Hey there,
Just bought the personal version of Gravity Forms. Any chance we can set a field to read only? We want to be able to dynamically populate an order with a base cost but don't want to let them change that. Additionally, is it possible to somehow take a value and divide it by a number for example number "12" for a montly cost?
Thanks for this awesome product.
If you want to populate an order with a base cost but don't want to let them change it you can add a Product Field to your form, select Single Product and disable the Quantity field. This will make a Product with a quantity of 1 and a price you set that can't be changed/edited.
It's not a built in option to display price as a monthly cost. Anything like this would have to be done as a customization using jQuery and/or PHP hooks. Most likely jQuery if it's just a display element.
In prepopulating in the product field, the actual code that assigns the value is in the borwser address bar, therefore customers would be able to change the value manually.
Is there a suggestion that prevents tampering of this sort once it is populated?
Using jQuery you could change the field to be read-only; however, using a debug tool (like Firebug) a user could still edit the field so it would be important to validate the value server side as well.
Thanks again for a reply. I now mean when you pass a field across in the URL like &baseprice=300 the customer would potentially be able to edit any value passed in the URL themselves thus meaning that any read only fields would be pointless.
In my own opinion, I doubt any average user/customer would even look at the URL after opening a page however my friend did bring up this issue and it is a potential security flaw when dealing with money.
Passing the value in the query string isn't a good way to do what you want to do precisely because of what you described. You would want to use PHP to populate the value. Where is the value coming from?
Basically the concept is that a customer comes to the site, fills out a quote form. We then email them back manually a quote with a base cost for the site and a link to another form to add extras to their website. The base cost would ideally be inserted into the second form in a read only field which as per the above, we have actually achieved, however although not completely important we would still like help in how to go about this.
We have a team that have limited amounts of PHP knowledge so any help given would be appreciated.
Because passing data in the query string in plain text is able to be manipulated, if you can see it and understand it you can easily change it, you would have to approach this a different way. Unfortunately it would require more PHP knowledge to implement.
You would have to encrypt/hash the value of the base cost so it can't be manipulated. The link would pass a hashed value that isn't human readable. You would then have to write PHP code to decrypt/unhash that value on the 2nd form. So what you want to do is a little more complex and is going to take PHP knowledge to implement.
You might consider adding a hidden field to your quote form that would always be empty during the submission, but would be manually updated through the GF Edit Entry admin ( http://grab.by/9YWW ) with the base price you've determined for that entry.
Now, assuming that you know the entry ID of the quote form entry, you can use the gform_validation hook to query the GF entry database to confirm that the base price submitted form the second form is the same price you attached to the original quote entry.
This is an advanced customization of GF so you may need to hire a developer to assist you.
Would it be rude to ask the following?
a) Where would you put the code to unhash the value?
b) How would you insert the unhashed value into the form object that we need?
c) Would you be able to help choose a hash/algorithm to do this?
d) Could you help with any examples?
EDIT: After talking with a collegue, it would be pointless to validate using hidden fields, although a great idea because there are too many variables. We both love the idea of hashing or encrypting so once encrypted we would just like a small bit of help of where to put the dehash/decryption and how to put that decrypted data then into a form object value.
You would put all your custom code in your themes functions.php, which is where you would put any customizations that take advantage of hooks.
The problem is since you are manually sending the emails you need some way to generate the link that passes the encrypted value because that is outside of Gravity Forms.
All of the hooks/filters are documented in the Documentation area here:
http://www.gravityhelp.com/documentation/page/Developer_Docs
The easiest way to do this is you'd setup a hidden field to be populated dynamically (edit the field, select advanced tab, set it to be populated dynamically and give it a parameter name). The parameter name is what would be used in the query string to pass data to that field. This would now populate that field with the encrypted value that is passed to it in the query string.
Then you would use the gform_post_submission hook and use PHP to decrypt the value and store the true value in it's place.
But again as I noted above the issue is the initial encrypted value, by sending the emails manually you need some way to generate this value so you need to write PHP that will generate this for you. Which is outside the scope of Gravity Forms. But would be part of the code for decrypting the value because you'd need to know what method and how to decrypt the value based on how you encrypt it.
