Forms
HTML forms are defined like this:
<form method="get | post" action="http://www.mywebsite/program.mvc">
…
</form>
When a web form is submitted with its method attribute set to get or post, the variables and their values are passed as name/value pairs to the receiving program specified in the action attribute. These variables are received as global MivaScript variables named after the form fields.
Form Field Variables
The <form> tag’s fields become global variables in the target MivaScript program. Hidden fields let you include data that isn’t visible to the user.
<form method="post" action="{ g.URL_program }">
<input type="hidden" name="Action" value="LOGN">
<input type="hidden" name="Screen" value="ACNT">
<h3>Sign In</h3>
<label for="Customer_Login">Username:</label>
<input type="text" name="Customer_Login" value="{ g.Customer_Login }"><br>
<label for="Customer_Password">Password:</label>
<input type="password" name="Customer_Password"><br>
<input type="submit" value="Login">
</form>
Resulting Form Source
When rendered, the form might look like:
<form method="post" action="http://www.mysite.com/login.mvc">
…
</form>
Upon submission, the login.mvc program receives these globals: g.Store_code, g.Action, g.Customer_Login, and g.Customer_Password.
Embedding Hidden Variables
Use <MvHIDE> to insert multiple hidden fields easily:
<form method="post" action="{ l.url_program_name }">
<MvHIDE FIELDS="screen, action">
</form>
Security
Form field variables pose a security risk when untrusted input is passed directly into your script: the client controls every submitted value, hidden fields included. It’s recommended to sanitize inputs with encodeentities(), and to trim or normalize them before use.
<MvASSIGN NAME="g.Screen" VALUE="{ trim(encodeentities(g.Screen)) }">
<MvASSIGN NAME="g.Action" VALUE="{ trim(encodeentities(g.Action)) }">
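The following is an added example, not code from the original page: it goes one step beyond encoding and accepts g.Action and g.Screen only when they match a known code, then encodes the free-text login value at the point where it is written back into the page. The function name Allowed_Code and the pipe-separated list format are hypothetical; the codes LOGN and ACNT are the ones used in the sign-in form above.

```mivascript
<MvCOMMENT>
	Added example. Allowed_Code() is a hypothetical helper, not a built-in.
	It returns the normalized code when it appears in the pipe-separated
	allow-list, and an empty string for anything else.
</MvCOMMENT>
<MvFUNCTION NAME="Allowed_Code" PARAMETERS="value, allowed" STANDARDOUTPUTLEVEL="">
	<MvCOMMENT> Normalize first: strip whitespace, fold case </MvCOMMENT>
	<MvASSIGN NAME="l.code" VALUE="{ toupper( trim( l.value ) ) }">

	<MvCOMMENT>
		Reject empty input and anything that is not purely alphanumeric.
		This also keeps a submitted '|' from matching across list entries.
	</MvCOMMENT>
	<MvIF EXPR="{ ( len( l.code ) EQ 0 ) OR ( NOT isalnum( l.code ) ) }">
		<MvFUNCTIONRETURN VALUE="">
	</MvIF>

	<MvCOMMENT> Whole-entry match: compare '|CODE|' against '|A|B|C|' </MvCOMMENT>
	<MvIF EXPR="{ ( '|' $ l.code $ '|' ) IN ( '|' $ l.allowed $ '|' ) }">
		<MvFUNCTIONRETURN VALUE="{ l.code }">
	</MvIF>

	<MvFUNCTIONRETURN VALUE="">
</MvFUNCTION>

<MvCOMMENT> Control fields: only known codes survive, everything else becomes '' </MvCOMMENT>
<MvASSIGN NAME="g.Action" VALUE="{ Allowed_Code( g.Action, 'LOGN' ) }">
<MvASSIGN NAME="g.Screen" VALUE="{ Allowed_Code( g.Screen, 'ACNT' ) }">

<MvIF EXPR="{ len( g.Screen ) EQ 0 }">
	<MvCOMMENT> Unknown or missing screen: fall back to a fixed default </MvCOMMENT>
	<MvASSIGN NAME="g.Screen" VALUE="ACNT">
</MvIF>

<MvCOMMENT>
	Free-text field: keep the raw value for processing and encode it
	where it is echoed back into HTML.
</MvCOMMENT>
<input type="text" name="Customer_Login" value="<MvEVAL EXPR="{ encodeentities( trim( g.Customer_Login ) ) }">">
```

Fields that select program behavior, such as Action and Screen, have a small set of valid values, so checking them against that set is stricter than encoding them. encodeentities() addresses HTML output only; it is not a substitute for validation when a value is used in a query or a file path.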