I am new to PHP and I have a lots of forms in PHP. The forms make use of the standard HTML Input fields and need to be validated on the serverside. How can I implement this, so that I do not have to write lots of boilerplate HTML over and over again, rather only write the minimal amount of code that generate the "full forms". What is the recommended approach to implement this? Thanks.
If you prefer to do it all yourself, you should at least do it PHP-Classes which will save you from re-writing (if done right ;-)). Handle attributes of the fields through an assoc array, e.g. like this:
<?php
$form = new Form("MyInput", array ("submit" => "myform.php") );
$form->AddField("input_text", array ("label" => "Your name") );
?>
To handle validation, you could use attributes such as
$form->AddField("input_text", array (
"label" => "Your name" ,
"validate" => "required"
) );
(Only examples, there's a lot of code releated to this which you'd need to write once...)
That should be useful for learning purposes...
Next, you could use JS to validate. Pls. note that JS does client-side validation only and you cannot rely on it being executed (user might have turned of JS in his browser), so you still MUST validate in PHP when receiving the data. (And you could use JS-Libraries for that - I've used Parsley and was quite happy with it...)
If you want to skip that experience, use Frameworks or Templating Engines.
I would suggest to create a form template. Consider using a method (of class View):
private static function capture($view_filename, array $view_data)
{
extract($view_data, EXTR_SKIP);
ob_start();
require $view_filename;
return ob_get_clean();
}
And call the static function capture (caution: consider using of __toString() to print objects) Pseudo-code:
echo View::capture('template', array('id' => '1', 'class' => 'userForm', 'inputs' => array(0 => array('label' => 'Name', 'type' => 'text'), 1 => array('label' => 'Password', 'type' => 'password')));
Related
I am using Laravel 5.4. I have a form where I take some inputs from user. The form variables are directly inserted into database. I want to make sure the sure does not enter anything that could harm the database. I have heard of something SQL Injection but I don't know much about it.
This is my function.
public function insert_data(Request $request)
{
$company_details_data = ['job_id' => $maxID,
'company_id' => $company_id,
'job_title' => ucwords($request>input('job_title')),
'vacancy_no' => $request->input('vacancy_no'),
'category_id' => $request->input('category_id'),
'job_type_id' => $request->input('job_type_id'),
'city_id' => $request->input('city_id'),
'travel_required' => $request->input('travel_required'),
'other_locations' => ucwords($request->input('other_locations')),
'no_vacancy' => $request->input('no_vacancy'),
'job_salary' => $request->input('job_salary'),
'date_expiry' => $request->input('date_expiry'),
'job_details' => $request->input('job_details'),
'date_posted' => date('Y-m-d'),
'qualification_required' => $request->input('qualification_required'),
'experience_required' => $request->input('experience_required'),
'skills_required' => $request->input('skills_required'),
'apply_guidance' => $request->input('apply_guidance'),
'duty_responsibilities' => $request->input('duty_responsibilities')
];
General_model::createrecord($company_details_data,'job_details');
}
This is the createrecord() function in my model:
public static function createrecord($data,$tbl)
{
return DB::table($tbl)->insert($data);
}
I want to use htmlspecialchars here but I am using a rich texteditor in my form. If I use htmlspecialchars it will also change the unharmful tags like ,< p >, < br >,etc. Please Help
Without being able to see the methods on your model that take this data and actually push them into the DB its difficult to tell.
Ideally you'd want to sanitize your data prior to handing it to any class. Also you'd want to make sure your models if not already using an existing ORM were using something akin to PDO for your database interactions.
See the answers to the following question as to what sanitizing a request for the DB actually entails.
EDIT:
As others have pointed out, it most likely makes more sense here to use an ORM like Eloquent in laravel that handles a lot of this for you.
What's the best method for sanitizing user input with PHP?
I was going through Form Creation in ZF2 and I read the following statement.
"
You can create the entire form, and input filter, using the Factory. This is particularly nice if you want to store your forms as pure configuration; you can simply pass the configuration to the factory and be done."
