Creating Reliable and Secure Multi‐page forms
Basic Principles
- Use a table in an SQL database to store partially‐completed forms
- Don’t use cookies
- Don’t pass the entire contents of previous form pages to the server again
- Use your language’s object serialisation framework to store the information as it is submitted
- Break your server‐side storage into multiple sub‐arrays of a single array
- Validate all submitted data with server‐side validation scripts as each form part is submitted
- Validate that the combination of the newly submitted data with the existing data fits the logic of your form
- Some parts of your form may only be needed if the answer to a certain question is complete
Handling Validation
- Draw (by hand!) a map of all the different logical pathways that the validation logic must implement.
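The principles above, carried through in one small Python example (added here, not code from the original page): partially completed forms live in an SQL table keyed by a random token, nothing is kept in cookies except that token, each page's fields are stored as their own sub-dictionary of a single per-form record, every page is validated on its own and then against the data already stored, and the "guardian" page is a conditional pathway that only applies when an earlier answer requires it. The page names, fields and the under-18 rule are constructed for the example. JSON is used as the serialisation format rather than a native object serialiser such as pickle, because the stored blob is data, not code, and should never be able to execute anything when loaded back.

```python
import json
import secrets
import sqlite3

# Pages in order, and the fields each page is allowed to submit.
# Constructed for this example; a real form defines its own pages.
PAGE_FIELDS = {
    "applicant": {"name", "age"},
    "guardian": {"guardian_name"},   # only needed when the applicant is a minor
    "review": set(),
}


def open_store():
    """In-memory SQLite table: one row per partially completed form."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE form_progress (token TEXT PRIMARY KEY, data TEXT NOT NULL)"
    )
    return db


def start_form(db):
    """Create an empty record and return the opaque token the client carries."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO form_progress VALUES (?, ?)", (token, json.dumps({})))
    return token


def load_form(db, token):
    row = db.execute(
        "SELECT data FROM form_progress WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        raise KeyError("unknown form token")
    return json.loads(row[0])  # JSON: data only, never executable objects


def save_form(db, token, state):
    db.execute(
        "UPDATE form_progress SET data = ? WHERE token = ?",
        (json.dumps(state), token),
    )


def validate_page(page, fields):
    """Per-page field checks. Returns a list of error strings (empty means OK)."""
    errors = []
    unexpected = set(fields) - PAGE_FIELDS[page]
    if unexpected:
        errors.append(f"unexpected fields for page {page}: {sorted(unexpected)}")
    if page == "applicant":
        name = fields.get("name")
        if not isinstance(name, str) or not 1 <= len(name) <= 100:
            errors.append("name must be 1-100 characters")
        age = fields.get("age")
        if not isinstance(age, int) or isinstance(age, bool) or not 0 <= age <= 150:
            errors.append("age must be an integer between 0 and 150")
    elif page == "guardian":
        guardian = fields.get("guardian_name")
        if not isinstance(guardian, str) or not guardian:
            errors.append("guardian_name is required")
    return errors


def guardian_required(state):
    """Conditional pathway: the guardian page applies only to applicants under 18."""
    return state.get("applicant", {}).get("age", 18) < 18


def validate_combined(state):
    """Cross-page checks: the merged record must fit the form's logic."""
    errors = []
    if "guardian" in state and "applicant" not in state:
        errors.append("guardian page submitted before applicant page")
    if "guardian" in state and not guardian_required(state):
        errors.append("guardian page submitted but applicant is an adult")
    return errors


def submit_page(db, token, page, fields):
    """Validate one page, merge it into the stored record, return any errors.

    Nothing is written to the database unless both the page-level and the
    combined checks pass, so a rejected submission leaves the record unchanged.
    """
    if page not in PAGE_FIELDS:
        return ["unknown page"]
    errors = validate_page(page, fields)
    if errors:
        return errors
    state = load_form(db, token)
    state[page] = dict(fields)  # one sub-dictionary per form page
    errors = validate_combined(state)
    if errors:
        return errors
    save_form(db, token, state)
    return []


def next_page(state):
    """Decide which page to show next from the stored record alone."""
    if "applicant" not in state:
        return "applicant"
    if guardian_required(state) and "guardian" not in state:
        return "guardian"
    return "review"
```

Each request carries only the token, so the browser never resubmits earlier pages and cannot alter what was already accepted; the server decides the next page from the stored record, which is where the hand-drawn pathway map from the "Handling Validation" step ends up encoded (`next_page` and `validate_combined` together are that map for this two-branch form).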