I have a view page where I have added a form having csrf token. Whenever I try to submit the form, the form gets submitted sometimes and sometime it shows error "The action you have requested is not allowed.". How to get rid of this error and enable the user to submit the form as many times as he can?
config.php
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'abhisuskart_stan';
$config['csrf_cookie_name'] = 'abhistan_cook';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
View page
<form method="POST" action="<?php echo base_url('user/signup');?>">
<input type="hidden" name="redirecturl" value="<?php echo $redirecto;?>">
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name();?>" value="<?php echo $this->security->get_csrf_hash();?>">
<button type="submit" class="btn btn-outline-info btnsignup">Sign Up</button>
</form>
Related
I am using codeigniter for developing my website.When submitting form Iam variables separated with ? and &. I want variables separated with slashes like below.
Now getting like this
http://example.com/controller/method?id=22&sd=31
I want an url like below
http://example.com/controller/method/22/31
Html Code is given below
<form action="<?php echo base_url();?>controller/method" method="get">
<div class="form-group">
<select id="id" name="id" class="selectcl form-control" data-live-search="true" title="Pick Your place" >
<option value="22" >22</option>
</select>
</div>
<div class="form-group">
<input type="text" class="form-control" name="sd" id="sd" placeholder="Enter details" title="please choose">//getting values here by autocomplete
</div>
<div class="form-group">
<button type="submit" class="btn find" value="submit" ></i>Start </button>
</div>
</form>
Tried URI Routing and below
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
Please help me to find a solution.
change your form method get to post
<form id="form" action="<?php echo base_url('controller/method');?>" method="post">
add following jquery in the page.
$(function(){
$('button[type="submit"]').on('click', function(e){
e.preventDefault();
var id = $.trim($('#id').val());
var sd = $.trim($('#sd').val());
if(id.length > 0 && sd.length > 0){
var url_string = new URL($('#form').attr('action'));
window.location.href = url_string.href.concat(((url_string.href.endsWith('/')) ? '' : '/'),id,'/',encodeURIComponent(sd));
}
});
});
If you want to pass the value through URL, Try the below link:
Send form input value to URL
I am working on CodeIgniter custom form, In this form, I have used CSRF token after form submit I want to check in controller after form submit if CSRF token is valid or not, can anyone please help me for this issue?
PHP Form code
<form role="form" data-parsley-validate="" novalidate="" class="mb-lg" action="?c=
<?php echo isset($controller) ? $controller : "welcome"; ?>&m=login" method="post">
<div class="form-group has-feedback">
<input name="email" id="exampleInputEmail1" type="email" placeholder="Enter email" autocomplete="off" required class="form-control">
<span class="fa fa-envelope form-control-feedback text-muted"></span>
</div>
<div class="form-group has-feedback">
<input name="password" id="exampleInputPassword1" type="password" placeholder="Password" required class="form-control">
<span class="fa fa-lock form-control-feedback text-muted"></span>
</div>
<div class="clearfix">
<div class="pull-right">
Forgot your password?
</div>
</div>
<?php
$csrf = array(
'name' => $this->security->get_csrf_token_name(),
'hash' => $this->security->get_csrf_hash()
);
?>
<input type="hidden" name="<?php echo $csrf['name'];?>" value="<?php echo $csrf['hash'];?>" />
<button type="submit" class="btn btn-block btn-primary mt-lg">Login</button>
</form>
CodeIgniter does this for you automatically. If it is not valid it will do a show_error with show_error('The action you have requested is not allowed.', 403);
Relevant functions can be found in the /system/core/security class, functions: csrf_verify() and csrf_show_error() (if invalid).
If you have understood by now, if you have csrf enabled in the config and you do not have the appropriate csrf hidden field or use form_open (which adds the field for you) then when you post the request it will fail with the above message. The same goes for AJAX requests - to automate this for ajax requests you can add this to the top of you page wherever there is an ajax request:
<script type="text/javascript">
token["<?php echo $this->security->get_csrf_token_name(); ?>"] = "<?php echo $this->security->get_csrf_hash(); ?>";
jQuery.ajaxSetup({data: token, type: "POST"});
</script>
I tried store data in a session using CI in my register function.
public function register(){
$firstname = $this->input->post('firstname');
$email= $this->input->post('email');
$dev_info = array('fname'=>$firstname, 'eaddress'=>$email);
$this->session->set_userdata($dev_info);
}
and in my other function verification I want to get the session data and pass to the view
public function verification(){
$data['fname'] = $this->session->userdata('fname');
$data['eaddress'] = $this->session->userdata('eaddress');
$this->load->view('index', $data);
}
and I want to save its value in input type
in the view
<input type="hidden" id="firstname" value="<?php echo $fname?>">
<input type="hidden" id="email" value="<?php echo $eaddress?>">
but i am having a hard time saving its value in an input everytime I check using view source. Please help!
