Skip Navigation

[Resolved] Prevent modification of form input fields

This support ticket is created 6 years, 1 month ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
- 7:00 – 14:00 7:00 – 14:00 7:00 – 14:00 7:00 – 14:00 7:00 – 14:00 -
- 15:00 – 16:00 15:00 – 16:00 15:00 – 16:00 15:00 – 16:00 15:00 – 16:00 -

Supporter timezone: Europe/London (GMT+00:00)

This topic contains 16 replies, has 2 voices.

Last updated by udais 6 years, 1 month ago.

Assisted by: Nigel.

Author
Posts
#1139461
7.png
6.png
5.png
4.png
3.png
2.png
1.png

1. I have added custom field age in post type posts
2. I have created a custom post personal details with following cusum field:
user id ,post id and age
3. I created a form for adding data in custom post type personal details and Created layout for single post and add this form to layout.
4. Form fields are filled automatically user-id with current logged in user id, post-id with current post and age with custom field age.
5. I made form fields read only to prevent editing by user.

Every this works fine. i have made form fields read only but user may edit it by inspect element. I want to prevent editing form by inspect element or any other method. I want to check after clicking submit button on form if form input data does not match means user id with form input field user id , post id with current post id, and input field age with cusum field age then prevent creating post in custom post personal details without javascript and without hiding input fields.

What is the link to your site?
hidden link

#1140282

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi there

There are two types of form validation, client-based (i.e. in the browser) or server-based.

Any kind of client-based solution is vulnerable to being bypassed by your users.

The only kind of certain validation is server-based validation, i.e. after the form has been sent from the browser to the server.

For server-based validation we have the cred_form_validate API hook available: https://toolset.com/documentation/programmer-reference/cred-api/#cred_form_validate

If you use the More button it will show examples of using the hook to check custom field values and setting form error messages if they fail some test.

Try that, and if you get stuck let me know.

#1140423

Hello Nigel
I have gone through link https://toolset.com/documentation/programmer-reference/cred-api/#cred_form_validate and example. but i am really stuck. plz help to validate.

Thanks

#1140425

Hello Nigel
solution is server side validation. Help to validate use.
Thanks

#1141341

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

I re-read your description and I want to clarify how this is set up before I propose a solution.

Standard posts have an age custom field.

The template to display single posts includes a form to publish "personal detail" posts.

That form includes fields for user-id (automatically set to the current user id), post-id (set to the id of the post where the form is displayed), and also age (the value of which comes from the same field of the standard post where the field is displayed).

Is that right?

Is there any user-entered data in the form or is all of the form content automatically set?

For your automatically set fields, you might not want to "validate" the form (which means sending an error message if one of the fields isn't correct). You could simply set the values automatically on the server (and you wouldn't need to even include the fields which are automatically set in the form in the first place).

#1141383

Hello Nigel

you understood correctly.

1.Yes- Standard posts have an age custom field.
2. yes- That form includes fields for user-id (automatically set to the current user id), post-id (set to the id of the post where the form is displayed), and also age (the value of which comes from the
same field of the standard post where the field is displayed).
3. content automatically set No user entered data- Is there any user-entered data in the form or is all of the form content automatically set?

4. all fields are automatically set.
You could simply set the values automatically on the server (and you wouldn't need to even include the fields which are automatically set in the form in the first place).

i don't need any input from user.

Thanks

#1141388

Hello Nigel

If you need access to site i can give.

Good Night

Thanks

#1141422

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

OK, we shouldn't need to add the fields to the form even.

But does the form include a post title field? Or are you happy that it will be auto-generated?

#1141492

Hello Nigel

I yes include the title field same title as title of post (post type post) (auto generated).

Thanks

#1142145

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

I wrote a snippet of code that you can use which I tested and confirm works.

You can add this code at Toolset > Settings > Custom Code:

/**
 * Update fields of personal details post
 */
function tssupp_set_personal_details($post_id, $form_data) {

	if (in_array($form_data['id'], array(497))) {

		// $post_id is the id of the new personal details post
		// $source_post_id is the id of the post from where the form was submitted

		$source_post_id = $form_data['container_id'];
		$user_id = get_current_user_id();
		$age = get_post_meta($source_post_id, 'wpcf-age', true);


		update_post_meta( $post_id, 'wpcf-age', $age );
		update_post_meta( $post_id, 'post_id', $source_post_id );
		update_post_meta( $post_id, 'user_id', $user_id );
	}
}
add_action('cred_save_data', 'tssupp_set_personal_details', 10, 2);

You will need to edit the id of the form ( 497 in my example), and I am also not sure what post meta keys you intend to use for the various fields you add to the personal details post, but it should be clear in the code where these are set so that you can change them as required.

#1142215

Hello Nigel

Thanks. I changed fields as per my post fields. working. but title is auto generated as

"CRED Auto Draft 87b2328fec107663840c1722f048e3ec"

I need same title as title of post(post type post) and same url(custom field in personal details) as url of current post(post type post).

Thanks

#1142272
tille.png

Hello Nigel

i have add following code also
$source_post_title=get_the_title($source_post_id);
$source_post_url=get_post_permalink($source_post_id);

update_post_meta( $post_id, 'wpcf-post-title', $source_post_title );
update_post_meta( $post_id, 'wpcf-post-url', $source_post_title );

post-url & post-title fields(not default title of personal details) updated successfully but title is auto generated like: CRED Auto Draft 87b2328fec107663840c1722f048e3ec

snapshot attached. i want to update title maked in black box in screenshot

Thanks

#1142303

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

You can set the title automatically in the form itself.

Edit your form and find the post title field and use the value attribute to set it to the title of the post where the form is inserted like so:

		[cred_field field="post_title" class="form-control" output="bootstrap" value="[wpv-post-title]"]
#1142350

Hello NIgel

I want to set title from server side not client side because user may modify even field is hidden or readonly like you already given solution for age custom field.

Thanks

#1142400

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

OK. Well, the post title isn't postmeta, you can't get it or update it using get_post_meta or update_post_meta.

You have the id of the source post, so you can get the post title using get_the_title(), and then you can update the new post (for which you also have the post id) using wp_update_post.

See
https://developer.wordpress.org/reference/functions/get_the_title/
and
https://developer.wordpress.org/reference/functions/wp_update_post/