I wonder what is the best and the most secured way of handling user's input in Codeigniter. Basically I have form for user's profile made by form helper like this:
echo form_open();
echo form_label($this->lang->line('user_update_profile_first_name'), 'first_name');
echo form_input(array('type' => 'text', 'name' => 'first_name', 'id' => 'first_name', 'maxlength' => '255', 'required' => 'true', 'value' => set_value('first_name', $user_profile['first_name'], false)));
echo form_label($this->lang->line('user_update_profile_last_name'), 'last_name');
echo form_input(array('type' => 'text', 'name' => 'last_name', 'id' => 'last_name', 'maxlength' => '255', 'required' => 'true', 'value' => set_value('last_name', $user_profile['last_name'], false)));
echo form_label($this->lang->line('user_update_profile_birth_date'), 'birth_date');
echo form_input(array('type' => 'text', 'name' => 'birth_date', 'id' => 'birth_date', 'maxlength' => '255', 'required' => 'true', 'value' => set_value('birth_date', $user_profile['birth_date'],
echo form_submit(array('value' => $this->lang->line('user_update_profile_form_submit'), 'name' => 'submit', 'class' => 'btn btn-primary'));
echo form_close();
As you can see in my code I am skipping xss filtering provided in set_value function due to xss filtering is done in form_input() already.
My Controller function for inserting data in DB looks like this
$validation_rules = array(
array(
'field' => 'first_name',
'label' => $this->lang->line('user_update_profile_validation_error_first_name'),
'rules' => 'required|trim|max_length[255]'
),
array(
'field' => 'last_name',
'label' => $this->lang->line('user_update_profile_validation_error_last_name'),
'rules' => 'required|trim|max_length[255]'
),
array(
'field' => 'birth_date',
'label' => $this->lang->line('user_update_profile_validation_error_birth_date'),
'rules' => 'required|trim|max_length[255]'
)
);
$this->form_validation->set_rules($validation_rules);
if($this->form_validation->run()) {
$user_data = array(
'user_id' => $this->profile_data->user_id,
'first_name' => $this->input->post('first_name', TRUE),
'last_name' => $this->input->post('last_name', TRUE),
'birth_date' => date('Y-m-d',strtotime($this->input->post('birth_date', TRUE)))
);
if($this->user_model->update_user_profile($user_data)) {
$view_data['success'] = TRUE;
$new_site_language = $this->language_model->getLanguageFolderById($user_data['site_language']);
$this->lang->load('application/user_lang', $new_site_language);
} else {
$view_data['server_error'] = TRUE;
}
}
I am filtering here data from user by provided $this->input->post('', true) xss filter. In model I am inserting data to DB by active record class. I am just wondering if this is the right and secure way of handling users input if there is not needed something like htmlspecialchars() . But what happens when someone have some "special" chars in name like for example Someone O'Sombody or some names from foreign countries? I am also showing data in navbar using html_escape($this->profile_data->first_name) to prevent running users potentially dangerous code. Did I get this whole "security thing" in the right way or there should be something changed because of potential danger?
Related
I'm using codeigniter 3, and I'm trying to use the form_validation library.
Basically, if validation fails, I'm catching the input data and then sending it back to the form.
So I'm sticking all form data in an array, like so:
// add input data to array
$org_data = array(
'org_id' => $this->input->post('org_id'),
'p_org_id' => $this->input->post('p_org_id'),
'account_ref' => $this->input->post('account_ref'),
'org_name' => $this->input->post('org_name'),
'address1' => $this->input->post('address1'),
'address2' => $this->input->post('address2'),
'address3' => $this->input->post('address3'),
'town' => $this->input->post('town'),
'county' => $this->input->post('county'),
'pcode' => $this->input->post('pcode'),
'phone' => $this->input->post('phone'),
'support_email' => $this->input->post('support_email'),
'notify_return' => $this->input->post('notify_return'),
'notify_email' => $this->input->post('notify_email'),
'email_interval' => $this->input->post('email_interval'),
'renewal_date' => $this->input->post('renewal_date'),
'login_reminder' => $this->input->post('login_reminder'),
'default_fireaware' => $this->input->post('default_fireaware'),
'open_training_url' => $this->input->post('open_training_url'),
);
All fine!
Now, to send the data back to the form, I am using the below.
$this->data['org_id'] = array(
'name' => 'org_id',
'id' => 'org_id',
'type' => 'text',
'value' => $this->form_validation->set_value('org_id'),
);
BUT
I don't want to create one of these for every input, so ideally I'd like to use a loop to create these. But I cant get it to work, I am getting undefined variable errors.