you can get session variables one by one also
$first_name = $this->session->userdata('fname');
$email_address = $this->session->userdata('eaddress');
in view you can use these variables or you can write code for view like this
<input type="hidden" id="firstname" value="<?php echo $this->session->userdata('eaddress'); ?>">
<input type="hidden" id="email" value="<?php echo $this->session->userdata('fname')?>">
in controller create session for ur input data
$data['fname'] = $this->session->userdata('fname');
$data['eaddress'] = $this->session->userdata('eaddress');
in view retrieve the input data from the session by adding the value by set_value
<input type="hidden" id="firstname" value="<?php echo set_value('fname'); ?>">
<input type="hidden" id="email" value="<?php echo set_value('eaddress'); ?>">
<form id="login-form" action="brand-dashboard" method="post">
<span class"email">email</span>
<input type="email" name="email">
<span class"email">password</span>
<input type="password" name="password"><br><br>
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
<input type="submit" value="login">
</form>
this is in my view page..then in my route..
Route::get('/brand-dashboard','BrandsController#auth_brand_admin');
in my Brands controller..i use the method like
public function auth_brand_admin()
{
return ('sample text');
}
but i got error when submiting the form ..the error is..
MethodNotAllowedHttpException in RouteCollection.php
Change your code to this
Route::post('/brand-dashboard','BrandsController#auth_brand_admin');
It's because you register route with GET method but send POST request.
I have a settings form that I want to ensure the user doesnt make changes by mistake. When the user is done they will click the save button which will pop up a modal (Bootstrap modals) prompting the user to enter their password to continue with processing the original form.
If the password entered is correct then the first form is submitted, else the page is reloaded / redirected back to itself. The first form will include many fields, but i am just using the one for testing.
<form action="http://localhost.testing/render_confirm_with_password.php" method="POST" id="validation-form" class="form-horizontal confirm-form">
<div class="form-group">
<label for="deletion_reason" class="col-xs-3 col-lg-4 control-label">Enter Your Value</label>
<div class="col-sm-9 col-lg-6 controls">
<input type="text" name="value" placeholder="yourname#email.com" class="form-control" />
</div>
</div>
<div class="form-group">
<div class="col-sm-9 col-sm-offset-3 col-lg-6 col-lg-offset-4">
<!-- <button type="submit" class="btn btn-primary"><i class="icon-ok"></i> Process</button> -->
<button type="submit" class="btn btn-primary" data-toggle="modal" data-target="#password_confirm_modal" data-modal-type="password_confirm" data-modal-title="Delete Transaction" data-modal-text="Are you sure you want to delete this transaction?"><i class="icon-ok"></i> Process</button>
</div>
</div>
</form>
When the user clicks save it will pop up the modal with the form inside is as shown below. This form is processed using jQuery $.ajax()
<form action="#" method="POST" id="validation-form" class="form-horizontal">
<div class="modal-body">
<div class="form-group">
<label for="deletion_reason" class="col-xs-3 col-lg-4 control-label">Password</label>
<div class="col-sm-9 col-lg-6 controls">
<input type="text" name="password" id="password" placeholder="your password" class="form-control" />
</div>
</div>
<p>PASSWORD RESULT -> <span id="password_result"></span></p>
</div>
<div class="modal-footer">
<button class="btn" data-dismiss="modal" aria-hidden="true">Close</button>
<button id="password_confirm_submit" class="btn btn-primary">Process</button>
</div>
</form>
The ajax code is shown below. Once the modals process button is clicked it sets the password before posting it through to the php page to be processed. In the php I check if the password matches the stored password and echo back MATCH or NO MATCH which gets shown in the modal. If the ajax result equals MATCH I then process the first form with $('.confirm-form').submit(); Im sure I haven't done this in a secure manner.
$('#password_confirm_submit').click(function(e){
var password = $('#password').val();
e.preventDefault();
$.ajax({
type: 'POST',
data: {password: password},
url: 'http://localhost.testing/process_confirm_with_password.php',
success: function(result){
$('#password_result').html(result);
if(result == "MATCH"){
// process form_1
$('.confirm-form').submit();
}else{
// back to form_1
}
}
})
});
I tried redirecting from within the PHP if the passwords didnt match but it still processed form one.
Don't worry, its hard coded just for testing
$password = "password";
if(isset($_POST['password'])){
$pw = $_POST['password'];
if($password == $pw){
// process form_1
echo "MATCH";
}else{
// return to form_1
header('Location: http://localhost.testing/confirm_with_password.html');
echo "NO MATCH";
}
}else{
// return to form_1
echo "NOT SET";
}
What the header function in your PHP code that handles the AJAX request does, is it redirects only the AJAX request and not the page in your browser. Remove the redirect as it will not return to form 1.
If you want to close the bootstrap modal box when the password was entered incorrectly, you'd call $("#password_confirm_modal").modal("hide"); or location.reload(); to refresh/reload the page from within your AJAX callback in your else statement where you handle the incorrect password response, but using the latter you would lose all the data entered into the form.
Instead of doing either of the two you could display a warning in the modal box about the password having been entered incorrectly, and let the user try entering the password again. As for the security aspect, you might want to add the correct password as a hidden field into your original form just before it is submitted, so that when saving the actual data the password can be verified.