Duplicate entries, registration form

10 replies to this topic

#1 onjegolders

Posted 04 June 2012 - 07:39 AM

I'm running into a problem with my registration form, I'm trying to run an if statement if a username is already taken.
The code I was trying was:


elseif (in_array($input->post->signup_name, $users)) {
    $output = "<h6 class='error'>Unfortunately that username is taken, please try another.</h6>";
}

Either there is a problem with my if statement (can $users be used as an array in this way?) or PW is finding the duplicate before my check even takes place as when submitting the form I get the following error:

"Error exception: Duplicate entry"

Would appreciate it if anyone has run into similar problems. Thanks!

#2 diogo

Posted 04 June 2012 - 08:09 AM

Like that, you are comparing an object with a string.
Maybe this will work:
elseif($users->get("name=$input->post->signup_name")) //returns null if not found, so it should work for the condition
I can't test it right now, but hope it helps

#3 onjegolders

Posted 04 June 2012 - 08:24 AM

Thanks for replying Diogo, unfortunately that doesn't seem to work, it returns the following error:

Recoverable Fatal Error Object of class WireInputData could not be converted to string

My PHP is unfortunately not that advanced, is this even the right way to be going about this? I'd just like to add an error message if the username is already taken.

#4 onjegolders

Posted 04 June 2012 - 08:48 AM

Think by compiling various other posts, I have a solution, though not sure if it's the one others would take?

At the top of my page:


$username = $input->post->signup_name;
$check = wire('users')->find("name=$username");

And within my if statements


elseif (count($check)) {
    $output = "<h6 class='error'>Unfortunately that username is taken, please try another.</h6>";
}


#5 diogo

Posted 04 June 2012 - 09:12 AM

Nice, looks like a good solution.
But wire('users') here is not different from $users. You can make it smaller like this if you prefer:
$username = $input->post->signup_name;

elseif (count($users->find("name=$username"))) {
    $output = "<h6 class='error'>Unfortunately that username is taken, please try another.</h6>";
}


#6 onjegolders

Posted 04 June 2012 - 09:30 AM

That's great thanks Diogo!

Any ideas why you can't access $input from within the $users->find("name=$input->post->signup_name"); ?

#7 diogo

Posted 04 June 2012 - 09:59 AM

It's true, it doesn't work. I tested it with a urlSegment and it did work:
elseif (count($users->find("name=$input->urlSegment1")))

Anyway, for sure you will want to sanitize that data, and use it somewhere else in the code. So, I think the best is using the variable instead of calling it directly.

#8 ryan

Posted 04 June 2012 - 10:48 AM

Make sure you do this before putting $username in your selector:

$name = $sanitizer->pageName($input->post->signup_name);
$u = $users->find("name=$name");  

Thanks for replying Diogo, unfortunately that doesn't seem to work, it returns the following error:


While you don't want to have that directly in your selector either way (since it would be unsanitized), I just wanted to add that when you are dereferencing object properties in a string, it's best to surround the statement with {}, like: "{$input->post->signup_name}"; and that should solve the problem.

#9 onjegolders

Posted 04 June 2012 - 11:05 AM

Make sure you do this before putting $username in your selector:

$name = $sanitizer->pageName($input->post->signup_name);
$u = $users->find("name=$name");  



While you don't want to have that directly in your selector either way (since it would be unsanitized), I just wanted to add that when you are dereferencing object properties in a string, it's best to surround the statement with {}, like: "{$input->post->signup_name}"; and that should solve the problem.


Thanks Ryan, this if statement is just to check whether there is an error.
I use sanitizer further on before actually adding the new user. Would I still need to sanitize even if it's just an error check? (Can post entire code if that's unclear)

#10 ryan

Posted 04 June 2012 - 11:33 AM

Yes, always sanitize anything that gets sent to any API call. If you don't, then anyone can inject anything into that selector just by specifying it in your signup_name field. While I can't think of a major problem that could occur with that in your example, it's best to prevent any injection situation. The stakes may be higher in another situation. That's because selectors are designed for your use, not the users. API calls run as superuser, so it's feasible that in some scenario a hacker could exploit an unsanitized selector. You can't modify data with a selector, so it's not at the same level of concern as something like SQL injection, but still a good idea to sanitize anything getting sent to any API call. Except for $sanitizer API calls of course. :)
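
An added example, not part of the thread and not ProcessWire code: it runs under plain PHP CLI and shows both points made above, the interpolation error from posts #3 and #8 and the reason for filtering a value before it goes into a selector. The PostData and Input classes, allowlistName() and clauses() are hypothetical stand-ins; allowlistName() only approximates an allowlist filter and is not the source of $sanitizer->pageName().

```php
<?php
// Hypothetical stubs standing in for $input->post (no __toString(), like WireInputData).
final class PostData { public $signup_name = ''; }
final class Input {
    public $post;
    public function __construct() { $this->post = new PostData(); }
}

// Approximate allowlist filter (assumption, not ProcessWire's implementation):
// lowercase, keep a-z 0-9 - _ . and collapse everything else to "-".
function allowlistName(string $value, int $maxLength = 128): string {
    $value = strtolower(trim($value));
    $value = preg_replace('/[^-_.a-z0-9]+/', '-', $value);
    return substr(trim($value, '-'), 0, $maxLength);
}

// Simplified view of a selector: clauses are separated by commas.
function clauses(string $selector): array {
    return array_map('trim', explode(',', $selector));
}

$input = new Input();
// Constructed sample input: a signup name that carries a second selector clause.
$input->post->signup_name = 'Bob, title=Hello';

// 1. Simple interpolation stops after the first property, so PHP tries to cast
//    $input->post itself to a string. PHP 7.4+ throws Error; older versions
//    raise the recoverable fatal error quoted in the thread.
try {
    $broken = "name=$input->post->signup_name";
} catch (Error $e) {
    echo "simple syntax: ", $e->getMessage(), "\n";
}

// 2. Braces fix the parsing, but the raw value now contributes its own clause.
$raw = "name={$input->post->signup_name}";
echo "unsanitized:   $raw => ", count(clauses($raw)), " clauses\n";

// 3. Filter first, then build the selector: one clause regardless of input.
$name = allowlistName($input->post->signup_name);
$safe = "name=$name";
echo "sanitized:     $safe => ", count(clauses($safe)), " clause\n";
```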

#11 onjegolders

Posted 04 June 2012 - 11:43 AM

Yes, always sanitize anything that gets sent to any API call. If you don't, then anyone can inject anything into that selector just by specifying it in your signup_name field. While I can't think of a major problem that could occur with that in your example, it's best to prevent any injection situation. The stakes may be higher in another situation. That's because selectors are designed for your use, not the users. API calls run as superuser, so it's feasible that in some scenario a hacker could exploit an unsanitized selector. You can't modify data with a selector, so it's not at the same level of concern as something like SQL injection, but still a good idea to sanitize anything getting sent to any API call. Except for $sanitizer API calls of course. :)


Thanks Ryan, will bear that in mind!