Can anybody tell in detail what does PURE CONFIGURATION mean?
It means that you're able to store your forms within any config file, e.g. module.config.php and then pass this configuration key into the form factory. This is similar what has been done in ZF1 often times, too.
This whole process is done through the Zend\Form\Factory and if you check out the source code you'll see that you could pass it the following array to create a Form
$someConfig = array(
'form-key-name' => array(
'fieldsets' => array(
'fieldset_1' => array(
'elements' => array(
'elem_x' => array(/** Single Form-Element Array*/)
),
'fieldsets' => array(
'fs_y' => array(/** More Sub-Fieldset Array*/)
),
)
)
)
);
Note that this example is quite incomplete (missing name => foo), hydrator configuration, inputFilter configuration, etc... but as it is this should give you a idea of what's meant by that statement.
Using the above-mentioned configuration then you can pass it to the factory
$factory = new \Zend\Form\Factory();
$form = $factory->createForm($someConfig['form-key-name']);
I am writing an app that allows users to modify and change some of their site settings. I am just constructing a form generator that will send various options to variuous plugins to generate the code what I am wondering is whether I should be using objects for this rather than multidimensional arrays? If so how would I change my code?
So right now I have made this- its very long and going to get longer so I have only pasted part of it for the sake of brevity:-
$scopeSettings = array(
'site_background' => array(
'subpanels' => array(
'colour' => array(
'plugins' => array(
'colourchooser' => array(
'tip' => "The background colour appears underneath the 'Background Image' (if set)-hover over the '?' around the colour chooser for extra tips on how to use it",
'element' => 'body',
'gradientenabled' => 'true',
'opts' => array (
'closed' => 'true',
'advanced' => array(
'tip' => "You can paste in your own generated gradient codes in here",
'checkbox' => true
)//end advanced
)//end Opts
)//end colour chooser
)//end plugins
),//end colour sub panel
'pattern' => array(
'plugins' => array(
'patternselector' => array(
'tip' => "Use the pattern selector to apply effects like moire or scan lines to your background image",
'element' => 'patimg'
)//end patternselector
)//end plugins
),//end pattern sub panel
)//end subpanels
)//end site background
);//end scope settings
What would be best practice with this sort of thing?
Maybe this is a stupidity, but you can use "YAML" or "JSON" as configuration format for an application no?
As for example Symfony or other framework.
My advise: try YAML or XML or JSON to get a more readable config file, then parse it back to an array in your own code.
I would store the settings in <insert your markup language of choice> (XML, JSON, YAML, etc.).
You can then cache these in a $_SESSION variable, and populate it when you bootstrap if they don't already exist:
session_start();
if (!isset($_SESSION['settings'])) {
// Assuming you choose JSON...
$settings = json_decode(file_get_contents('settings.json'), TRUE);
$_SESSION['settings'] = $settings; // array
$_SESSION['settings'] = (object)$settings; // object
}
Whether or not you use an array or object then becomes just a matter of what access syntax you prefer:
$_SESSION['settings']['site_background']['subpanels']['colour']...
// vs.
$_SESSION['settings']->site_background->subpanels->colour...
I would say that some like Array Oriented Programmation and that, with PHP 5.4 they can express themselves in a great way.
However, more people are used to OOP -so do I- and It can be a more readable way to code your solution.
I think in this route I would go with a structured object oriented route. You can have a parent object, that holds all of the children objects (setting groups) and you can even retrieve on setting group as an object of its own. Each object will have its own definitions and properties which can be documented in the code that provides useful information within an IDE (if you use docblocks).
I would use objects. Assuming you are making a form, you should have several classes:
Form - to hold the form, will have a property $input_list (or $node_list to hold all of the inputs
Input - to describe a single input item, it should have properties like label, type, tip etc.
Fieldset - to describe a fieldset, to hold additional items inside. Like the Form class, it would have an $input_list to hold all of the inputs inside of it.
Those classes can stand alone, and can be extended to have customized common input types (for instance)
class Checkbox extends Input {
public $type = 'checkbox'
....
