I am using CodeIgniter v3.1.4. In one of the forms, I have a text box to save URLs (like https://stackoverflow.com/questions/ask, http://google.com etc.) into the MySQL database.
Before saving, I sanitize the URLs as shown below:
Inside Constructor:
$this->load->helper('security');
Inside Add function:
$hlt_url = $this->security->xss_clean($this->input->post('txtHLnk'));
$hlt_hlines = $this->security->xss_clean($this->input->post('txtAreaHLine'));
When I enter a simple/plain string in the textboxes, the data gets saved in the DB; however, when I enter a URL in the textboxes, the data is not saved in the DB, nor does it show any error message.
Please explain with code what I am doing wrong. Thanks.
$hlt_url = $this->input->post('txtHLnk', true);
$hlt_hlines = $this->input->post('txtAreaHLine', true);
I think this is the new implementation of sanitizing inputs in the latest version.
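An added example, not code from the question or the answer above: xss_clean() is a best-effort filter, not a validator, so a URL field is better checked on the server with filter_var() and a scheme allowlist, then escaped when it is printed. It assumes CodeIgniter 3 and the txtHLnk field name from the question; the function name is hypothetical.

```php
<?php
// Added example: validate a URL submitted through a text box before saving it.
// Assumes CodeIgniter 3; validate_http_url() is a hypothetical helper.

/**
 * Return the URL unchanged if it is well formed and uses http or https,
 * otherwise return null. Allowlisting the scheme keeps javascript: and data:
 * URLs out of the database and out of any later <a href="..."> output.
 */
function validate_http_url($raw)
{
    $url = trim((string) $raw);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return null;
    }
    return $url;
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
$samples = array(
    'https://stackoverflow.com/questions/ask',
    'http://google.com',
    'javascript:void(0)',
    'ftp://example.com/file',
    'not a url',
);
foreach ($samples as $s) {
    $ok = validate_http_url($s);
    echo str_pad($s, 42) . ' => ' . ($ok === null ? 'rejected' : 'ok') . PHP_EOL;
}

// Inside the controller's add() method (CodeIgniter 3):
//
// $hlt_url = validate_http_url($this->input->post('txtHLnk', TRUE));
// if ($hlt_url === null) {
//     // refuse the submission with a validation error; do not save
// }
// // Escape on output, not on input (html_escape() is CodeIgniter 3's helper):
// echo '<a href="' . html_escape($hlt_url) . '">link</a>';
```

Validating on input and escaping on output are two different steps; xss_clean() tries to do both at once and can alter what gets stored, which is why a strict validator plus html_escape() at render time is easier to reason about.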
I've a form set up using Zend Framework 2 with an element type 'DateTimeLocal'
When I add a new record using the form all works well.
When I edit a record the form appears to fill out correctly: I've formatted the data to pass to the form using:
$this->startDate = (!empty($data['startDate'])) ? date("Y-m-d\TH:i:s",strtotime($data['startDate'])) : null;
and in the view add using:
echo $this->formRow($form->get('startDate'));
However, when I go to submit the form having made edits, I get the message 'The input does not appear to be a valid date'. Using Chrome I re-enter the date, and it appears identical to what was pre-filled, but then submits fine.
The HTML source rendered by Zend Framework is:
<label><span>Start Date</span><input type="datetime" name="startDate" value="2014-12-21T00:00:00"></label>
I'd have thought this was a common action but seem to be struggling to find examples.
I am not totally sure and a bit surprised by this issue. But the value 2014-12-21T00:00:00 seems to be an HTML-encoded version of 2014-12-21T00:00:00 and it might be that submitting this is resulting in an invalid response.
I don't know exactly how this value got there, but you should try to get an unencoded value set for startDate; then your form might work as expected.
I eventually stumbled across https://stackoverflow.com/a/32003481/1836257
My date format was incorrect. I should have used
$this->startDate = (!empty($data['startDate'])) ? date("Y-m-d\TH:i",strtotime($data['startDate'])) : null;
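An added example, not from the question or the answers above: plain PHP (no Zend dependency) that checks a datetime-local value strictly, accepting the "Y-m-d\TH:i" form the accepted answer settled on as well as the seconds form, and rejecting impossible dates that DateTime::createFromFormat() would otherwise silently roll over. Function names are hypothetical.

```php
<?php
// Added example: strict parsing of an HTML datetime-local value.

/**
 * Parse a datetime-local string. Returns a DateTime on success, null on failure.
 * createFromFormat() alone is lenient ("2014-02-31" becomes 3 March), so the
 * getLastErrors() check is what makes this strict. The leading "!" resets
 * fields the format does not mention (seconds) to zero instead of "now".
 */
function parse_datetime_local($value)
{
    foreach (array('Y-m-d\TH:i', 'Y-m-d\TH:i:s') as $format) {
        $dt = DateTime::createFromFormat('!' . $format, (string) $value);
        $errors = DateTime::getLastErrors();
        // PHP 8.2+ returns false when there were no errors or warnings.
        $clean = ($errors === false)
            || ($errors['warning_count'] === 0 && $errors['error_count'] === 0);
        if ($dt !== false && $clean) {
            return $dt;
        }
    }
    return null;
}

/** Format a stored value the way the input expects to be pre-filled. */
function format_for_datetime_local($stored)
{
    return date('Y-m-d\TH:i', strtotime($stored));
}

// Constructed samples: the first two parse, the last two are rejected.
foreach (array('2014-12-21T00:00', '2014-12-21T00:00:00',
               '2014-02-31T10:00', '21/12/2014 00:00') as $sample) {
    $dt = parse_datetime_local($sample);
    echo str_pad($sample, 22) . ' => '
        . ($dt === null ? 'invalid' : $dt->format('Y-m-d H:i:s')) . PHP_EOL;
}
echo format_for_datetime_local('2014-12-21 00:00:00') . PHP_EOL; // 2014-12-21T00:00
```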
I have a textarea in my front-end which accepts the Google Maps embed code, which is an iframe. When I try to update it, the query fails. The value is not getting inserted into the database. I use a text column for saving the iframe in the DB. The code I use in the model:
function save(){
$data['cmpny_address'] = $this->input->post('cmpny_address');
$data['cmpny_map'] = $this->input->post('cmpny_map');
$this->db->where('id',1);
$this->db->update('contact_us', $data);
}
I have tried sanitizing the input with htmlspecialchars, strip_tags, $this->db->escape, etc. I have actually tried all the suggestions from related SO questions. But no luck. Somebody please suggest a way to fix the issue.
EDIT:
It is the <iframe></iframe> that is creating the problem. <p></p> , <h1></h1> gets through without any error.
(Posted on behalf of the OP).
It was a server issue. The support team said "modsecurity was blocking it".
No need to write any htmlspecialchars and strip_tags; Active Record automatically handles all those things.
Use the set method to update your data:
function save(){
$this->db->set("cmpny_address", $this->input->post('cmpny_address'));
$this->db->set("cmpny_map", $this->input->post('cmpny_map'));
$this->db->where('id',1);
$this->db->update('contact_us');
}
OR
create your data array like
$data=array('cmpny_address'=>$this->input->post('cmpny_address'),'cmpny_map'=>$this->input->post('cmpny_map'));
$this->db->where('id',1);
$this->db->update('contact_us', $data);
UPDATED
To send an iframe in a POST you have to set
$config['global_xss_filtering'] = FALSE;
in your config.php file.
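An added example, not part of the question or the answers above. Rather than switching off global_xss_filtering for the whole site, the controller can read this one field unfiltered and accept it only if it is a single iframe whose src is a Google Maps embed URL, rebuilt from scratch so no other attributes survive. It assumes CodeIgniter 3 and the cmpny_map field from the question; the allowed host and path, and the function name, are assumptions for this example.

```php
<?php
// Added example: accept a map embed without disabling XSS filtering globally.
// Assumes CodeIgniter 3; clean_map_iframe() is a hypothetical helper.

/**
 * Return a rebuilt <iframe> carrying only vetted attributes, or null if the
 * submitted markup is anything other than exactly one Google Maps embed iframe.
 */
function clean_map_iframe($html)
{
    $html = trim((string) $html);
    if ($html === '' || strlen($html) > 4096) {
        return null;
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // Wrap in a div so the whole submission is one parseable root element.
    $loaded = $doc->loadHTML('<div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$loaded || $doc->documentElement === null) {
        return null;
    }

    // Exactly one child element, no stray text, and it must be an iframe.
    $elements = array();
    foreach ($doc->documentElement->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $elements[] = $node;
        } elseif ($node->nodeType === XML_TEXT_NODE && trim($node->nodeValue) !== '') {
            return null;
        }
    }
    if (count($elements) !== 1 || strtolower($elements[0]->nodeName) !== 'iframe') {
        return null;
    }

    // Only an https URL on the assumed embed host/path is accepted.
    $src   = $elements[0]->getAttribute('src');
    $parts = parse_url($src);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'], $parts['path'])
        || strtolower($parts['scheme']) !== 'https'
        || strtolower($parts['host']) !== 'www.google.com'
        || strpos($parts['path'], '/maps/embed') !== 0) {
        return null;
    }

    // Rebuild rather than pass through: src and clamped size survive, nothing else.
    $width  = min(max((int) $elements[0]->getAttribute('width'), 100), 2000);
    $height = min(max((int) $elements[0]->getAttribute('height'), 100), 2000);
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" frameborder="0" allowfullscreen></iframe>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'), $width, $height
    );
}

// Constructed sample: a typical embed passes, anything else is refused.
$sample = '<iframe src="https://www.google.com/maps/embed?pb=example" width="600" height="450" onload="x()"></iframe>';
var_dump(clean_map_iframe($sample));                 // rebuilt iframe, onload gone
var_dump(clean_map_iframe('<p>hi</p>' . $sample));   // NULL: extra element
var_dump(clean_map_iframe('<iframe src="https://example.com/"></iframe>')); // NULL

// Controller usage (CodeIgniter 3). Passing FALSE as the second argument
// bypasses the global XSS filter for this one value only.
// $map = clean_map_iframe($this->input->post('cmpny_map', FALSE));
// if ($map === null) { /* reject with a validation error, do not save */ }
// $this->db->where('id', 1)->update('contact_us', array('cmpny_map' => $map));
```

Active Record's escaping protects the SQL statement, not the page that later prints the stored HTML; vetting the embed on the way in is what keeps an arbitrary iframe out of the rendered contact page. The mod_security block mentioned by the OP is a separate, server-level rule and is unaffected by this check.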
I have a custom behavior, specified in AppModel.php, that automatically creates a field based on the selected language. Thus, depending on the chosen language, name_eng -> name or name_fra -> name.
...
$virtualField = sprintf($model->name.'.'.$name.'_%s', Configure::read('Config.language'));
$virtualFields[$name] = $virtualField;
$model->virtualFields = $virtualFields;
...
This part works.
The issue arises when I submit the edit form, get a validation error and the field isn't available when the edit view is displayed with error prompts. I believe this is due to either my behavior not being called in this process or $this->request->data being created using form data?
I figured that I would initialize the values using beforeValidate. However, it's not working out: the field still doesn't exist once I've submitted the form which gives me this error:
In AppModel.php:
function beforeValidate(array $options = array()){
    // hard coded for test purposes: copy the language-specific column into 'name'
    $this->data['CertificateType']['name'] = $this->data['CertificateType']['name_'.Configure::read('Config.language')];
    return true;
}
In the view (edit.ctp):
echo $this->request->data['CertificateType']['name'];
Essentially, how can I replicate the functionality of my custom behavior and initialize my field after a form has been submitted but doesn't validate?
The needed logic was eventually put in AppController.php. Everything works fine now.
I'm using CKEditor but I can't work out how to create the PHP file that stores the edited textareas in the MySQL DB.
I'm quite a newbie in PHP/MySQL.
The JavaScript code of the CKEditor call is:
$('#my_div').ckeip({
    e_url: 'test.php',
    data: {
        example_var : 'example_value',
        example_var2 : 'example_value2'
    }
});
What do I have to write in test.php to make it store the CKEditor data in MySQL?
Should I create a new table in the database first?
thanks a lot
I think the best way to handle this is to create a new MySQL table with two columns: one as an id for the textarea and the other column to store the text. For a basic tutorial about MySQL and PHP check out W3Schools http://www.w3schools.com/PHP/php_mysql_intro.asp
I am a newbie to CKEditor, too. But it seems like it would be quite easy once you get the data from the editor into a javascript variable, like:
var editorData = $('#my_div').ckeditorGet().getData();
You can then put editorData into a hidden input field and then submit it to the PHP file that you're going to create. On that PHP file you would take it with something like:
$theData = $_GET["name_of_the_hidden_input_field"];
//here comes the PHP code for inserting $theData into mysql
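An added example of what test.php could look like; it is not code from the question or the answers, and not part of CKEditor or the ckeip plugin. It uses the two-column table the first answer suggests, stores the editor HTML with a PDO prepared statement, and accepts only POST. The parameter names id and content, the table name, and the database credentials are assumptions.

```php
<?php
// test.php: added example. Stores CKEditor content keyed by the textarea id.
//
// Assumed table (create it first):
//   CREATE TABLE editor_content (
//       id   VARCHAR(64) NOT NULL PRIMARY KEY,   -- id of the editable element
//       body MEDIUMTEXT NOT NULL
//   );

/**
 * Insert or update one editable area. Placeholders keep the HTML body out of
 * the SQL text, so quotes and tags inside the content cannot alter the query.
 */
function store_editor_content(PDO $pdo, $id, $body)
{
    $sql = 'INSERT INTO editor_content (id, body) VALUES (:id, :body)
            ON DUPLICATE KEY UPDATE body = VALUES(body)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':id' => $id, ':body' => $body));
    return $stmt->rowCount();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// Assumed parameter names; adjust to what the ckeip plugin actually sends.
$id   = isset($_POST['id']) ? (string) $_POST['id'] : '';
$body = isset($_POST['content']) ? (string) $_POST['content'] : '';

// The id is the lookup key: only accept something that looks like an element id.
if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $id)) {
    http_response_code(400);
    exit('bad id');
}
if (strlen($body) > 1000000) {
    http_response_code(413);
    exit('content too large');
}

// Assumed connection details.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user', 'db_password',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    )
);

store_editor_content($pdo, $id, $body);
header('Content-Type: application/json');
echo json_encode(array('ok' => true));
```

The stored body is HTML by design, so it must not be echoed back into a page as-is; run it through an HTML sanitizer with a tag and attribute allowlist (HTML Purifier is the usual choice in PHP) when rendering, and restrict this endpoint to authenticated editors so that arbitrary visitors cannot rewrite the page content.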
I have a simple form with a select menu on the node display page. Is there an easy way to validate the form in my callback function? By validation I don't mean anything advanced, just to check that the values actually existed in the form array. For example, without ajax, if my select menu has 3 items and I add a 4th item and try to submit the form, drupal will give an error saying something similar to "an illegal choice was made, please contact the admin."
With ajax this 4th item you created would get saved into the database. So do I have to write validation like
if ($select_item > 0 && $select_item <= 3) {
//insert into db
}
Or is there an easier way that will check that the item actually existed in the form array? I'm hoping there is since without ajax, drupal will not submit the form if it was manipulated. Thanks.
EDIT:
So I basically need this in my callback function?
$form_state = array('storage' => NULL, 'submitted' => FALSE);
$form_build_id = $_POST['form_build_id'];
$form = form_get_cache($form_build_id, $form_state);
$args = $form['#parameters'];
$form_id = array_shift($args);
$form_state['post'] = $form['#post'] = $_POST;
$form['#programmed'] = $form['#redirect'] = FALSE;
drupal_process_form($form_id, $form, $form_state);
To get $_POST['form_build_id'], I sent it as a data param, is that right? Where I use form_get_cache, looks like there is no data. Kind of lost now.
Since you're already using AJAX, why not just write a bit of jQuery to only allow form submission if the choice is within the list of legal choices? This can be done within the custom module it already looks like you're working on (using drupal_add_js()).
It is not especially 'easy', but the standard way to do it would be to use Drupal's Forms API for the callback submission as well; that way, you'll get the same validation that would happen on a non-JS submit.
Take a look at Adding dynamic form elements using AHAH. While it does not match your scenario exactly (they rebuild the form on the callback to add new elements, not to save data), the explanation of the processing workflow is pretty helpful.
Then there are several modules that try to offer AJAX form submission in a generic way - you could check their code on how to do it (or maybe just use them ;)
Ajax submit (only has a dev version)
Ajax (has an 'official' release)
Finally, there are efforts to put better support for this functionality into core in Drupal 7; the related discussions might also help.
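An added example, not from the question or the answers above, of the server-side check the question asks about: rather than hard-coding "between 1 and 3", the AJAX callback looks up the cached form the way the question's form_get_cache() snippet does and accepts the submitted value only if it is a key of that select's #options. It assumes the Drupal 6 Forms API from the thread; the module name, the element name my_select, and the response shape are assumptions.

```php
<?php
// Added example: validate an AJAX-submitted select value against the options
// the form actually offered (Drupal 6 API assumed; names are hypothetical).

/**
 * TRUE only if $value is a key of the select's #options. Option keys are what
 * the browser submits, so a 4th entry added client-side is never among them.
 * Handles flat option lists and optgroup-style nested arrays.
 */
function my_module_select_value_allowed($value, array $options)
{
    foreach ($options as $key => $label) {
        if (is_array($label)) {                       // optgroup
            if (my_module_select_value_allowed($value, $label)) {
                return TRUE;
            }
        } elseif ((string) $key === (string) $value) {
            return TRUE;
        }
    }
    return FALSE;
}

/**
 * AJAX callback: reject anything not in the cached form before touching the DB.
 * The form must have been cached when it was built ($form['#cache'] = TRUE in
 * Drupal 6), otherwise form_get_cache() returns nothing, which is the
 * "looks like there is no data" symptom in the question.
 */
function my_module_ajax_callback()
{
    $form_state    = array('storage' => NULL, 'submitted' => FALSE);
    $form_build_id = isset($_POST['form_build_id']) ? $_POST['form_build_id'] : '';
    $form          = form_get_cache($form_build_id, $form_state);

    if (empty($form) || !isset($form['my_select']['#options'])) {
        drupal_json(array('status' => FALSE, 'message' => t('Form expired, please reload the page.')));
        return;
    }

    $value = isset($_POST['my_select']) ? $_POST['my_select'] : NULL;
    if (!my_module_select_value_allowed($value, $form['my_select']['#options'])) {
        // Same outcome as the non-AJAX path: the illegal choice is refused.
        drupal_json(array('status' => FALSE, 'message' => t('An illegal choice has been detected.')));
        return;
    }

    // ... insert $value into the database here ...
    drupal_json(array('status' => TRUE));
}

// Constructed options as the form would define them, to show the helper alone:
// $opts = array(1 => 'Red', 2 => 'Green', 3 => 'Blue');
// my_module_select_value_allowed('2', $opts);  // TRUE
// my_module_select_value_allowed('4', $opts);  // FALSE
```

Client-side jQuery filtering, as the first answer suggests, only improves the user experience; the request can be replayed with any value, so this allowlist check (or running the full drupal_process_form() path) has to happen on the server.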