[thelist] Stopping a user submitting a form from the address bar using JS.

Joshua Olson joshua at waetech.com
Fri Dec 13 08:12:10 CST 2002


----- Original Message -----
From: "Craig" <cd-ml at aardvark.net.au>
Sent: Friday, December 13, 2002 6:55 AM


> The button is not a 'submit' button because after the script has validated the
> input, the script itself submits the form.  However, if I open up this page in
> a browser (IE6) and type 'javascript:document.forms[0].submit()' (without the
> '), it will bypass the validation and submit the form.  How can I stop this?

Here are a couple of things you can try:

1.  Create a global JS variable (using the 'var' keyword) that will act as a
flag as to whether or not the form CAN be submitted.
2.  Check that flag in the onsubmit handler on the form.  If the flag is not
set, return false.
3.  Set this flag only if the validation succeeds, just prior to calling the
form's submit button.

While not completely foolproof (a user can still set the variable from the
URL as well, if they are smart enough to put it together), it will keep some
otherwise honest people from submitting it from the URL.  Granted, if they
are submitting from the URL, they probably have the reason and the know-how
to break this system too.

-joshua
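
The three steps above as a runnable sketch, added here and not part of the original message. The form is a constructed stand-in so it runs under Node; the names `canSubmit`, `guard`, `validateAndSubmit` and the email rule are assumptions. The stand-in follows browser behaviour in that a scripted `submit()` call does not run `onsubmit`, so the last result shows which path the flag leaves uncovered.

```javascript
// Stand-in for a browser form so the sketch runs under Node (constructed).
// It follows browser behaviour: a user-initiated submit (Enter key, submit
// button) runs onsubmit; a scripted form.submit() call does not.
function makeForm(fields) {
  return {
    fields, sent: 0, onsubmit: null,
    submit() { this.sent += 1; },
    userSubmit() {
      if (this.onsubmit && this.onsubmit() === false) return false;
      this.sent += 1;
      return true;
    },
  };
}

// Step 1: global flag saying whether the form CAN be submitted (assumed name).
var canSubmit = false;

// Step 2: the onsubmit handler returns false unless the flag is set.
function guard() { return canSubmit === true; }

// Hypothetical validation rule for the demo: something@something, no spaces.
function isValid(form) { return /^[^@\s]+@[^@\s]+$/.test(form.fields.email || ""); }

// Step 3: the button's click handler sets the flag only when validation
// succeeds, submits, then clears the flag so it cannot be reused.
function validateAndSubmit(form) {
  canSubmit = isValid(form);
  if (!canSubmit) return false;
  form.submit();
  canSubmit = false;
  return true;
}

function demo() {
  const bad = makeForm({ email: "" });                   // constructed input
  const good = makeForm({ email: "user@example.com" });  // constructed input
  bad.onsubmit = guard;
  good.onsubmit = guard;
  const result = {
    enterKeyOnInvalid: bad.userSubmit(),      // guard blocks: flag not set
    buttonOnInvalid: validateAndSubmit(bad),  // validation fails, nothing sent
    buttonOnValid: validateAndSubmit(good),   // flag set, form sent once
  };
  bad.submit();                               // scripted call: guard never runs
  result.sentAfterDirectSubmit = bad.sent;
  return result;
}
```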



