How to create a search bar with 2 inputs - searchbar

I'm still kind of new to this and although I've searched the web (a lot) I can't seem to find any info on how to code a double input search bar.
My example being; one search bar for 'location' and the second for the 'product' they are looking for displayed inline with a single button to search.
Something like this:
https://www.gumtree.com/
If anyone could point me in the right direction or supply any information I would be very grateful,
Thank you

It seems you're learning the bases of interactions with users.
Basically, you need two things:
a form in your HTML page: <form method="GET|POST" action="YOUR_URL">, including text input fields: <input type="text" name="YOUR_NAME"> and a submit button: <input type="submit">
a script server-side, at URL "YOUR_URL", which will be called when a user submits the form. This is where you define appropriate actions to be taken with user entered data.
Assuming you'll be scripting in PHP (but there are other languages available, see what's installed on your server), your script has access to the returned form fields values in following arrays:
. $_POST (if sent from a method="POST"form),
. $_GET (if method="GET") and
. $_REQUEST (forget it for now).
For example, if your form method is POST, you'll get the value of <input type="test" name="email"> in your PHP script like this: $userMail = $_POST['email'];
It wouldn't make much sense to give further explanation here, there are plenty of tutorials and documentation on the web, now that you know what you're looking for ;-)
For example:
http://php.net/manual/en/tutorial.forms.php (official php doc, short but efficient)
http://www.w3schools.com/php/php_forms.asp and following chapters (easy start point).
Once you've got it working, pay special attention to unawaited characters that user could type and that could interfere in your code (especially quotes and special characters like "<>&"...).
Keywords: escape string, addslashes, htmlspecialchars, mysql_real_escape_string, etc... depending of what you then do with this data.
And if you're data is used in database queries, you should also check for keywords: sql injection, prepared statements.

Related

Parsing form arrays In Go

I need to be able to to something like this in my HTML forms:
<form method="POST">
<input type="text" name="cart[items][1][qty]" value="3"/>
<input type="text" name="cart[items][2][qty]" value="7"/>
<input type="submit" value="Update cart"/>
</form>
Problem is, if I print out r.Form (after r.ParseForm() of course!), it is revealed that Go parses it as separate strings - not the nested hierarchy I'm after.
I was able to find an alternative in http://www.gorillatoolkit.org/pkg/schema , however I'd be very interested in finding out if there's a native/vanilla solution, since I usually tend to try an limit external packages, if I don't need them.
To be more specific, in the above example I'd expect to get the entire nested slice/map, when I do r.Form["cart"], but that's obviously not how it works. The value I get is [].
Is using schema the best solution for this, or is it possible to achieve exactly what I'm after? If then, how would you do it? :-)
This syntax is actually is not standard de jure. It is used sometimes when the site backend is powered by PHP, but not very frequently.
I think that there is no reason for the standard Go library to support it.
Native solution exists in a sense that you have all the tools to implement it: string manipulations, etc. However, nowadays there is no point to implement it as you always can send task-specific JSON.
And even you insist on creating it, it will be not as simple as it is in PHP because Go is typed language and PHP is not. And accessing such structure will be not easy as you will have to implement it as map[string]interface{}, which is not the proper Go way (the Go way, BTW, is to typed data structures).

Purpose of web app input validation for security reasons

I often encounter advice for protecting a web application against a number of vulnerabilities, like SQL injection and other types of injection, by doing input validation.
It's sometimes even said to be the single most important technique.
Personally, I feel that input validation for security reasons is never necessary and better replaced with
if possible, not mixing user input with a programming language at all (e.g. using parameterized SQL statements instead of concatenating input in the query strings)
escaping user input before mixing it with a programming or markup language (e.g. html escaping, javascript escaping, ...)
Of course for a good UX it's best to catch input that would generate errors on the backand early in the GUI, but that's another matter.
Am I missing something or is the only purpose to try to make up for mistakes against the above two rules?
Yes you are generally correct.
A piece of data is only dangerous when "used". And it is only dangerous if it has special meaning in the context it is used.
For example, <script> is only dangerous if used in output to an HTML page.
Robert'); DROP TABLE Students;-- is only dangerous when used in a database query.
Generally, you want to make this data "safe" as late as possible. Such as HTML encoding when output as HTML to an HTML page, and parameterised when inserting into a database. The big advantage of this is that when the data is later retrieved from these locations, it will be returned in its original, unsanitized format.
So if you have the value A&B O'Leary in an input field, it would be encoded like so:
<input type="hidden" value="A& O'Leary" />
and if this is submitted to your application, your programming framework will automatically decode it for you back to A&B O'Leary. Same with your DB:
string name = "A&B O'Leary";
string sql = "INSERT INTO Customers (Name) VALUES (#Name)";
SqlCommand command = new SqlCommand(sql);
command.Parameters.Add("#Name", name];
Simples.
Additionally if you then need to give the user any output in plain text, you should retrieve it from your DB and spit it out. Or in JavaScript - you just JavaScript entity encode (although best avoided for complexity reasons - I find it easier to secure if I only output to HTML then read the values from the DOM).
If you'd HTML encoded it early, then to output to JavaScript/JSON you'd first have to convert it back then hex entity encode it. It will get messy and some developers will forget they have to decode first and you will have &amps everywhere.
You can use validation as an additional defence, but it should not be the first port of call. For example, if you are validating a UK postcode you would want to whitelist the alphanumeric characters in upper and lower cases. Any other characters would be rejected or removed by your application. This can reduce the chances of SQLi or XSS occurring on your application, but this method falls down where you need inputs to include characters that have special meaning to your output context (" '<> etc). For example, on Stack Overflow if they did not allow characters such as these you would be preventing questions and answers from including code snippets which would pretty much make the site useless.
Not all SQL statements are parameterizable. For example, if you need to use dynamic identifiers (as opposed to literals). Even whitelisting can be hard, sometimes it needs to be dynamic.
Escaping XSS on output is a good idea. Until you forget to escape it on your admin dashboard too and they steal all your admin's cookies. Don't let XSS in your database.

