
greyed out text fields

  • 10-05-2006 2:40pm
    #1
    Registered Users Posts: 224 ✭✭


    Hi Guys,

    Anybody know a quick way to make form text fields greyed, displaying info in them but to have them uneditable..

    Cheers


Comments

  • Closed Accounts Posts: 169 ✭✭akari no ryu


    Hi Guys,

    Anybody know a quick way to make form text fields greyed, displaying info in them but to have them uneditable..

    Cheers
    <input type="text" name="blah" disabled="disabled"/>
    
    With javascript, you edit this with
    myForm.blah.disabled=true;
    myForm.blah.disabled=false;
    


  • Registered Users Posts: 1,169 ✭✭✭dangerman


    also readonly

    <input type="text" name="blah" readonly="readonly"/>


    i think disabled doesn't submit the info to the server, whereas readonly does. <-- i may be mixing this up with an application specific thing though.


  • Registered Users Posts: 224 ✭✭The Mighty Dubs


    legendary


  • Closed Accounts Posts: 169 ✭✭akari no ryu


    dangerman wrote:
    also readonly

    <input type="text" name="blah" readonly="readonly"/>


    i think disabled doesn't submit the info to the server, whereas readonly does. <-- i may be mixing this up with an application specific thing though.
    I think you're right, actually. It's been a while since I've done any front end html stuff other than to work with js.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Correct, readonly does submit to the server.

    Be aware of security concerns. Let's say for example, you're coding a script for a User Control Panel where users can see their details. One detail is their access level.
    Unless the user has access level "Administrator", you don't want the users to be able to change this, but you do want them to see this.
    If you use "readonly", the access level field is submitted to the server along with any other changes. But the user can't change the access level field, right? Wrong. Plenty of handy plug-ins exist (I'm using one right now) that allow you to change fields from readonly to editable on-the-fly.
    If you use "disabled" (and don't use a "name" attribute), the field doesn't get submitted to the script, and you've closed off one possible avenue of hacking.


  • Closed Accounts Posts: 169 ✭✭akari no ryu


    seamus wrote:
    Correct, readonly does submit to the server.

    Be aware of security concerns. Let's say for example, you're coding a script for a User Control Panel where users can see their details. One detail is their access level.
    Unless the user has access level "Administrator", you don't want the users to be able to change this, but you do want them to see this.
    If you use "readonly", the access level field is submitted to the server along with any other changes. But the user can't change the access level field, right? Wrong. Plenty of handy plug-ins exist (I'm using one right now) that allow you to change fields from readonly to editable on-the-fly.
    If you use "disabled" (and don't use a "name" attribute), the field doesn't get submitted to the script, and you've closed off one possible avenue of hacking.
    I agree with Seamus. You really shouldn't be using a form element to store that kind of information, that's what sessions were made for :)


  • Registered Users Posts: 21,257 ✭✭✭✭Eoin


    I agree with Seamus. You really shouldn't be using a form element to store that kind of information, that's what sessions were made for :)

    Actually, after reading Seamus' post this morning, I checked this on a system I wrote for work, and sure enough was able to do exactly what he said.

    Sessions can help, but you have to use them correctly. For instance, I viewed the source of the form and saved it to my PC. I amended the HTML so the "action" of the form was pointing to the original one on the webserver. I changed the value of the form fields to whatever I wanted, and hey presto - I could get admin access to the application :o

    I had been checking Session state, but all I had to do was log in to the system with one tab on Firefox, and execute the form in another tab so a session was active. Can't believe I had written such an insecure application - just glad that it's an internal app that doesn't contain any sensitive info.


  • Registered Users Posts: 1,169 ✭✭✭dangerman


    eoin_s wrote:
    Sessions can help, but you have to use them correctly. For instance, I viewed the source of the form and saved it to my PC. I amended the HTML so the "action" of the form was pointing to the original one on the webserver. I changed the value of the form fields to whatever I wanted, and hey presto - I could get admin access to the application :o


    Yep. I've seen people forget this fact. In an ecommerce system.
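
The server-side check the posts above converge on, as an added example that is not part of any post in the thread: a handler that only checks for a live session and trusts every submitted field, next to one that takes privilege from the server's own record and copies only allow-listed fields. All names (`users`, `updateProfileVulnerable`, `updateProfileHardened`, `SELF_EDITABLE`) and the sample data are hypothetical.

```javascript
// Added example: server-side handling of a profile form that shows accessLevel
// in a readonly field. All names here are hypothetical, not from the thread.

// Constructed sample data: the server's own record of each user.
const users = new Map([
  ["alice", { email: "alice@example.test", accessLevel: "User" }],
  ["root", { email: "root@example.test", accessLevel: "Administrator" }],
]);

// Vulnerable: a valid session is checked, but every submitted field is trusted,
// including the one the page rendered as readonly.
function updateProfileVulnerable(session, form) {
  if (!session || !users.has(session.username)) return { ok: false, reason: "no session" };
  Object.assign(users.get(session.username), form);
  return { ok: true };
}

// Hardened: identity and privilege come from the server-side record; only
// allow-listed fields are copied, and accessLevel needs an Administrator caller.
const SELF_EDITABLE = ["email"];

function updateProfileHardened(session, form) {
  if (!session || !users.has(session.username)) return { ok: false, reason: "no session" };
  const caller = users.get(session.username);
  const ignored = [];
  for (const [field, value] of Object.entries(form)) {
    if (SELF_EDITABLE.includes(field)) {
      caller[field] = String(value);
    } else if (field === "accessLevel" && caller.accessLevel === "Administrator") {
      caller.accessLevel = String(value);
    } else {
      ignored.push(field); // worth logging: the form never offers these as editable
    }
  }
  return { ok: true, ignored };
}

// Constructed request: a logged-in ordinary user submits the form with the
// readonly field changed, as described in the thread.
function demo() {
  const session = { username: "alice" };
  const tampered = { email: "new@example.test", accessLevel: "Administrator" };
  const result = updateProfileHardened(session, tampered);
  return { result, stored: users.get("alice") };
}
console.log(JSON.stringify(demo()));
```

The `ignored` list is a useful detection signal: a field arriving that the rendered form marks readonly or omits means the request was not produced by the unmodified page.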

