Forms

V4 has a number of new features available to all forms generated by FormBuilder.

Tooltips

Forms can implement Bootstrap tooltips by passing a tooltip parameter to the input methods. DBmap help attributes are automatically used as tooltips on auto-generated forms.

Layouts

You can pass header and footer attributes to your FormBuilder object, and that content will be placed above and below your form.

You can override the layout of particular questions using qtemplate(). For example, to display a checkbox before the prompt for the waiver question, you could do this:

$form->qtemplate("waiver","<p>[[input]] [[prompt]]</p>");

This lets you avoid templating the whole form when you just want to treat one question differently.

Validation

Turn on jQuery form validation to get better CSS highlighting of your missing form data:

form.jquery_validation = 1

If you submit with missing data, those fields will be highlighted on the regenerated form to better indicate which fields require your attention.

If your form has required fields, $config{form}{validation_footer} will automatically be appended to your footer. This can be used to automatically include required input instructions on every form that requires it. For example:

form.validation_footer = * These fields are required.

Security and Form Abuse

All forms generated by FormBuilder now track how old they are, and you can expire them to disable submissions. They track this information using an encrypted hidden input named _fbkey.

To use this feature, make the following call when processing data that has been posted to your form:

my $input = ExSite::Input->new();
my $postdata = $input->post();
# check the age/expiry key that FormBuilder embedded in the form
my $formstat = $input->validate_fbkey($postdata->{_fbkey});

validate_fbkey will return one of the following statuses:

  • ok - the form post is acceptable
  • old - the post comes from a form that is suspiciously old, but does not otherwise have an explicit expiry date
  • expired - the post comes from a form that is past its expiry date
  • missing - there is no fbkey in the form data; if one is expected, the form has been tampered with and should be rejected

This is useful for detecting form abuse such as:

  • robots posting to old URLs or previously crawled/saved forms
  • XSS attacks that attempt to spoof your forms

To give your form an explicit expiry date/time, do something like this to your FormBuilder object when building your form:

$form->expires(10,"minutes");

# or

$form->expires(1,"month");

Note that if a form is expired, the system also throws away the post data.

You will not get an "expired" status for a form post if you do not set an explicit expiry time. You can still get an "old" status if the form age is greater than 7 days for static forms, and 24 hours for dynamic ones. The system doesn't throw away the data in this case; you have to judge for yourself what to do with it.

Static forms in general can grow quite old, so the form (or the page the form is embedded on) should be republished on a regular schedule (e.g. daily or weekly) to refresh the key. Then a result of "old" will indicate something suspicious is happening even if you don't set an explicit expiry.
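
The four statuses and the age thresholds described above can be seen end to end in the following added example, which is not ExSite code and does not reproduce the real _fbkey format. It swaps in an HMAC-signed timestamp for the encrypted key; make_key, check_key, ct_eq, the field layout and the secret are all hypothetical, and treating a key that fails verification as "missing" is an assumption of this sketch.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Illustration only: NOT the ExSite _fbkey format. All names are hypothetical.
my $SECRET  = "constructed-demo-secret";    # placeholder; stays on the server
my %MAX_AGE = (static => 7 * 86400, dynamic => 86400);  # "old" limits from the text

# Hidden-field value: kind|created|expiry|mac (expiry 0 = no explicit expiry).
sub make_key {
    my ($kind, $created, $expiry) = @_;
    my $body = join "|", $kind, $created, $expiry || 0;
    return "$body|" . hmac_sha256_hex($body, $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return ok / old / expired / missing for a posted key, evaluated at time $now.
sub check_key {
    my ($key, $now) = @_;
    return "missing" unless defined($key) && length($key);
    my ($kind, $created, $expiry, $mac) = split /\|/, $key, 4;
    return "missing" unless defined $mac;
    # Assumption: a key that fails verification is handled like a missing one.
    return "missing" unless ct_eq($mac, hmac_sha256_hex("$kind|$created|$expiry", $SECRET));
    return "expired" if $expiry && $now > $expiry;
    return "old"     if !$expiry && $now - $created > $MAX_AGE{$kind};
    return "ok";
}

my $now = 1_700_000_000;    # constructed "current" time
# Constructed tamper case: creation time rewritten after the key was issued.
(my $edited = make_key("static", $now - 8 * 86400, 0)) =~ s/\|\d+\|/|$now|/;
my @cases = (
    ["fresh dynamic form",      make_key("dynamic", $now - 600, 0)],
    ["static form, 8 days old", make_key("static", $now - 8 * 86400, 0)],
    ["past explicit expiry",    make_key("dynamic", $now - 900, $now - 300)],
    ["timestamp edited",        $edited],
    ["no key posted",           undef],
);
printf "%-24s => %s\n", $_->[0], check_key($_->[1], $now) for @cases;
```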