What is the best way to identify which form has been submitted?

Question

Currently, when I design my forms, I like to keep the name of the submit button equal to the id of the form. Then, in my php, I just do if(isset($_POST['submitName'])) in order to check if a form has been submitted and which form has been submitted.

Firstly, are there any security problems or design flaws with this method?

One problem I have encountered is when I wish to overlay my forms with javascript in order to provide faster validation to the user. For example, whilst I obviously need to retain server side validation, it is more convenient for the user if an error message is displayed inline, upon blurring an input. Additionally, it would be good to provide entire form validation, upon clicking the submit button.

Therefore, when the user clicks on the form's submit button, I am stopping the default action, doing my validation, and then attempting to renable the traditional submit functionality, if the validation passes. In order to do this, I am using the form.submit() method but, unfortunately, this doesn't send the submit button variable (as it should be as form.submit() can be called without any button being clicked). This means my PHP script fails to detect that the form has been submitted.

What is the correct way to work around this? It seems like the standard solution is to add a hidden field into the form, upon passing validation, which has the name of form's id. Then when form.submit() is called, this is passed along in place of the submit button. However, this solution seems very ungraceful to me and so I am wondering whether I should:

a) Use an alternative method to detect which form has been submitted which doesn't rely rely on passing the submit button. If so what alternative is there? Obviously, just having an extra hidden field from the start isn't any better.

b) Use an alternative Javascript solution which allows me to retain my non-Javascript design. For example, is there an alternative to form.submit() which allows me to pass in extra data?

c) Suck it up and just insert a hidden field using Javascript.

UPDATE: I've accepted the correct answer but I just wanted to clarify my mistake here so it would be more helpful for others. I use Mootools and I very naively believed that when I used addEvent('submit' ...) I needed to immediately call event.stop() in order to prevent the from from being submitted. Actually this is not the case and I can just call event.stop() only if validation fails. Otherwise, the default submit gets fired, as usual, and using form.submit() becomes completely unnecessary.

Answer 1

You could send the forms to different handlers with action=file1.php and action=file2.php.

Are they processed using a bunch of the same code? Put that into separate files, include the commonalities, and write the unique bits in each of the handling files. Don't hack, organize.

For Javascript validation, don't halt the default action then resume, instead do this:

if (validation != valid) {
    return false;
}

That way if JS is turned off or the validation fails, the form action/event is intact and it behaves as expected, otherwise it bonks. And certainly, certainly retain server-side validation. That's the "real" validation, the client-side is only to please the user and save them time. Never rely on it for YOUR sake.

Answer 2

You can customize the action of the form to add a get key/value; such as action="formhandle.php?formid=10"