I'm having trouble with Instant Payment Notification on PayPal. One of
the forms that they generate, which invokes one of my scripts, has a
submit button with a blank name. The HTML fragment is this:
<input type="submit" name="" value="Continue">
This causes the FORMDATA that is sent to my script to start like this:
=Continue&nextparam=value&....
My initial reaction was that this can't possibly be valid HTML, but I
put together a brief page including such a field and submitted it to
W3.ORG's validator, and it was reported as "tentatively valid". So now
I'm led to believe that having a blank name on an input field is
valid.
But how is the received script supposed to parse it? What is the name
of the field? Is the receiving script expected to just invent some
random name?
Thanks for any light anyone can shed on this.
5  2305 
On Mon, 5 Sep 2005, Clive Backham wrote: I'm having trouble with Instant Payment Notification on PayPal. One
of the forms that they generate, which invokes one of my scripts,
has a submit button with a blank name. The HTML fragment is this:
<input type="submit" name="" value="Continue">
This causes the FORMDATA that is sent to my script to start like
this:
=Continue&nextparam=value&....
My initial reaction was that this can't possibly be valid HTML, but
I put together a brief page including such a field and submitted it
to W3.ORG's validator, and it was reported as "tentatively valid".
Presumably, the "tentative" had some other cause than this...?
So now I'm led to believe that having a blank name on an input field
is valid.
I think it probably is. Validity is good, but it's only part of the
story, and in this case it's rather a small part of the story...
Really, if you're interested in the server-side activity, then the
question of what is or isn't "valid" HTML (interesting as it might be
for its own sake) is NOT your major problem.
Server-side form evaluation *needs* to be ironclad and fully defended
against anything, and I do mean ANYTHING, that can be thrown at it,
bearing in mind that a malicious user could write their own HTML form
if they cared to, and submit it to your server. Or worse. If your
server side process can be fooled by that, then you have a security
compromise in the making: just how serious that might be depends on
what the activity is. If it's about money, then it could be serious.
But how is the received script supposed to parse it?
By executing some code?
Sorry, but this -is- a serious matter. If you don't feel up to
tackling it yet, then there's no harm in asking, and doing some
exercises; but please don't put it on the live web until it's
battle-hardened. Which really isn't an HTML problem as such (you'd be
more at home on a group that handles server-side processing - maybe
comp.infosystems. www.authoring.cgi - beware its automoderation bot).
good luck
Clive Backham wrote: I'm having trouble with Instant Payment Notification on PayPal. One of
the forms that they generate, which invokes one of my scripts, has a
submit button with a blank name. The HTML fragment is this:
<input type="submit" name="" value="Continue">
This causes the FORMDATA that is sent to my script to start like this:
=Continue&nextparam=value&....
My initial reaction was that this can't possibly be valid HTML, but I
put together a brief page including such a field and submitted it to
W3.ORG's validator, and it was reported as "tentatively valid". So now
I'm led to believe that having a blank name on an input field is
valid.
The name attribute is not required for input elements to conform to the
HTML DTD. The value of the attribute is CDATA, therefore an empty
string is valid. Therefore not having a name attribute, or having a
name attribute with a value that is an empty string, is valid HTML.
However, a name attribute is required for a form control to be
successful. If it doesn't have a name, its value will not be sent when
the form is submitted. In your case the name is an empty string, so the
submit button's delimited name/value pair is: &=continue
But how is the received script supposed to parse it? What is the name
of the field? Is the receiving script expected to just invent some
random name?
Presumably your receiving script will parse the returned record and
extract name/value pairs. How you deal with missing names is up to you,
but as Alan suggests, you really need specialist help when it comes to
e-commerce sites and payment systems - they must be utterly bullet-proof.
Thanks for any light anyone can shed on this.
--
Rob
It may be valid html but why not give it a name?
Also be aware that it breaks accessability rules as it is as test and
sound and braille browsers (etc) may not be able to convey the meaning
of the button to the user.
Clive Backham wrote: But how is the received script supposed to parse it? What is the name
of the field?
It was a submit button. The control has only one possible value for
a given form[1], and it is not relevant to the processing script.
In any case, "" is a perfectly legitimate value for a string, and is
not a problem to parse.
[1] Given that, for this purpose we have no interest in someone who
hacks up a request that doesn't come from the form and a browser.
--
Nick Kew
Thanks to everyone for their help with this. I was basically just
trying to find out whether a blank name attribute in an input tag is
valid. Now that I know that it is, I have fixed the parsing in my web
server scripting.
One of you mentioned that the scripting needs to be bullet-proof.
I agree. It's just that sometimes the kind of bullets that arrive are
unpredictable.
Interestingly, the problem didn't arise when the submitting browser
was Internet Explorer: it seems to treat an explicitly blank name
attribute as if the attribute were not present at all, and doesn't
send that field in the formdata. I presume that Firefox's behaviour is
correct.
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Me |
last post by:
I need to test for blank inputs and run a routine "if" the input is
blank. This will be used internally on a LAN to calculate selling price
if the "sell" input is blank and a margin is supplied,...
|
by: Don Leverton |
last post by:
Hi Folks,
I have been given a CD with approx 130 .xls files (bean-counters!) that I
would like to import and merge to ONE table (tblTradeshow).
The XL files are *similarly*, but not...
|
by: David Cameron |
last post by:
I noticed
that using an HTMLInputRadioButton and specifying a value to be an empty
string (""), this is overridden by ASP.Net which set the value of the
control to be the same as the ID of the...
|
by: shocron |
last post by:
problem: input values not recognized in dinamicly loaded IFRAMEs
here is the thing I have a parent window that has an IFRAME
I then load a diffrent page into the IFRAME that contains an input
...
|
by: Phil Latio |
last post by:
I've been creating an application over the last few weeks and generally
pleased with what I have produced but one area is irritating me, form
validation.
At the moment the forms are simply...
|
by: groups2 |
last post by:
When you press the down key while in an input field the default
behavior for some event creates a dropdown of the previously input
text.
What event creates that behavior and how do I stop it ?
...
|
by: mark |
last post by:
Forgive me if this seems like a stupid question but I need help...
I'm trying to do a simple online form that emails me the results from
a few fields.
Here is the code:
<form...
|
by: Rambaldi |
last post by:
Wassup!!!
<tr>
<td>
<!-- MAX_FILE_SIZE must precede the file input field -->
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
<!-- Name of input element determines name...
|
by: Jack Gray |
last post by:
I have a form requiring data input for all fields. When any field is left blank and the data is submitted, the cgi file generates a new form which is populated with data already input and an error...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |
