
For sensitive operations always let the user confirm the action. For the confirmation screen, use the confirm_box() function.
Only when the user confirms is the action completed, i.e. the submitted data is processed.
Code:
confirm_box($check, $title = '', $hidden = '', $html_body = 'confirm_body.html', $u_action = '')
The parameters in the function:
$check = Either true or false. false displays the confirm box; true checks whether the action has been confirmed.
$title = The title/message that will appear in the confirm box.
Note: For the message text, _CONFIRM is appended to the title.
If the title cannot be found in the language files, a default title is used.
If title_CONFIRM cannot be found in the language files, the $user->lang string passed to the function is used as the message.
$hidden = The hidden form fields that carry your data over to the confirmation step (see build_hidden_fields()).
$html_body = Template for the confirm box, default is confirm_body.html.
$u_action = A custom form action can be entered here; otherwise the page the user was last on is used.
A simple example of a confirm_box:
Code:
if ($submit)
{
    if (confirm_box(true))
    {
        // action the stuff and do the alterations to the DB...
    }
    else
    {
        confirm_box(false, $user->lang['CONFIRM_OPERATION'], build_hidden_fields(array(
            'id'     => $id,
            'u'      => $user_id,
            'action' => $action))
        );
    }
}
add_form_key() and check_form_key()
For every other form that is not already protected by confirm_box(), you need to verify a form token using add_form_key() and check_form_key().
add_form_key()
To set the key, call add_form_key($form_name), where $form_name is a name you choose yourself, for example:
Code:
add_form_key('add_links');
This creates a form creation time and a form token, which are used later to check the form key. Furthermore, it also creates a template variable called {S_FORM_TOKEN}, which must be placed inside the form in your template file, for example:
Code:
    ...
    </p>
    </fieldset>
    {S_FORM_TOKEN}
</form>
check_form_key()
When you reach the part where the submitted data is processed, you need to call check_form_key().
Code:
check_form_key($form_name, $timespan = false, $return_page = '', $trigger = false, $minimum_time = false)
The parameters in the function:
$form_name = This needs to be the same name that was assigned using the add_form_key function.
$timespan = The maximum acceptable age of a submitted form (in seconds). If you do not pass this argument, the default from the board config is used.
$return_page = Here you can enter an address for a return link.
$trigger = If set to true, an error is triggered when an invalid form is encountered.
$minimum_time = Similar to $timespan, but this is the minimum acceptable age of a submitted form (in seconds). If you do not pass this argument, the default from the board config is used.
A quick example of the add_form_key() and check_form_key() functions used together:
Code:
add_form_key('add_links');

// Reject the submission if the token is missing, forged, expired or posted too quickly.
if ($submit && !check_form_key('add_links'))
{
    trigger_error('FORM_INVALID');
}
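To make clear what check_form_key() actually protects against, here is a stand-alone model of the form-token scheme. This is an added example and not phpBB's own code: the function names build_form_key()/verify_form_key(), the salt value, the config numbers and the exact hash inputs are assumptions chosen for illustration (the real functions read the per-user salt, the user id and the config defaults from the phpBB $user and $config globals). It shows why a token is bound to the creation time, the user and the form name, and how $timespan and $minimum_time reject stale or too-fast submissions.

```php
<?php
// Added example, not phpBB code: a self-contained model of add_form_key()/check_form_key().

// Constructed stand-ins for per-user state and board config (assumptions).
$userFormSalt   = 'constructed-per-user-salt-0123'; // would be $user->data['user_form_salt']
$configTimespan = 7200;                             // maximum form age in seconds
$configMinTime  = 3;                                // minimum form age in seconds

// Model of add_form_key(): returns the hidden fields the template has to emit via {S_FORM_TOKEN}.
function build_form_key(string $formName, string $salt, int $now): array
{
    // Binding the token to the creation time, the user's salt and the form name
    // means a token copied from another form, another user or an old page fails.
    $token = sha1($now . $salt . $formName);
    return ['creation_time' => $now, 'form_token' => $token];
}

// Model of check_form_key(): true only if the posted fields are authentic for this user
// and form, not older than $timespan and not younger than $minimumTime.
function verify_form_key(string $formName, array $post, string $salt, int $now,
                         int $timespan, int $minimumTime): bool
{
    if (!isset($post['creation_time'], $post['form_token'])) {
        return false;
    }
    $creationTime = (int) $post['creation_time'];
    $diff = $now - $creationTime;

    // In this model a $timespan of -1 means the token never expires (assumption).
    if (($timespan !== -1 && $diff > $timespan) || $diff < $minimumTime) {
        return false;
    }

    $expected = sha1($creationTime . $salt . $formName);
    // Constant-time comparison so the token is not leaked through timing differences.
    return hash_equals($expected, (string) $post['form_token']);
}

// Walk-through on a constructed timeline.
$issuedAt = 1700000000;
$fields   = build_form_key('add_links', $userFormSalt, $issuedAt);
$forged   = build_form_key('add_links', 'some-other-salt', $issuedAt); // made without the user's salt

$cases = [
    'legitimate submission 30 s after the page was served' =>
        verify_form_key('add_links', $fields, $userFormSalt, $issuedAt + 30, $configTimespan, $configMinTime),
    'same fields posted to a different form handler' =>
        verify_form_key('delete_links', $fields, $userFormSalt, $issuedAt + 30, $configTimespan, $configMinTime),
    'token built without this user\'s salt (cross-site forgery)' =>
        verify_form_key('add_links', $forged, $userFormSalt, $issuedAt + 30, $configTimespan, $configMinTime),
    'replayed three hours later ($timespan exceeded)' =>
        verify_form_key('add_links', $fields, $userFormSalt, $issuedAt + 3 * 3600, $configTimespan, $configMinTime),
    'posted 1 s after the page was served ($minimum_time not reached)' =>
        verify_form_key('add_links', $fields, $userFormSalt, $issuedAt + 1, $configTimespan, $configMinTime),
    'form token field missing entirely' =>
        verify_form_key('add_links', ['creation_time' => $issuedAt], $userFormSalt, $issuedAt + 30, $configTimespan, $configMinTime),
];

foreach ($cases as $label => $accepted) {
    printf("%-70s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

Only the first case should be accepted. The point for your own code is the same as on this page: call add_form_key() where the form is rendered, put {S_FORM_TOKEN} inside the form, and make check_form_key() the gate in front of every database-altering branch, because a request that lacks a valid token, however well-formed the rest of it is, is not one your user knowingly submitted.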
The above is also documented in the phpBB coding guidelines.