}
As other's people here also my opinion is to use YAML or JSON - using this it could be done in very simple way.
Just for instance an example of JSON format of Your data structure:
var settings = {
'site_background' : {
'subpanels' : {
'colour' : {
'plugins' : {
'colourchooser' : {
'tip' : "The background colour appears underneath the 'Background Image' (if set)-hover over the '?' around the colour chooser for extra tips on how to use it",
'element' : 'body',
'gradientenabled' : 'true',
'opts' : {
'closed' : 'true',
'advanced' : {
'tip' : "You can paste in your own generated gradient codes in here",
'checkbox' : true
}//end advanced
}//end Opts
}//end colour chooser
}//end plugins
},//end colour sub panel
'pattern' : {
'plugins' : {
'patternselector' : {
'tip' : "Use the pattern selector to apply effects like moire or scan lines to your background image",
'element' : 'patimg'
}//end patternselector
}//end plugins
}//end pattern sub panel
}//end subpanels
}//end site background
};//end scope
You can use PHP functions like json_encode and json_decode for JSON <-> PHP data transformation. Using curly braces means that the elements are objects while when replaced by [ and ] you got arrays...
But also a PHP OOP approach could be used succesfully especially when using extendability. You could have one main class Settings having some default properties and e.g. magic __get and __set functions and then You can implement many subsettings subclasses extending from this main Settings class.
I have recently begun working on a PHP/JS Form Class that will also include a SQL Form builder (eg. building simple forms from sql and auto inserts/updates).
I have tried several classes (zend_form, clonefish, PHP Form Builder Class, phorms etc) but as yet haven't come across a complete solution that is simple, customizable and complete (both server side and client side validation, covers all simple html elements and lots of dhtml elements: sorting, wysiwyg, mutli file upload, date picker, ajax validation etc)
My question is why do some "classes" implement elements via an array and others via proper OO class calls.
eg.
Clonefish (popular commercial php class):
$config = Array(
'username' => Array(
'type' => 'inputText',
'displayname' => 'Username',
validation => Array(
Array(
'type' => 'string',
'minimum' => 5,
'maximum' => 15,
),
),
));
$clonefish = new clonefish( 'loginform', 'test.php', 'POST' );
$clonefish->addElements( $config, $_POST );
Then others eg. Zend_Form
$form = new Zend_Form;
$username = new Zend_Form_Element_Text('username');
$username->addValidator(new Zend_Validate_Alnum());
$form->addElement($username);
I realise Zend_Form can pass elements in via an array similar to clonefish but why do this?
Is there any benefit? It seems to make things more complicated especially when using a proper IDE like Komodo.
Any thoughts would be appreciated as I dont want to get too far down the track and realize there was great benefit in using arrays to add elements (although this wouldn't be much of a task to add on).
Cheers
My question is why do some "classes" implement elements via an array and others via proper OO class calls.
For convenience. It's less verbose and it feels less like coding and more like configuration and you need less intimate knowledge of the API.
Btw, the reason you have not yet come across a complete solution that is simple, customizable and complete is because it is not simple. Forms, their validation and rendering is complex, especially if you want to have it customizable for any purpose. ZF's form components are a good example of how to properly decouple and separate all concerns to get the ultimate extensible form builder (including client side code through Zend_Dojo or ZendX_Jquery). But they are also a great example of the complexity required for this. Even with the convenient array configuration, it is damn difficult to make them bend to your will, especially if you need to depart from the default configuration and rendering.
Why to use objects? Becouase they are a much more complex types. Consider the following example (I never useed Zend_Form so I don't even know its architecture):
class MySuperAlnumValidator extends Zend_Validate_Alnum {
protected $forbiddenWords = array();
public function addForbiddenWord($word) {
$this->forbiddenWords[] = $word;
}
// Override Zend_Value_Alnum::validate() - I don't know whether such a method even exists
// but you know what's the point
public function validate() {
parent::validate();
if (in_array($this->value, $this->forbiddenWords) {
throw new Exception('Invalid value.');
}
return $this->value;
}
}
// -----------------------
$validator = new MySuperAlnumValidator();
$validator->addForbiddenWord('admin');
$validator->addForbiddenWord('administrator');
$username->addValidator($validator);
This is only a simple example but when you start writing more complex validators/form fields/etc. then objects are, in principle, the only meaningful tool.
