Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

greyed out text fields

  • 10-05-2006 1:40pm
    #1
    Registered Users, Registered Users 2 Posts: 224 ✭✭


    Hi Guys,

    Anybody know a quick way to make form text fields greyed, displaying info in them but to have them uneditable..

    Cheers


Comments

  • Closed Accounts Posts: 169 ✭✭akari no ryu


    Hi Guys,

    Anybody know a quick way to make form text fields greyed, displaying info in them but to have them uneditable..

    Cheers
    <input type="text" name="blah" disabled="disabled"/>
    
    With javascript, you edit this with
    myForm.blah.disabled=true;
    myForm.blah.disabled=false;
    


  • Registered Users, Registered Users 2 Posts: 1,169 ✭✭✭dangerman


    also readonly

    <input type="text" name="blah" readonly="readonly"/>


    i think disabled doesn't submit the info to the server, whereas readonly does. <-- i may be mixing this up with an application specific thing though.


  • Registered Users, Registered Users 2 Posts: 224 ✭✭The Mighty Dubs


    legendary


  • Closed Accounts Posts: 169 ✭✭akari no ryu


    dangerman wrote:
    also readonly

    <input type="text" name="blah" readonly="readonly"/>


    i think disabled doesn't submit the info to the server, whereas readonly does. <-- i may be mixing this up with an application specific thing though.
    I think you're right, actually. It's been a while since I've done any front end html stuff other than to work with js.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Correct, readonly does submit to the server.

    Be aware of security concerns. Let's say for example, you're coding a script for a User Control Panel where users can see their details. One detail is their access level.
    Unless the user has access level "Administrator", you don't want the users to be able to change this, but you do want them to see this.
    If you use "readonly", the access level field is submitted to the server along with any other changes. But the user can't change the access level field, right? Wrong. Plenty of handy plug-ins exist (I'm using one right now) that allow you to change fields from readonly to editable on-the-fly.
    If you use "disabled" (and don't use a "name" attribute), the field doesn't get submitted to the script, and you've closed off one possible avenue of hacking.


  • Advertisement
  • Closed Accounts Posts: 169 ✭✭akari no ryu


    seamus wrote:
    Correct, readonly does submit to the server.

    Be aware of security concerns. Let's say for example, you're coding a script for a User Control Panel where users can see their details. One detail is their access level.
    Unless the user has access level "Administrator", you don't want the users to be able to change this, but you do want them to see this.
    If you use "readonly", the access level field is submitted to the server along with any other changes. But the user can't change the access level field, right? Wrong. Plenty of handy plug-ins exist (I'm using one right now) that allow you to change fields from readonly to editable on-the-fly.
    If you use "disabled" (and don't use a "name" attribute), the field doesn't get submitted to the script, and you've closed off one possible avenue of hacking.
    I agree with Seamus. You really shouldn't be using a form element to store that kind of information, that's what sessions were made for :)


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    I agree with Seamus. You really shouldn't be using a form element to store that kind of information, that's what sessions were made for :)

    Actually, after reading Seamus' post this morning, I checked this on a system I wrote for work, and sure enough was able to do exactly what he said.

    Sessions can help, but you have to use them correctly. For instance, I viewed the source of the form and saved it to my PC. I amended the HTML so the "action" of the form was pointing to the original one on the webserver. I changed the value of the form fields to whatever I wanted, and hey presto - I could get admin access to the application :o

    I had been checking Session state, but all I had to do was log in to the system with one tab on Firefox, and execute the form in another tab so a session was active. Can't believe I had written such an insecure application - just glad that it's an internal app that doesn't contain and sensitive info.


  • Registered Users, Registered Users 2 Posts: 1,169 ✭✭✭dangerman


    eoin_s wrote:
    Sessions can help, but you have to use them correctly. For instance, I viewed the source of the form and saved it to my PC. I amended the HTML so the "action" of the form was pointing to the original one on the webserver. I changed the value of the form fields to whatever I wanted, and hey presto - I could get admin access to the application :o


    Yep. I've seen people forget this fact. In an ecommerce system.


Advertisement