What is getBlockHtml('formkey')?
https://magento.stackexchange.com//questions/43962
-
12-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPergunta
I am trying to edit the product edit page (first tab) in Magento and would like to move the quantity (as well as a few other things) from their respective tabs up to the first page. I see
<form action="<?php echo $this->getSaveUrl() ?>" method="post" id="product_edit_form" enctype="multipart/form-data">
<?php echo $this->getBlockHtml('formkey')?>
<div style="display:none"></div>
</form>
and know that the code for the quantity textbox is
<tr>
<td class="label"><label for="inventory_qty"><?php echo Mage::helper('catalog')->__('Qty') ?><span class="required">*</span></label></td>
<td class="value">
<?php if (!$_readonly):?>
<input type="hidden" id="original_inventory_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][original_inventory_qty]" value="<?php echo $this->getFieldValue('qty')*1 ?>"/>
<?php endif;?>
<input type="text" class="input-text required-entry validate-number" id="inventory_qty" name="<?php echo $this->getFieldSuffix() ?>[stock_data][qty]" value="<?php echo $this->getFieldValue('qty')*1 ?>" <?php echo $_readonly;?>/>
</td>
<td class="value scope-label"><?php echo Mage::helper('adminhtml')->__('[GLOBAL]') ?></td>
</tr>
Does anyone know where the code for the first tab is? Does it have something to do with formkey?
Thanks!
Solução
Form keys in Magento are a means of preventing against Cross Site Request Forgery - explained brilliantly by Ashley Schroder here but, in short, it's to keep you safe from people trying to post to your forms (like add to cart) from other sites posing as you.
This can be dangerous because someone could theoretically create their own form and post to any form handler controller action in your store without you even being aware. CSRF protection essentially ignores any post which fail a check on the included form_key parameter with the form post.
So, what does <?php echo $this->getBlockHtml('formkey')?> do? It tells Magento to look for a layout block with the name "formkey" and output it. In Magento this is
usually some file which has this in it:
<div><input name="form_key" type="hidden" value="<?php echo Mage::getSingleton('core/session')->getFormKey() ?>" /></div>
This instructs Magento to output and store a unique form key for a user session. All CSRF-protected Magento controller actions will verify against this before doing anything of value.
HTH!
