I'm having trouble with Instant Payment Notification on PayPal. One of
the forms that they generate, which invokes one of my scripts, has a
submit button with a blank name. The HTML fragment is this:
<input type="submit" name="" value="Continue">
This causes the FORMDATA that is sent to my script to start like this:
=Continue&nextparam=value&....
My initial reaction was that this can't possibly be valid HTML, but I
put together a brief page including such a field and submitted it to
W3.ORG's validator, and it was reported as "tentatively valid". So now
I'm led to believe that having a blank name on an input field is
valid.
But how is the received script supposed to parse it? What is the name
of the field? Is the receiving script expected to just invent some
random name?
Thanks for any light anyone can shed on this.
5  2271 
On Mon, 5 Sep 2005, Clive Backham wrote: I'm having trouble with Instant Payment Notification on PayPal. One
of the forms that they generate, which invokes one of my scripts,
has a submit button with a blank name. The HTML fragment is this:
<input type="submit" name="" value="Continue">
This causes the FORMDATA that is sent to my script to start like
this:
=Continue&nextparam=value&....
My initial reaction was that this can't possibly be valid HTML, but
I put together a brief page including such a field and submitted it
to W3.ORG's validator, and it was reported as "tentatively valid".
Presumably, the "tentative" had some other cause than this...?
So now I'm led to believe that having a blank name on an input field
is valid.
I think it probably is. Validity is good, but it's only part of the
story, and in this case it's rather a small part of the story...
Really, if you're interested in the server-side activity, then the
question of what is or isn't "valid" HTML (interesting as it might be
for its own sake) is NOT your major problem.
Server-side form evaluation *needs* to be ironclad and fully defended
against anything, and I do mean ANYTHING, that can be thrown at it,
bearing in mind that a malicious user could write their own HTML form
if they cared to, and submit it to your server. Or worse. If your
server side process can be fooled by that, then you have a security
compromise in the making: just how serious that might be depends on
what the activity is. If it's about money, then it could be serious.
But how is the received script supposed to parse it?
By executing some code?
Sorry, but this -is- a serious matter. If you don't feel up to
tackling it yet, then there's no harm in asking, and doing some
exercises; but please don't put it on the live web until it's
battle-hardened. Which really isn't an HTML problem as such (you'd be
more at home on a group that handles server-side processing - maybe
comp.infosystems. www.authoring.cgi - beware its automoderation bot).
good luck
Clive Backham wrote: I'm having trouble with Instant Payment Notification on PayPal. One of
the forms that they generate, which invokes one of my scripts, has a
submit button with a blank name. The HTML fragment is this:
<input type="submit" name="" value="Continue">
This causes the FORMDATA that is sent to my script to start like this:
=Continue&nextparam=value&....
My initial reaction was that this can't possibly be valid HTML, but I
put together a brief page including such a field and submitted it to
W3.ORG's validator, and it was reported as "tentatively valid". So now
I'm led to believe that having a blank name on an input field is
valid.
The name attribute is not required for input elements to conform to the
HTML DTD. The value of the attribute is CDATA, therefore an empty
string is valid. Therefore not having a name attribute, or having a
name attribute with a value that is an empty string, is valid HTML.
However, a name attribute is required for a form control to be
successful. If it doesn't have a name, its value will not be sent when
the form is submitted. In your case the name is an empty string, so the
submit button's delimited name/value pair is: &=continue
But how is the received script supposed to parse it? What is the name
of the field? Is the receiving script expected to just invent some
random name?
Presumably your receiving script will parse the returned record and
extract name/value pairs. How you deal with missing names is up to you,
but as Alan suggests, you really need specialist help when it comes to
e-commerce sites and payment systems - they must be utterly bullet-proof.
Thanks for any light anyone can shed on this.
--
Rob
It may be valid html but why not give it a name?
Also be aware that it breaks accessability rules as it is as test and
sound and braille browsers (etc) may not be able to convey the meaning
of the button to the user.
Clive Backham wrote: But how is the received script supposed to parse it? What is the name
of the field?
It was a submit button. The control has only one possible value for
a given form[1], and it is not relevant to the processing script.
In any case, "" is a perfectly legitimate value for a string, and is
not a problem to parse.
[1] Given that, for this purpose we have no interest in someone who
hacks up a request that doesn't come from the form and a browser.
--
Nick Kew
Thanks to everyone for their help with this. I was basically just
trying to find out whether a blank name attribute in an input tag is
valid. Now that I know that it is, I have fixed the parsing in my web
server scripting.
One of you mentioned that the scripting needs to be bullet-proof.
I agree. It's just that sometimes the kind of bullets that arrive are
unpredictable.
Interestingly, the problem didn't arise when the submitting browser
was Internet Explorer: it seems to treat an explicitly blank name
attribute as if the attribute were not present at all, and doesn't
send that field in the formdata. I presume that Firefox's behaviour is
correct.
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Me |
last post by:
I need to test for blank inputs and run a routine "if" the input is
blank. This will be used internally on a LAN to calculate selling price
if the "sell" input is blank and a margin is supplied,...
|
by: Don Leverton |
last post by:
Hi Folks,
I have been given a CD with approx 130 .xls files (bean-counters!) that I
would like to import and merge to ONE table (tblTradeshow).
The XL files are *similarly*, but not...
|
by: David Cameron |
last post by:
I noticed
that using an HTMLInputRadioButton and specifying a value to be an empty
string (""), this is overridden by ASP.Net which set the value of the
control to be the same as the ID of the...
|
by: shocron |
last post by:
problem: input values not recognized in dinamicly loaded IFRAMEs
here is the thing I have a parent window that has an IFRAME
I then load a diffrent page into the IFRAME that contains an input
...
|
by: Phil Latio |
last post by:
I've been creating an application over the last few weeks and generally
pleased with what I have produced but one area is irritating me, form
validation.
At the moment the forms are simply...
|
by: groups2 |
last post by:
When you press the down key while in an input field the default
behavior for some event creates a dropdown of the previously input
text.
What event creates that behavior and how do I stop it ?
...
|
by: mark |
last post by:
Forgive me if this seems like a stupid question but I need help...
I'm trying to do a simple online form that emails me the results from
a few fields.
Here is the code:
<form...
|
by: Rambaldi |
last post by:
Wassup!!!
<tr>
<td>
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<!-- Name of input element determines name...
|
by: Jack Gray |
last post by:
I have a form requiring data input for all fields. When any field is left blank and the data is submitted, the cgi file generates a new form which is populated with data already input and an error...
|
by: lllomh |
last post by:
Define the method first
this.state = {
buttonBackgroundColor: 'green',
isBlinking: false, // A new status is added to identify whether the button is blinking or not
}
autoStart=()=>{
|
by: DJRhino |
last post by:
Was curious if anyone else was having this same issue or not....
I was just Up/Down graded to windows 11 and now my access combo boxes are not acting right. With win 10 I could start typing...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM)
The start time is equivalent to 19:00 (7PM) in Central...
|
by: tracyyun |
last post by:
Hello everyone,
I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
|
by: giovanniandrean |
last post by:
The energy model is structured as follows and uses excel sheets to give input data:
1-Utility.py contains all the functions needed to calculate the variables and other minor things (mentions...
|
by: Teri B |
last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course.
0ne-to-many. One course many roles.
Then I created a report based on the Course form and...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM)
Please note that the UK and Europe revert to winter time on...
|
by: NeoPa |
last post by:
Introduction
For this article I'll be focusing on the Report (clsReport) class. This simply handles making the calling Form invisible until all of the Reports opened by it have been closed, when it...
|
by: isladogs |
last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, Mike...
| |