This is the loop in progress:
foreach($org_data as $key => $value){
$this->data['$key'] = array(
'name' => '$key',
'id' => '$key',
'type' => 'text',
'value' => $this->form_validation->set_value('$value'),
);
}
Can I use a loop to do this?
What are your thoughts?
use validation like this
$config = array(
array(
'field' => 'username',
'label' => 'Username',
'rules' => 'required'
),
array(
'field' => 'password',
'label' => 'Password',
'rules' => 'required'
),
array(
'field' => 'passconf',
'label' => 'Password Confirmation',
'rules' => 'required'
),
array(
'field' => 'email',
'label' => 'Email',
'rules' => 'required'
)
);
$this->form_validation->set_rules($config);
if ($this->form_validation->run() == FALSE) {
$data['errors'] = validation_errors();
$this->load->view('yourview', $data);
} else {
$userData = $this->input->post();
$this->load->view('yourview', $data);
}
Basically, if validation fails, I'm catching the input data and then
sending it back to the form.
yeah i think this is the part to clarify - you don't need to do that at all -- thats the advantage of using set_value('fieldName'), it automatically echoes out the value. Same - on the form - with form_error( 'fieldName' ) it will display the field specific error message.
I'm following along with the Zend Framework 2.0 by example, and working on the Forms chapter now. Everything seems to be working fine, except that my 'password' and 'confirm password' fields don't seem to be rendering correctly. Here is an excerpt of my RegisterForm.php file where I am defining the password field
class RegisterForm extends Form
{
public function __construct($name = null)
{
parent::__construct('Register');
$this->setAttribute('method', 'post');
$this->setAttribute('enctype', 'multipart/form-data');
...
$this->add(array(
'name' => 'password',
'attributes' => array(
'type' => 'password',
),
'options' => array(
'label' => 'Password',
),
'attributes' => array(
'required' => 'required'
),
'filters' => array(
array('name' => 'StringTrim'),
),
));
but when it is rendered in the browser, I am getting this when I view the page source...
<dd><input name="password" required="required" type="text" value=""></dd>
I'm quite sure I've got the code down from the book correctly, but I'm not sure if there's another step where I'm accidentally overriding the RegisterForm.php file.
why are you overriding your attributes? It should be:
$this->add(array(
'name' => 'password',
'options' => array(
'label' => 'Password',
),
'attributes' => array(
'type' => 'password',
'required' => 'required'
),
'filters' => array(
array('name' => 'StringTrim'),
),
));
'attributes' => array(
'type' => 'password',
),
// ...
'attributes' => array(
'required' => 'required'
),
Think a second...
So I have an PHP file that includes a form so that users can post jobs on my website. I want to make some fields of this form ReadOnly to the user. How?
public static function init_fields() {
if ( self::$fields )
return;
self::$fields = apply_filters( 'submit_job_form_fields', array(
'job' => array(
'job_category' => array(
'label' => __( 'Job category', 'job_manager' ),
'type' => 'select',
'required' => true,
'options' => self::job_categories(),
'placeholder' => '',
'priority' => 3
),
'job_description' => array(
'label' => __( 'Description', 'job_manager' ),
'type' => 'text',
'required' => true,
'placeholder' => '',
'priority' => 4
),
I know this is probably easy to do, but for some reason I can't find how to do it.
Use the disabled attribute:
'job_description' => array(
'label' => __( 'Description', 'job_manager' ),
'type' => 'text',
'required' => true,
'placeholder' => '',
'priority' => 4,
'disabled' => 'true' //html disabled input
)
This is a proprietary config file. You need to look at the code that is parsing it and converting to HTML. It may allow passing through variables like readonly, or may not.
Try passing 'readonly' => true in your array.
Remember that someone can change the value of the readonly field using an inspector like Firebug, Chrome Developer Tools, etc.
I just created a form in cakephp and I would like to do a validation for one of the field.
The form will only be submitted if this particular field is left empty.
Here's a my particular field
<?php echo
$this->Form->input('MyForm.fieldA', array(
'type' => 'text',
'label' => '',
'class' => 'span3 detector-form',
))
?>
And my validation code:
public $validate = array(
'fieldA' => array(
'rule' => 'blank',
'on' => 'submit',
'message' => 'Failed authorize',
'last' => true
),
);
P/s. I tried using
public $validate = array(
'fieldA' => array(
'rule' => 'blank',
'on' => 'create',
'message' => 'Failed authorize',
'last' => true
),
);
But the 'create' sounds like only worked when the field is created.So I changed to 'submit' for a testing purpose.