How would I go about creating a real world form creation class that I can use to display a new form with fields of different types, as how many fields I want, I can use drop downs and I can do all of this by using OOP?
To be honest I wouldn't roll my own, considering there are a few mature form packages out there for PHP.
I use PEAR's HTML_QuickForm package (http://pear.php.net/manual/en/package.html.html-quickform.php) for PHP4 sites.
For PHP5, I'd have a look into Zend_Form (http://framework.zend.com/manual/en/zend.form.html).
For my quickform code, I use a helper class that lets me define forms using a config array. For example:
echo QuickFormHelper::renderFromConfig(array(
'name' => 'area_edit',
'elements' => array(
'area_id' => array('type' => 'hidden'),
'active' => array('type' => 'toggle'),
'site_name' => array('type' => 'text'),
'base_url' => array('type' => 'text'),
'email' => array('type' => 'text'),
'email_admin' => array('type' => 'text'),
'email_financial' => array('type' => 'text'),
'cron_enabled' => array('type' => 'toggle'),
'address' => array('type' => 'address'),
),
'groups' => array(
'Basic Details' => array('site_name', 'base_url'),
'Address Details' => array('address'),
'Misc Details' => array(), // SM: Display the rest with this heading.
),
'defaults' => $site,
'callback_on_success' => array(
'object' => $module,
'function' => 'saveSite',
),
));
Note that the above element types 'address' and 'toggle' are in fact multiple form fields (basically, meta-types). This is what I love about this helper class - I can define a standard group of fields with their rules (such as address, credit_card, etc) and they can be used on lots of pages in a consistent fashion.
You definitely can. Consider a Form class which stores information about the form itself: the method, action, enctype attributes. Also throw in stuff like an optional heading and/or description text at the top. Of course you will also need an array of input elements. These could probably be put into their own class (though subclassing them for InputText, InputCheckbox, InputRadio maybe be a bit over the top). Here's a vague skeleton design:
class Form {
var $attributes, // array, with keys ['method' => 'post', 'action' => 'mypage.php'...]
$heading,
$description,
$inputs // array of FormInput elements
;
function render() {
$output = "<form " . /* insert attributes here */ ">"
. "<h1>" . $this->heading . "</h1>"
. "<p>" . $this->description . "</p>"
;
// wrap your inputs in whatever output style you prefer:
// ordered list, table, etc.
foreach ($this->inputs as $input) {
$output .= $input->render();
}
$output .= "</form>";
return $output;
}
}
The FormInput class would just need to store the basics, such as type, name, value, label. If you wanted to get tricky then you could apply validation rules which would then be converted to Javascript when rendering.
I will go against other advice here and suggest that you build your own library to generate forms. If you fail, you will still learn a lot in the process.
The design process is most important here. You start from the top and ask yourself what goes on a form. At an abstract level, a form is full of elements. Some are visible, some are not, some can be entered by the user but others cannot, some elements can trigger other elements... and the list goes on...
Eventually you end up with elements that are "decorative" (Text, Headings, Separators, Fieldsets, Links, Images), elements that are interactive (Inputs, Dropdowns, Checkboxes, Radio buttons, Submit Buttons) and finally elements that are neither decorative nor interactive (Hidden Inputs, Anchors and elements that act as containers to group other elements.)
Once you have the different categories organised you start looking into features that all elements have and you can put that into the base element class. Then you go up the chain making your classes doing more and more, inheriting from other simpler element classes. In my library, the base element class is called form_element and each form_element has a unique name that no other element within the same form can have. A form_element also has a set of attributes. It has a function that all elements have called render(). In the base class render() does nothing (so a base element is always invisible) but in derived classes it starts producing HTML. By the way, I never make any of my classes create HTML. Instead I have a static class called html which writes HTML for all the classes that needs its services.
