Form Builder - display captured data on redirect page?

By Toledoh - July 21, 2020 - edited: July 21, 2020

Hi All.

I'm currently using Form Generator to have a fairly basic web-form.  When submitted without error, the page redirects to a thank-you page.

// on success
redirectBrowserToURL("https://domain.com.au/thanks/");
exit;
}

Is there a simple way to display the data that they entered in the form, on that confirmation page?

i.e. can we use the $_REQUEST['first_name'] and display "Thank you [name] for submitting"?

Cheers,

Tim (toledoh.com.au)

By Codee - July 24, 2020

This would be helpful...and cool! I was literally JUST going through this myself. Interactive Tools: Please post any detailed reply or mod changes to this.

By Toledoh - July 26, 2020

Excellent - thanks Daniel!

Cheers,

Tim (toledoh.com.au)

By Codee - November 12, 2020

Daniel, does using GET in this manner (to pass personal data via the url) open up a security hole (as opposed to some way using POST)?

By daniel - November 12, 2020

Hi equinox,

In general, to a dedicated attacker, the difference between GET and POST is negligible. So, when escaping/validating incoming data, it should be assumed that any attack possible with one method will be possible with the other.

If the concern is about exposing personal information, both methods will be equally encrypted by HTTPS during transfer (assuming HTTPS is being used). The one potential difference is that a URL with GET parameters can be saved in a user's browser history, so I would avoid using it for data that is specifically sensitive or private.

Let me know if you have any other questions!

Thanks,

Daniel
Technical Lead
interactivetools.com

By Codee - November 12, 2020

> The one potential difference is that a URL with GET parameters can be saved in a user's browser history, so I would avoid using it for data that is specifically sensitive or private.

THAT is what I was referring to. While I am no expert (for sure), it's been my understanding that using GET makes substitutions via the url (especially after the "?") fairly easy and should be avoided if possible. 

By daniel - November 12, 2020

Hi Equinox,

> THAT is what I was referring to. While I am no expert (for sure), it's been my understanding that using GET makes substitutions via the url (especially after the "?") fairly easy and should be avoided if possible.

Yes, it's true that it's easier to modify the contents of GET variables, and if there are no other considerations, I would recommend using POST instead of GET (for a number of reasons). I was mostly just trying to stress that this doesn't make data sent by POST implicitly more secure or trustworthy. The way I think of it is this: "GET could be changed by both curious and malicious users. POST will only be changed by malicious users." In either case, we assume the possibility that the values could be changed and validate/escape the data accordingly.

Case-by-case use of GET can be useful as it's much simpler to implement in certain situations (such as this one), but overall I agree POST should be the default approach.

Thanks!

Daniel
Technical Lead
interactivetools.com
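
Added example, not part of the original thread and not Interactive Tools' code: one way to pass `first_name` to the thank-you page over GET while validating and escaping it as the reply above recommends. The helper names `thanksUrl`, `cleanName` and `greeting` are hypothetical, and so are the allow-list and the 50-character limit; only `first_name`, `redirectBrowserToURL` and the /thanks/ URL come from the thread.

```php
<?php
// Added example. Helper names, the allow-list and the length limit are assumptions.

// Form handler side: percent-encode the value when building the redirect URL.
// Used as: redirectBrowserToURL(thanksUrl('https://domain.com.au/thanks/', $firstName)); exit;
function thanksUrl(string $base, string $firstName): string {
    return $base . '?' . http_build_query(['first_name' => $firstName]);
}

// Thank-you page side: the parameter is untrusted whether it arrived by GET or POST.
function cleanName($raw): string {
    if (!is_string($raw)) {
        return '';                                 // e.g. ?first_name[]=x arrives as an array
    }
    // Drop control characters; preg_replace returns null on invalid UTF-8.
    $name = trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $raw) ?? '');
    // Allow-list: letters, combining marks, space, apostrophe, dot, hyphen; 1-50 characters.
    if (!preg_match('/^[\p{L}\p{M} \'.\-]{1,50}$/u', $name)) {
        return '';
    }
    return $name;
}

// Used as: echo greeting($_GET['first_name'] ?? null);
function greeting($raw): string {
    $name = cleanName($raw);
    if ($name === '') {
        return 'Thank you for submitting.';        // generic fallback, nothing reflected
    }
    // Escape at output time for the HTML context, even after validation.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Thank you {$safe} for submitting.";
}

// Constructed sample inputs: two plausible names, markup, an array, an oversized value.
$samples = ['Tim', "Anne-Marie O'Neil", '<b>Tim</b>', ['x'], str_repeat('a', 500)];
foreach ($samples as $sample) {
    echo greeting($sample), "\n";
}
echo thanksUrl('https://domain.com.au/thanks/', "Anne-Marie O'Neil"), "\n";
```

For values that should not end up in browser history, the same `greeting()` call works unchanged if the form handler stores the name in `$_SESSION` and the thank-you page reads it from there instead of from the URL.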

By Codee - November 12, 2020

Thanks, Daniel!