I tried to use rule''=> 'Empty' as well but the validation doesn't work. Or is there any other alternative rules that I can use to reach this goal?
I have a few different contact forms in my CakePHP 2.0 application. All of the contact forms are emailing as they should, but I need this particular one to also save the form results to the database. The post data is populating, and I can print_r() and pr() the form data. I can even email the post data. However, it is not actually saving the data to the model table. The database table is named contacts and has the following fields: id, publication, company, name, email, phone, message, contact_method, selections, received.
Here is my model:
class Contact extends AppModel {
public $name = 'Contact';
public $useTable = 'contacts';
public $validate = array(
'name' => array(
'rule' => 'notEmpty'
),
'email' => array(
'rule' => 'notEmpty'
)
);
Here is my controller:
App::uses('CakeEmail', 'Network/Email');
class ContactsController extends AppController
{
public $name = 'Contacts';
public $helpers = array('Html', 'Form', 'Js');
public $components = array('Email', 'Session');
...
public function contact_att() {
if ($this->request->is('post')) {
//pr($this->data);
if ($this->Contact->save($this->request->data)) {
$this->redirect('/pages/publications-alabama-turf-times');
$this->Session->setFlash("Mesage Saved!");
}
else {
print_r($this->data);
Configure::write('debug', 2);
debug($this->Contact->validationErrors);
exit;
}
}
Here is the form in my view:
echo $this->Form->create('Contact', array(
'action' => 'contact_att',
'label' => '',
'class' => 'pubs'));
echo $this->Form->input('publication', array(
'type' => 'hidden',
'value' => 'A',
'label' => ''));
echo $this->Form->input('company', array(
'default' => 'company name (required)',
'onfocus' => 'clearDefault(this)',
'label' => array(
'text' => 'Company Name',
'style' => 'position:absolute;')));
echo $this->Form->input('name', array(
'default' => 'name (required)',
'onfocus' => 'clearDefault(this)',
'label' => array(
'text' => 'Your Name',
'style' => 'position:absolute;')));
echo $this->Form->input('phone', array(
'default' => 'phone number (required)',
'onfocus' => 'clearDefault(this)',
'label' => array(
'text' => 'Your Phone Number',
'style' => 'position:absolute;')));
echo $this->Form->input('email', array(
'default' => 'email (required)',
'onfocus' => 'clearDefault(this)',
'label' => array(
'text' => 'Your Email Address',
'style' => 'position:absolute;')));
echo $this->Form->input('message', array(
'label' => array(
'text' => 'Your Message',
'style' => 'position:absolute;')));
echo $this->Form->input('contact_method', array(
'type' => 'radio',
'style' => 'padding-right:20px;',
'legend' => 'Preferred contact method:',
'options' => array(
'phone' => 'phone',
'email' => 'email'
)
));
echo $this->Form->input('selections', array(
'type' => 'select',
'label' => array(
'text' => 'I am interested in the following:',
'style' => 'display:block; width:250px; margin-left:-12px;padding-bottom:15px;'),
'multiple' => 'checkbox',
'options' => array(
'ABC' => 'ABC',
'DEF' => 'DEF',
'GHI' => 'GHI'
)
));
echo $this->Form->end('Submit');
What am I missing?
After much banging my head on the desk, the answer turned out to be simple -- of course. I simply removed this line from my model. I thought that having it set to the correct table would be fine, but turns out, it needed to be removed:
public $useTable = 'contacts';
You can try with this:
$this->Contact->save($this->request->data, false);
Try with:
debug($this->model->invalidFields());
sometimes, model have errors on validations, and not shows with validationErrors()
also note this..
If $fieldList is not supplied, a malicious user can add additional fields to the form data (if you are not using SecurityComponent), and by this change fields that were not originally intended to be changed.
http://book.cakephp.org/2.0/en/models/saving-your-data.html
take some time and read this documentation is very important, I hope have helped you.
Friend, I see your problem, check..
This line is missing in your controller
public $uses = array('Contact');
put and try, then you told me...
Is post will only return true when the form sets the posted hidden flag. So try this instead.
if(!empty($this->request->data))
Pls add this line
$this->Contact->create();
before you tried to save using
if ($this->Contact->save($this->request->data)) {