Very early in the chain of form elements, you should have one, a container that groups others. It should have an add() function and its render() function should consist of calling the render() function of all its sub-elements. the form class will be derived from this container class.
Spend plenty of time on the design. Pay attention to compatibility with the rest of your library.
If you want the data from the form to come from a database and be saved to one, you will need to add this functionality and have a form element class linked to a table and column. Here too, I have a separate DB class that can retrieve/save the data. I have a query class that creates queries. Form elements should have nothing to do with creating HTML, creating queries or accessing a database. My static class DB and my query class take care of the dirty work. The form class should only be involved with form stuff. The form class collects into an array all the tables and columns for the fields that need to be saved and pas it to the query class which creates the query which is then passed to the DB class which executes it.
Once you are properly setup, what appears to be horrendously complicated suddenly becomes very easy with properly designed classes.
Because you have a class that can write HTML, your form class needs to just html::init() and follow it with render() and the entire HTML code for the form is available within the html buffer. html::output() flushes everything out.
Validation is also handled externally with a static validation class. Form elements that can be validated hold validation instructions within an array in a format that can be passed directly to the validation class. Each element that needs to be validated is bound to an error element which displays the error if the element does not validate or remains invisible if all goes well.
This is to show you that when you design a form environment (or anything else) you really need to consider absolutely everything before you get started. The work that you put into it may not immediately translate into code that can power your application but it will sure make you a much better developer, thus making your future projects much easier to handle.
The form class creates a form, the html class creates the HTML, the query class makes queries and the DB class handles the database. If your classes start doing work that should be done by separate classes, you have a design problem.
Here is a code sample to show how my form library works:
$fm = new form('myform');
$fm->binding(FORM_DATABASE);
$fm->state(FORM_RETRIEVE);
$fm->set_recno(1);
$fm->add(new form_heading("My form"));
$fm->add($el=new form_input("name",40));
$el->bind_data('mytable','mycolumn');
$el->set_attribute('size', 25);
$el->set_default('Name');
$fm->add($el=new form_submit("submit_btn","Submit"));
if($fm->manage())
{
redirect or do something else here. The interaction with the form is done. The initial state for the form was FORM_RETRIEVE. If it had been FORM_NEW it would have displayed default values instead of the retrieved record and saved the form as a new record in the table.
}
Note that the manage() function of the form takes care of absolutely everything, retrieving data from the database, rendering the form into the view, validating data and saving it back to the database.
One of the advantages of creating forms programmatically (as above) is the option to write your own form-based code generator to create the code to make your forms.
I hope this can help you or someone else.
Just for reference, Object Oriented Forms by Khurram Khan is an excellent OO forms implementation for PHP.
Here is a sample of what the code looks like:
$form = new Form("Register", "form.php");
$personal = new Block("Personal Information");
$name = new Text("name", "Your name");
$name->setDescription("this is my description");
$name->addValidator(new MaxLengthValidator("The name you have entered is too long", 30));
...
Another more popular implementation is PHPlib. However, I find this to be a bit clunky; it seems like it's just some standard functional programming wrapped in a class.
Another option would be writing an abstraction for the built in DOM library. This will allow you to manually create any kind of form and form element using OO notation, with the added benefit that you will be returned an OO DOM instance that can be used elsewhere in your program.
You definitely should use OO PHP to do forms, and all the rest of your HTML output. I could not find any PHP library (many of the links in these answers are dead) to do what I wanted, so I wrote PHPFUI. It is not a generic HMTL output library, but outputs pages for the Foundation CSS Framework. You could easily use the same technique to output a more vanilla page, or Bootstrap or what ever. I did not want to write a generic HTML OO PHP library, as I wanted something lean and mean for performance reasons. Also I don't like to over engineer stuff, so it is hard coded to Foundation. But the same principles would apply to any PHP library that would want to output clean HTML with no validation issues, which you often find in hand written HTML.