Where to find documentation for form field types?

I'm getting frustrated with my own inability to find a source of information regarding what options / attributes are to be used when defining the XML file for a form in a component.
The file I'm talking about might be located in /administrator/components/com_report_wiz/models/forms, as an example. It defines the field to be used in the admin form for a component. I used a component creator to build a sample component as a learning experience. It created an xml file in that folder which has fieldset elements that then contain field elements. This us then used with the getLabel and getInput methods of JForm to generate the form shown in the admin interface. That's terrific!
But, after spending hours Googleing everything I could think of, I still can't find any reference that shows what types of fields are available, and their parameters/options. I've found lot's of tutorials and such regarding creating custom field types, and that's been interesting.
In the file I'm looking at, for example, the following creates a simple text input field in the form:
<field name="rpt_appname" type="text"
label="COM_REPORT_WIZ_FORM_LBL_REPORT_RPT_APPNAME"
description="COM_REPORT_WIZ_FORM_DESC_REPORT_RPT_APPNAME"
default="None"
maxlength="100" />
I would love to find some reference that lists the different possible values for the "type" attribute, and the parameters that can be used with each.
I'm beginning to think I'm dumber than a box of rocks since I can't figure out where to find information on some of the most basic parts of Joomla! development. The docs that are auto-generated from the code are less than helpful to me since they don't explain the parameters to functions. It's nice to know what parameters a method/function expects, but it's more helpful to understand what those parameters are and contain.
The tutorials have been helpful, but are mostly too basic to use for more advanced features, or at least as a source of information. They have been great, and I really appreciate the effort the authors have put into them, but now that I've gone through them, I find it difficult to discover the info needed to write a proper, complex component. With a system as complex and extensive as Joomla, it seems that there should be a place to find out how to use the wonderful abilities it provides without having to resort to reading the source code.
Any suggestions about where to search, search terms would be greatly appreciated!!
The first starting point would be to look at the Joomla! Documentation - I know sometimes it is frustrating to use it, but give it a change. It gets better and better as we speak.
Typing in the search box text will get you to the page Text form field type. Also in the documentation you will find a list of Standard form field types.
My favourite way of doing is directly inspecting the code in JOOMLA_ROOT/libraries/joomla/form/fields for the needed form type. You get to see there all the parameters and quicklier understand why something does not work the way you think it should work.
Since you are new to Joomla, your questions might get a better attention at the Joomla! Q&A site.
Hope this answers your question.

How do I take each line of a text file and insert them into a web form? Specifically, for testing domain name availability

I wrote a Ruby script that appended "data" to the beginning of every word of the English dictionary, and then filtered out various strings using different parameters, and now I want to use a site like namecheap or gandi.net in order to take each of these strings and insert them into the domain name availability checker in order to determine which ones are available.
It is my understanding that this will involve making a POST HTTP request of some kind, as well as grabbing the element in question, but I don't really understand the dynamics of what to read about in order to do this kind of thing.
I imagine that after a few requests I will be limited, but as a learning exercise I am still curious as to how I would go about doing this.
I inspected the element (on namecheap) to see what the tag looked like, to find any uniquely identifiable class/id names that I could use to grab that specific part of the source, and found that inside a fieldset tag, there was a line of HTML that I can't seem to paste here, so here is a picture:
Thanks in advance for any guidance in helping me learn about web scripting!

HTML Purifier Codeigniter

I found several posts stating that xss_clean is not sufficient for sanitizing user input. Many of them suggested to use htmlpurifier in codeigniter.
I don't know what htmlpurifier exactly does and how it does. How to implement html purifier.
Please guide.
xss_clean actually isn't half bad, just don't expect it to be a magic bullet in the sense of 'I use xss_clean, now my whole website is secure'.
You still have to validate input and escape output. Simply put: you have to maintain control over what people can enter in your website, and you shouldn't trust anything that is in your database, so you escape the data before you use it or show it. If you use xss_clean and form validation for sanitizing the input and you escape the output before doing anything with it or showing it, you should be just fine.
Good reads:
Codeigniter xss_clean dilemma
and
http://codeigniter.com/forums/viewthread/188698

Resources