Sequence of several forms resulting in one post

  • I have a best-practice question.
    Students deliver their assignment via a sequence of ACF forms in the front-end.
    The result is one post with many ACF fields.
    The forms:
    1-Verify code (this is security, only the student knows the verification code)
    2-Identify (name, study-year, assignment)
    3-Assignment meta (for this study-year, this assignment)
    4-File upload

    Depending on the study-year and assignment I know which AssignmentMetaForm I should serve up. This can be one out of four different ones.

    I made a post-type=deliver.
    I prefer the students to press Save after every form. This creates or updates the post draft.
    What is the best way to go through the sequence of the forms?
    Should it be in one template, or several?
    How do you do the ‘navigation’ from one form to the next?
    Thank you.

  • I have simplified the data design.
    There is one form, Verify.
    It is shown in a page.
    The user enters the verify code.
    This is checked against an Adminform (repeater) that has rows of AssignmentName, Studyyear, Verifycode.
    When the verify code is correct I know which assignment and which year the student wants to deliver.
    Via redirect the student is sent to a (1 out of many) post with a name such as (for example):
    Deliver_assignment_year1, or
    Deliver_assignment_year2, or
    Deliver_assignment_year3 etc.
    In every Deliver_assignment I will check the verify code again.

    Background:
    Students are not users on the WordPress site; they just type in their name after the verify step.
    Students get the verify code in an email from their teacher. They can fill in the assignment only once.

    (I use the latest ACF Pro version, and the repeater.)
    How hack-proof is this?

  • I use PHP sessions to keep the data known.
    In the text above, the sentence should be:
    Via a redirect the user is sent to a (1 out of many) PAGE with the right forms. The page is of this sort: Page-new-post.

  • Hi @jaro

    You’re probably fairly safe with this setup.

    A few things I’d consider:

    1. Make sure that ALL input data from the student is valid and escaped. Do not rely only on ACF for this, but run it through your own checks too. For example, if the code they should supply is numbers only, make sure that the input value is a float (or int), strip all values of tags, etc.

    2. Remember that emails can be compromised, so it is probably also a good idea to set a time restriction for the verification code. For instance, you could make the code invalid after 1h. That way you are sure it does not matter if a student's email gets hacked later on.

    3. Consider using short-lived WordPress transients for storing the data instead of PHP sessions? Or be sure to check up on your session security: http://php.net/manual/en/session.security.php

    Beyond that, I think your biggest possible flaws would be human error, like not updating plugins, having insecure passwords, etc.
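
The three suggestions in the reply above, combined into one flow. This is an added example, not code from the thread or from ACF. The repeater name `verify_codes`, its sub fields (including an `issued_at` timestamp), the digit-only code format and the `deliver_*` function names are assumptions.

```php
<?php
// Added example, not the poster's code. Hypothetical names: an ACF options-page
// repeater 'verify_codes' with sub fields 'assignment_name', 'study_year',
// 'verify_code' and 'issued_at' (Unix time set when the teacher mails the code).

const DELIVER_CODE_TTL  = HOUR_IN_SECONDS;        // code is rejected 1h after issue
const DELIVER_TOKEN_TTL = 15 * MINUTE_IN_SECONDS; // time allowed to finish the forms

/** Validate the submitted code; return the matching repeater row or null. */
function deliver_check_code( $raw ) {
	if ( ! is_string( $raw ) ) {
		return null;
	}
	$code = sanitize_text_field( wp_unslash( $raw ) );
	// Assumed format: digits only, 6 to 12 long. Reject everything else up front.
	if ( ! preg_match( '/^[0-9]{6,12}$/', $code ) ) {
		return null;
	}
	$rows = get_field( 'verify_codes', 'option' ) ?: array();
	foreach ( $rows as $row ) {
		// A row without a timestamp counts as expired (fail closed).
		$expired = time() - (int) ( $row['issued_at'] ?? 0 ) > DELIVER_CODE_TTL;
		// hash_equals() compares in constant time.
		if ( ! $expired && hash_equals( (string) ( $row['verify_code'] ?? '' ), $code ) ) {
			return $row;
		}
	}
	return null;
}

/** After a valid code: keep the context server-side, return a token for the redirect. */
function deliver_start( $raw ) {
	$row = deliver_check_code( $raw );
	if ( null === $row ) {
		return null;
	}
	$token = bin2hex( random_bytes( 16 ) );
	$data  = array( 'assignment' => $row['assignment_name'], 'year' => (int) $row['study_year'] );
	set_transient( 'deliver_' . $token, $data, DELIVER_TOKEN_TTL );
	return $token;
}

/** On each delivery page: look the token up again instead of trusting the URL. */
function deliver_resume( $raw_token ) {
	if ( ! is_string( $raw_token ) || ! preg_match( '/^[0-9a-f]{32}$/', $raw_token ) ) {
		return null;
	}
	$data = get_transient( 'deliver_' . $raw_token );
	return is_array( $data ) ? $data : null;
}
```

Calling `delete_transient()` on the token once the post is saved keeps the same token from being used for a second delivery.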
