Re: Can an input field have a blank name?

Posted by:  Alan J. Flavell (flave…
Date: Mon, 5 Sep 2005

On Mon, 5 Sep 2005, Clive Backham wrote:

> I'm having trouble with Instant Payment Notification on PayPal. One
> of the forms that they generate, which invokes one of my scripts,
> has a submit button with a blank name. The HTML fragment is this:
> <input type="submit" name="" value="Continue">
> This causes the FORMDATA that is sent to my script to start like
> this:
> =Continue&nextparam=value&....
> My initial reaction was that this can't possibly be valid HTML, but
> I put together a brief page including such a field and submitted it
> to W3.ORG's validator, and it was reported as "tentatively valid".

Presumably, the "tentative" had some other cause than this...?

> So now I'm led to believe that having a blank name on an input field
> is valid.

I think it probably is.  Validity is good, but it's only part of the
story, and in this case it's rather a small part of the story...

Really, if you're interested in the server-side activity, then the
question of what is or isn't "valid" HTML (interesting as it might be
for its own sake) is NOT your major problem.

Server-side form evaluation *needs* to be ironclad and fully defended
against anything, and I do mean ANYTHING, that can be thrown at it,
bearing in mind that a malicious user could write their own HTML form
if they cared to, and submit it to your server.  Or worse.  If your
server side process can be fooled by that, then you have a security
compromise in the making: just how serious that might be depends on
what the activity is.  If it's about money, then it could be serious.

> But how is the received script supposed to parse it?

By executing some code?

Sorry, but this -is- a serious matter.  If you don't feel up to
tackling it yet, then there's no harm in asking, and doing some
exercises; but please don't put it on the live web until it's
battle-hardened.  Which really isn't an HTML problem as such (you'd be
more at home on a group that handles server-side processing - maybe
comp.infosystems.www.authoring.cgi - beware its automoderation bot).

good luck
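The parsing question raised above, as an added example that is not part of the original thread: a small Python routine that parses a form body containing a nameless field of the kind quoted in the post, and then checks it against the fields the script actually expects instead of trusting whatever arrived. The sample body and the expected field names are constructed for illustration; the real IPN variable names are not given in the thread.

```python
from urllib.parse import unquote_plus

# Constructed sample body modelled on the fragment in the post; the "...."
# in the original is replaced with made-up fields, not real PayPal data.
SAMPLE_BODY = "=Continue&txn_id=ABC123&payment_status=Completed&custom=hello+world"

# Assumed set of field names the server-side script cares about.
EXPECTED_FIELDS = {"txn_id", "payment_status"}


def parse_form(body: str, max_fields: int = 100) -> dict:
    """Parse application/x-www-form-urlencoded data into name -> [values].

    A field such as '=Continue' has an empty name; it is syntactically fine,
    so the parser keeps it as the key '' rather than failing on it.  Field
    count is capped so an oversized body cannot exhaust memory.
    """
    fields = [f for f in body.split("&") if f]  # drop empty segments
    if len(fields) > max_fields:
        raise ValueError("too many form fields")
    form: dict = {}
    for field in fields:
        # partition() on the first '=' gives ('', '=', 'Continue') for
        # '=Continue' and (name, '', '') for a field with no '=' at all.
        raw_name, _, raw_value = field.partition("=")
        name = unquote_plus(raw_name)
        value = unquote_plus(raw_value)
        form.setdefault(name, []).append(value)  # duplicates are preserved
    return form


def check_form(form: dict, expected=EXPECTED_FIELDS) -> list:
    """Return a list of problems found by a whitelist check.

    Every expected field must appear exactly once (a duplicate is as
    suspicious as a missing one); any other field, the nameless submit
    button included, is reported as ignored rather than acted upon.
    """
    problems = []
    for name in sorted(expected):
        count = len(form.get(name, []))
        if count != 1:
            problems.append(f"{name!r}: expected exactly one value, got {count}")
    for name in form:
        if name not in expected:
            problems.append(f"unexpected field {name!r} ignored")
    return problems


if __name__ == "__main__":
    parsed = parse_form(SAMPLE_BODY)
    print(parsed)
    print(check_form(parsed))
```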