I have an HTML form that calculates total quantity and price. I can put this total into an input field to be submitted. However, I don't want the user to be able to change it. If i put it in a div and display it, it's not submitted with the form.
How do I display the total and submit it without letting the user change it?
I'm probably missing something basic here. Any help appreciated.
I have an HTML form that calculates total quantity and price. I can put this total into an input field to be submitted. However, I don't want the user to be able to change it. If i put it in a div and display it, it's not submitted with the form.
How do I display the total and submit it without letting the user change it?
I'm probably missing something basic here. Any help appreciated.
Share Improve this question asked Jul 6, 2014 at 14:49 wibberdingwibberding 8353 gold badges10 silver badges17 bronze badges 3-
1
just give the input a
readonlyattribute...it's from the 90's. why would you want to submit something the server already knows anyway? – vsync Commented Jul 6, 2014 at 14:51 - vsync, This is it. Submit this as an answer and I'll choose it. It's for a client that wants it this way. – wibberding Commented Jul 6, 2014 at 14:56
- ok, done. you can now choose it – vsync Commented Jul 6, 2014 at 16:05
2 Answers
Reset to default 5If you want no security (via tamper prevention) use the readonly attribute:
HTML5
<input type="text" value="MY_DATE" readonly>
HTML4
<input type="text" value="MY_DATE" readonly="readonly" />
The type="text" can be omitted, but I personally find it helps newer developers see what type the input is at first glance.
Your best bet (for proper security) is to either encrypt or sign the data and send it as a hidden form element. Then once it es back to the server you can either decrypt it (to keep using it) or check the signature to ensure it hasn't been tampered with.
Then from a frontend point of view you can just make the data not an input (or readonly) and then you should be golden. The technique is used a lot by web frameworks such as CakePHP when it supplies the id in a hidden element, and signs it to ensure no tampering.
Server
signed = sha(date, salt);
Frontend
input[type="hidden"].value = signed;
input[type="text"][readonly].value = date;
Server (on submit)
if(signed === sha(POST[date], salt) {
//date has not changed
} else {
// date has changed
}
For a11y (accessibility) you should still use a form element when showing data related to what is being sent off, so using a text input is advised over a div.
Using readonly is far better off than disabled as disabled will remove the input from the request all together, resulting in your server not receiving it.
See here.
Here is a quick snippet of how to do it in PHP.
Server
$salt = '...'; //This should be stored securely in your application.
$date = ... //However you are storing your date.
$signed_date = hash('sha512', $salt . $date);
Frontend
<input type="hidden" value="<?php echo $signed_date; ?>" name="signed_date" />
<input type="text" value="<?php echo $date; ?>" readonly name="date" />
Server (on submit)
$salt = '...';
$date = &$_POST['date'];
$signed_date = &$_POST['signed_date'];
if(hash('sha512', $salt . $date) === $signed_date) {
echo "wooo!";
} else {
echo "ohhh";
}
Give the input a readonly attribute: