What makes a safe form?

Reading many articles on securing PHP, most of them say that it is safest, or good practice, to have the form action on a different page from the form, e.g. form.php and formaction.php. Why is this?

PHP

2 Comment(s)

@NogDog Jul 31.2008 — What articles say that? I know of no reason why that would improve or degrade security.

@maveruk Jul 31.2008 — I've never heard of that before. I guess it could be to prevent you getting the form back up, but that's not necessarily a bad thing. If you haven't entered a password and you end up being shunted to formaction.php, you'd probably lose your information, if not get nagged about posting information by your browser.

JavaScript is a good way around it by verifying fields before submission, but it's not always reliable; for example, browsers that don't support it or users who have it switched off can get past it.

Either way, security wouldn't be improved or reduced as a result.

I tend to do something like...

[code=php]
$submitData = 'N';
$message = '';

// Was the form posted? (== comparison, not = assignment)
if (isset($_POST['submitform']) && $_POST['submitform'] == 'submitted') {
    $submitData = 'Y';
}

if ($submitData == 'Y') {
    // check password, data validation, etc...

    // problems? (illustrative check: password missing or too short)
    if (!isset($_POST['password']) || strlen($_POST['password']) < 8) {
        $submitData = 'N';
        $message = 'Your password did not match or was too short';
    }

    if ($submitData == 'Y') {
        // Save data to database...

        header('Location: newpage.php');
        exit; // nothing below should run after the redirect
    }
}

echo $message;
// show form
[/code]


That way, if there's an error you retain your details for correction, and once the form has been updated successfully, it moves you to a new page so hitting back on the browser won't post twice (the check at the top will return false since submitform will be empty).

I find that's the easiest way to do it. Problems with hitting back on the browser are avoided completely. Security issues? I don't really see any.
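The pattern maveruk describes (a self-posting form, server-side validation, sticky values on error, and a redirect on success so "back" or refresh cannot re-post) written out in full, as an added example that is not maveruk's code or code from the original thread. It also shows the two things that actually decide whether such a form is safe, regardless of whether the action is the same page or a separate one: validating on the server rather than trusting JavaScript, and escaping every value echoed back into the page. The file names register.php and done.php, the field names, and the CSRF-token session key are assumptions; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not code from the original thread): a single self-posting
// PHP form using the Post/Redirect/Get pattern, with server-side validation,
// a per-session CSRF token and output escaping on re-display.
// register.php, done.php, the field names and the session key are assumptions.
session_start();

$errors = [];
$values = ['username' => '', 'password' => ''];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Sticky values so the user does not lose input on a validation error.
    $values['username'] = trim($_POST['username'] ?? '');
    $values['password'] = $_POST['password'] ?? '';

    // CSRF token check: a form submitted from another origin will not carry it.
    if (!hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
        $errors[] = 'Invalid form token, please try again.';
    }

    // Server-side validation: JavaScript checks are a convenience, not a control.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $values['username'])) {
        $errors[] = 'Username must be 3-32 letters, digits or underscores.';
    }
    if (strlen($values['password']) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    if ($values['password'] !== ($_POST['password_confirm'] ?? '')) {
        $errors[] = 'Passwords did not match.';
    }

    if (!$errors) {
        // Save data to database here, storing only a password hash, e.g.:
        //   $stmt = $pdo->prepare('INSERT INTO users (name, pw) VALUES (?, ?)');
        //   $stmt->execute([$values['username'], $hash]);
        $hash = password_hash($values['password'], PASSWORD_DEFAULT);

        // Redirect after a successful POST (303 See Other): "back" or refresh
        // now re-issues a GET, so the record is not saved twice.
        header('Location: done.php', true, 303);
        exit; // the form below must not be rendered after the redirect
    }
}

// Fresh token for the (re)displayed form, and an escaping helper.
$_SESSION['csrf'] = bin2hex(random_bytes(32));
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<?php foreach ($errors as $msg): ?>
<p class="error"><?= $e($msg) ?></p>
<?php endforeach; ?>
<!-- Every value echoed back is escaped; the password is deliberately not refilled. -->
<form method="post" action="register.php">
  <input type="hidden" name="csrf" value="<?= $e($_SESSION['csrf']) ?>">
  <label>Username <input name="username" value="<?= $e($values['username']) ?>"></label>
  <label>Password <input type="password" name="password"></label>
  <label>Confirm <input type="password" name="password_confirm"></label>
  <button type="submit" name="submitform" value="submitted">Register</button>
</form>
```

Two details matter beyond the original snippet: the `exit` after `header()` is required, because PHP keeps executing (and rendering the form) after sending a Location header, and the hidden CSRF field is what ties the submission to the user's own session, which a separate formaction.php would need just the same.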