Leaderboard
Popular Content
Showing content with the highest reputation on 06/12/2014 in all areas
-
Sorry if I'm making this even more confusing, but it's really not that difficult, once you grasp the general concept:

Consider all data coming from the user dirty. In PW, anything that comes from $input. It has to be sanitised and it's always better to be too strict than too lenient about it; don't worry about being overly cautious, that very rarely causes any issues while not being cautious enough.. well, that's another story entirely.

Also, there's no such thing as "general sanitizing". It depends on what kind of values are valid in this specific use case. If possible, compare to an array of valid values, but if/when that's not feasible ...

* if you only want integers, typecast value to int first:
    $value = (int) $input->post->value;
* if you only want plain text, use $sanitizer->text():
    $value = $sanitizer->text($input->post->value);
* if a sanitizer feature matching your use case exists, use that; if you want to check for valid page names, use $sanitizer->pageName(), and if you want to check for valid emails then use $sanitizer->email() etc.
* if you're inserting user data in HTML, make sure it doesn't contain anything that could break the markup:
    <input type="text" value="<?php echo $sanitizer->entities($input->get->value); ?>" />
  to convert all applicable characters to entities (such as " => &quot;) or at least
    <input type="text" value="<?php echo str_replace('"', '', $input->get->value); ?>" />
  to remove double quotes, which would obviously cause problems here etc.

If you're still worried that you don't know enough of this, try Google; there are a lot of various tutorials about the subjects of validating, filtering, escaping and encoding data (the terms are related but have slightly different meanings, by the way). This Smashing Magazine article, for example, explains the basics pretty well.

Another resource I'd highly recommend is the SlideShare presentation from Chris Shiflett, "Evolution of Web Security". The scope of this is much wider than just sanitizing user data, but that's all stuff that any decent web developer should be aware of anyway, so it definitely won't hurt you
8 points
-
Hi Pravin

There's a manual way: https://processwire.com/talk/topic/3987-cmscritic-development-case-study/

Or a new converter - install this: https://github.com/adrianbj/ProcessMigrator then this: https://github.com/NicoKnoll/MigratorWordpress and follow the instructions on the second link there.

The topic discussing the migrator is roughly here: https://processwire.com/talk/topic/4420-page-list-migrator/page-6
6 points
-
Hi mosravo, different to WordPress and others, ProcessWire has no "theme as a package" logic. Its philosophy is to provide a content framework and an easy API, where a clean WordPress install confronts you both with a certain content logic (pages vs. articles) and a certain theme installed (and the call to action to download/try more themes). So, if you discover certain projects and sites being realized with PW, the chance of this being a theme (as in: free download provided somewhere) is close to zero. But still, these projects can serve as a showcase for what's possible with PW.

Maybe let's compare it to a (fictional) lego product: one is already assembled on purchase and has 3 or 4 big chunks of lego bricks (and you still could go to nearly every single brick if you want to) - that would be WordPress. ProcessWire is more of a box of bricks of every possible form, preassembled if you want to ( = site profiles) but foremost provided with plans of possible outcomes ( = this forum, and the docs). But still, you have to "know your lego" to at least a small extent minimum.
6 points
-
    <?php
    if ($page->check == 1) // 1 is checked, 0 is unchecked
    echo "some text";
    echo $page->sometextfield;
    ?>
5 points
-
I have no need for the German language pack, but I am always so impressed about how quickly you are on these updates. I am sure lots of users are super appreciative!
4 points
-
New German updates for actual PW dev 2.4.4 (12 June 2014). Zip contains only updated/added files (in comparison to the default 2.4 lang pack).

updated files:
* wire--templates-admin--default-php.json
* wire--modules--fieldtype--fieldtypepagetable-module.json
* wire--modules--system--systemupdater--systemupdater-module.json

added files:
* wire--modules--process--processpagelister--processpagelister-module.json

pw-lang-de-dev-update.zip
4 points
-
Roger, Am not sure I follow? What do you mean by 'site guide companies'? Then again, am slow, it's hot outside and all I can think of is the world cup starting in a few hours
4 points
-
    $pages->find("template=x, pagearrayfield=1234"); // where 1234 is the page ID

    // this will also work
    $wanted_page = $pages->get(1234);
    $pages->find("template=x, pagearrayfield=$wanted_page");
4 points
-
Since ProcessWire and its modules/plugins do not output any HTML by themselves, you are completely free in how you wrap the data from the pages. This gives you as developer complete freedom how you present the data. You could use HTML, XML, or even just JSON. This is the reason why there are no themes for the front-end available.
4 points
-
Hi again, just as promised: I'm going to give you a glance at two additional features of PassiveCron.

1. Pro Cache Bypass
Unlike LazyCron, which is executed parallel to page loads, PassiveCron will be able to execute tasks even while Pro Cache is turned on. So you are able to execute tasks while having great load performance thanks to Pro Cache.

2. No registration needed
Unlike ProcessImageMinimize / minimize.pw, there is no need to sign up at our web service. As you install PassiveCron, it will automatically register itself anonymously at cron.pw and just work.

In the next weeks we will post more information about PassiveCron and cron.pw as we develop them, so stay tuned.
4 points
-
Something like this should work...

    $t = $templates->get('basic-page'); // get the template
    $f = $t->fieldgroup->getField('summary', true); // get the field in context of this template
    $f->description = "This should be the description"; // value of the field
    $fields->saveFieldgroupContext($f, $t->fieldgroup); // save new setting in context

Edited for clarity... In this example, we are changing the description of the field 'summary' in the context of the template 'basic-page'.
4 points
-
Hi All, I am gladly posting my first site profile.

Blue-VR Site Profile for ProcessWire

Summary
A site profile for corporate or personal website. Profile can be used with ProcessWire open source CMS/CMF version 2.3+. The front-end uses the Bootstrap 3.1 css framework to get the responsiveness and mobile friendliness.

Front-end Demo - bluevr.webcreate.lk
Back-end Demo mode - bluevr-webcreate.lk/processwire (The username 'admin' and password 'bluevr2')

Overall features
* HTML5 & CSS3 + ({less})
* Built with Bootstrap 3.1
* SEO Friendly
* Clean & modern design
* Responsive markup
* Contact form and google map locations with multiple google markers
* Testimonials using bxSlider
* AIOM supports (Just install the module no need to touch the code)

How to install
Please take a copy of the latest ProcessWire. Replace the install, modules and templates directories with those in this profile, as shown below:
- /site-default/install/
- /site-default/modules/
- /site-default/templates/

Make sure you do following steps as well
1. Add `tinymce` directory into /site-default.
2. Add the following two lines to your `/site/config.php` file:
    $config->prependTemplateFile = '_init.php';
    $config->appendTemplateFile = '_main.php';

Download
Github: https://github.com/gayanvirajith/BlueVrSiteProfile/

Credits
I would like to thank Ryan for giving us great CMS/CMF and modules. Hani AbuGhazaleh for a great module of Fieldtype: Select (AKA Drop Down). David Karich for providing such a nice module AIOM+.

*** Please note that the site profile is still on testing stage.

Thanks

------------------------------------------------------------------------
Edit: install instructions.
Edit: Add credits
Edit: Update live demo url
Edit: Update back-end demo mode details
3 points
-
Greetings

Recently uploaded my first site made within the amazing walls of ProcessWire. It's a very simple, yet professional, site for an accounting, tax, and business consultancy in Limbe, Cameroon. The site uses well-built templates (especially on the backend - I really love the way everything works with the editing pages on a per-template basis), and a custom module for the contact form, which runs a clear and concise validation service, powered by the respective Illuminate components (yes, I had to mingle Composer into the scene).

Looking forward to many more sites in PW - as it is, I have three more to upload by the end of July. Hope you like it - feedback is always welcome.

www.aegpartners-cm.com
3 points
-
This is really rough, but I have tested it and it does work

    $p = $pages->get("/test/");
    $rf = "repeater_test"; //repeater field name
    $ptf = "pagetabletest"; //pagetable field name
    $ptt = "basic-page"; //pagetable template name
    foreach($p->$rf as $r){
        $npt = new Page();
        $npt->of(false);
        $npt->template = $ptt;
        $npt->parent = $p;
        foreach($r->fields as $f){
            $npt->$f = $r->$f;
        }
        $npt->save();
        $p->of(false);
        $p->$ptf->add($npt);
        $p->save();
    }

The key thing is that for this to work as is, the repeater field must include a title field, because this is used to generate the names of the child pages for the pagetable entries. You could of course manually add a title field in the loop when creating the $npt page.

EDIT: You can ignore the need for a title by making the title hidden and not required in the context of the pagetable template and setting a value for the automatic page name format when setting up the pagetable field.

For this to work, the pagetable field must be already set up and ready to go. If I had more time today, I would have enhanced this a little more regarding the title/name issue, but hopefully it should get you going.
3 points
-
Hi Mosravo, Welcome to PW! That's right. You can use any HTML, whatever, you like with ProcessWire and style it as you wish. The Site Profiles you talk about are sort of something of convenience, ready made for those who wish to use them. And even then, once you've installed them you can bend them left right or centre as you wish. In other words, there are no ProcessWire themes..
3 points
-
I normally use Ryan's "Page Edit Field Permission" Module on most of my customer's sites in conjunction with Hanna Code. I create custom text area fields which are then restricted to the Super-User only. That is where I place stuff such as Macrura is talking about in the above quote. That way the client never sees or has access to mess up the Hanna Code data. It has worked very nicely for me and my clients.
3 points
-
I'm using Repeater to give my editors the possibility to insert multiple instances of different types of content (dependencies ftw!) in one page. This works really well for most pages. But on some pages, the backend takes ages to load, because of too many repeaters. The new PageTable module would probably speed things up for me. How could I convert my Repeater field to a PageTable field with all the content preserved? Thanks!
2 points
-
Hi everyone! I'd like to introduce PassiveCron - a module, which allows developers to schedule cronjobs - to you. This will be Conclurer's second Pro Module, following ProcessImageMinimize / minimize.pw. PassiveCron is available now as a beta version.

What is it going to do?
Have you ever been in a situation, in which ProcessWire ran out of PHP's max_execution_time, because you're doing cool tasks like resizing dozens of images using PIM? Or have you noticed site load performance issues when doing a lot of tasks simultaneously? PassiveCron will fix this by giving developers the ability to
* schedule tasks to future and / or repeating points in time
* run tasks asynchronously

Isn't this exactly the same as LazyCron?
No. LazyCron runs your tasks synchronously as your page loads. So running larger tasks will decrease your page's load performance. Instead of this, PassiveCron is able to run those tasks separately from your site loads, thanks to our new web service cron.pw, which will be released together with PassiveCron.

How can I use this in my site / module?
We will bundle PassiveCron with an easy-to-use API. Let's say you want to call a specific module action tomorrow at 8:00 am:
    $cron->tomorrow->at('8:00 am')->run('Class', 'Method');
Or do this specific cleanup task, every night at 3:00 am:
    $cron->every("day")->at("3:00 am")->run("Class", "Method");
Or just run this one large task asynchronously:
    $cron->run("Class", "Method");

How much will it cost?
We are planning to give every ProcessWire site 200 task executions / day for free. For unlimited task executions per site, it'll be around 5€ (pay once, use forever). During the beta period, no payments will be available.

Features overview
* Easy-to-use API for asynchronous task execution
* Integrable into existing modules for load time improvements
* No registration at cron.pw needed
* Pro Cache will be bypassed
* En- or disable PassiveCron per module
* Free minimize.pw background tasks
* Dashboard with reports per task

So, what do you think? Is such a module what you need? Can you imagine additional features or do you have wishes for PassiveCron? Please tell us in the comments. Thank you very much!
2 points
-
    $pages->find("template=x, pagearrayfield=$somepage");

Where $somepage might be a page or an ID or multiple IDs. If $somepage is a page object, it will be converted to a string with its ID so you don't have to write $somepage->id but you could.

    $pages->find("template=x, pagearrayfield=1230");
    $pages->find("template=x, pagearrayfield=1230|1233|1203");
2 points
-
It doesn't have a theme system - but that means you can style it without any restrictions whatsoever. Stylewise, the better your HTML, CSS skills are, the better PW "theming" outcome is.
2 points
-
Let's say you have a frontend form that, among other things, asks visitors to tell which Dutch province they come from. You generate the select options from 12 PW pages (there are 12 provinces). Of course, because these are existing PW pages and you did some solid coding the select options will be clean and because visitors can not type anything themselves you think that the only thing that could be submitted would be one of the 12 provinces.

This is where you are wrong. Assumption is the mother of all fuckups. Maybe a clever hacker will be able to manipulate what goes into input->post. So instead of a province a bunch of evil code gets submitted. This is why you have to check that input->post matches one of the trusted values before submitting. In this case, the trusted values being the 12 provinces.

So in the case of predefined select options it is not about sanitizing but more about checking/validating post data before processing the request.
2 points
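
The allow-list check described in this post, together with the integer typecast and entity-encoding from the first post on this page, as an added example that is not part of either original post. It is plain PHP 8 so that it runs without a ProcessWire install: the province list is a constructed subset, the function names are hypothetical, and htmlspecialchars() stands in for $sanitizer->entities().

```php
<?php
declare(strict_types=1);

// Constructed sample: in ProcessWire these would be the names of the 12
// province pages; three are enough to show the check.
const TRUSTED_PROVINCES = ['drenthe', 'friesland', 'utrecht'];

/**
 * Validate a submitted select value against the trusted options.
 * Returns the trusted value on a match, or null for anything else.
 * (Hypothetical helper, not a ProcessWire API.)
 */
function validateProvince(mixed $submitted, array $trusted): ?string
{
    // A hand-built request can send province[]=x, which arrives as an array.
    if (!is_string($submitted)) {
        return null;
    }
    // Strict comparison: no type juggling, no partial matches.
    $index = array_search($submitted, $trusted, true);
    return $index === false ? null : $trusted[$index];
}

/** Typecast first, then range-check: (int) alone turns "abc" into 0. */
function validatePageId(mixed $submitted): ?int
{
    if (!is_scalar($submitted)) {
        return null;
    }
    $id = (int) $submitted;
    return $id > 0 ? $id : null;
}

/** Encode a value for use inside a quoted HTML attribute. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Process one form submission; returns the failed fields and clean values. */
function handleSubmission(array $post): array
{
    $errors = [];
    $province = validateProvince($post['province'] ?? null, TRUSTED_PROVINCES);
    if ($province === null) {
        $errors[] = 'province';
    }
    $id = validatePageId($post['id'] ?? null);
    if ($id === null) {
        $errors[] = 'id';
    }
    return ['errors' => $errors, 'province' => $province, 'id' => $id];
}

// Constructed submissions: one made with the real form, one edited by hand.
$submissions = [
    ['province' => 'utrecht', 'id' => '1001'],
    ['province' => '"><b>not a province</b>', 'id' => 'abc'],
];

foreach ($submissions as $post) {
    $result = handleSubmission($post);
    echo $result['errors']
        ? 'rejected fields: ' . implode(', ', $result['errors'])
        : 'accepted',
        "\n";
    // Re-displaying what was typed is only safe after encoding it.
    printf(
        "<input type=\"text\" name=\"province\" value=\"%s\" />\n",
        attr($post['province'])
    );
}
```

Only the value returned by validateProvince() is used further on; the raw post value is never processed, and it is echoed back only through attr().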
-
So this reminds me of the joke about the man who asked his friend if the indicators (signals) on his car were working: "Yes it is, no it isn't, yes it is, no it isn't...."
2 points
-
Hear me out, guys! Based on extensive user surveys and after tremendous amounts of solo brainstorming (and other proven methods, such as wearing all of the six thinking hats simultaneously) I've just come up with a new marketing strategy (and slogan) that will most definitely make us unbeatable: How's that for a slice of fried gold?

.. and on a more serious note, I've also got tremendous amounts of respect for Kongondo and his work here. Never visited MODx boards and still don't know what the heck Wayfinder is, but he's done some pretty awesome stuff here too

In my case it was Antti who threatened to break my legs brought ProcessWire to the company we both worked at back then. Ryan's video was my first contact with the system itself and the thing that really convinced me that Antti wasn't just delirious -- this thing actually looked great!
2 points
-
Textarea Markup inputfield

Loosely based on core module InputfieldMarkup, InputfieldTextareaMarkup works with textareas (FieldtypeTextarea) and outputs plain text, markup and optionally values from other fields in Page Edit (backend). That output can be configured via field settings (Input tab) and then modified on a per-page basis, though only by superusers.

For an example this:

    Hello World, I'm a {{template}}, my ID is {{id}} and my name is {{name}}!

Would result in a non-editable (except by superusers) "markup field" with content along these lines:

    Hello World, I'm a basic-page, my ID is 1001 and my name is About!

Content pulled from other fields is sanitised using $sanitizer->text() with default options, so no markup should get through, max length for individual field value is 255 etc.

The module is available from GitHub. For more details check out README and/or modules directory page.
1 point
-
Here's a video of a module we're working on that I thought you guys might like. The module, Lister, provides a different type of Page List than the tree that you usually interact with in ProcessWire. It gives you a table of pages with customizable columns, filters and actions. Rather than try to explain what it does, I figured I'd show you. This module also uses a new (soon to be released) Inputfield invented by Apeisa, developed by me, and sponsored by Avoine, called InputfieldSelector – it's what you see on the configuration screen as well as the Filters tab. I recommend bumping up the size/quality to 720p so that you can properly see everything. The video has no sound... I tried to do one with narration, but that didn't work out.
1 point
-
Watched the opening game Bra - Kro. And was disappointed Croatia did not win. They played much better game than Brazil. A schwalbe + japanese fortune cookie = goal. Last years Brazil is running on lucky oil. 2morrow I will go to Museumplein Amsterdam to see the Netherlands vs Spain match - expected visitors 180.000 people!
1 point
-
I created a pull request at GitHub. Changed only like 5 lines. But should be much nicer now
1 point
-
You need to change your: != "" to: !== ""

EDIT: It's a PHP zero empty thing. Google "php empty zero" or something else along those lines.
1 point
-
Hanna code is, if you talk in MODX language, a combined snippet & chunk on steroids
1 point
-
I use for example this inside a function which gets used on my main template, checking the current viewed page->id, and at the end of the function I include the $layout file that makes up the code I want to display according to that page id.

    // see which page id is current one and create part of $selector
    switch ($page->id) {
        case '1171': // members
            // declare our variables first because they are used in all cases, then use SUB switch
            // we don't want to change variable $pages, just its value. Change $layout
            $pages = $users;
            $layout = "./myinclude/members.inc";
            // SUB switch to find user role. for now we let all roles see all roles
            switch (true) {
                // superuser
                case ($user->hasRole('38')) :
                    $selector = "roles=38|1160|1170|1177";
                    break;
                // supplier
                case ($user->hasRole('1160')):
                    $selector = "roles=38|1160|1170|1177";
                    break;
                // store
                case ($user->hasRole('1170')):
                    $selector = "roles=38|1160|1170|1177";
                    break;
                // member
                default:
                    $selector = "roles=38|1160|1170|1177";
                    break;
            } // end of SUB switch
            break; // end of case 1171
    } // end of switch on $page->id

I use this to create the find() pages, but you can also use other code in the cases...

    // On that included file I start a double check, so direct access is restricted
    // while the switch is still active, because this include file is inside the template
    if(!$user->isLoggedin()) {
        // redirect to login page
        $session->redirect("/login/");
    }

Of course, the login is a separate page, and one would never access the content without logging in first AND having the right role.
1 point
-
It's never wrong to test for a suspected outcome of the input. If you know the outcome should be a page id, and you know what template that page should have, you can test and stop the script if it fails.

    // we want a page with the basic-page template
    $id = (int) $input->post->id; // typecast to integer, so we have an integer.
    $valid = false;
    if ($id) { // only if it's not 0, read zero
        $p = $pages->get($id);
        if ($p->template == 'basic-page') {
            $valid = true;
        }
    }
    // if valid is true, it's valid
    if ($valid) {
        echo 'Jeuhj jeuhj jippie jeej';
    }

I always test for a suspected outcome. Others will tell you more about security I think.
1 point
-
Thanks for sharing Gayan! It would be good to explicitly state in your install instructions that Site Profiles can only be installed on 'new' sites (newbie alert). I know it is implicit here 'Please take a copy of the [latest ProcessWire]' but it could be clearer

Edited to request clearer instructions...
1 point
-
Hi Melissa, I tried to reproduce this scenario on my local setup. It works for me. Here is what I have done.

Here is my templates structure

    └── news - Has templates/news.php file. Enable Allow Page Numbers (Templates > news > URLs Tab > Checked Allow Page Numbers?)
        └── month - (Template > month Family Tab > Allowed templates for parents(s) - news, Allowed template(s) for children - news_story)
            └── news_story (Template > news_story Family Tab > Allowed templates for parents(s) - month)

Here is my page structure

    └── News (uses news template)
        └── 2014 (uses year template)
            ├── Feb (uses month template)
            │   ├── Story-4 (uses news_story template)
            │   └── Story-5 (uses news_story template)
            └── Jan
                ├── Story-1 (uses news_story template)
                ├── Story-2 (uses news_story template)
                └── Story-3 (uses news_story template)

I added fetching+pagination code in templates/news.php

    <?php
    if(!$page->template->allowPageNum) {
        // notify me to enable pagination in the template
        echo "<p class='alert label'>" .
            "This template needs page numbers enabled to support pagination!<br />" .
            "Go to: Admin - Setup - Templates - Edit: '$page->template' - URLs " .
            "</p>";
        exit;
    }
    $results = $page->find("template=news_story, limit=3");
    $pagination = $results->renderPager();
    ?>
    <?php foreach ($results as $child): ?>
    <?php echo "<h4><a href='{$child->url}'>{$child->title}</a></h4>";?>
    <?php endforeach; ?>
    <div class="pagination"><?php echo $pagination;?></div>

Hope this would help a little. Thanks

Edit: Fixed some typo
1 point
-
Hey Nico. I have this installed now and testing. I'm using pw 2.4.0 and first attempt worked as expected. So far no major problems at all. Nice work. This may become standard in each of my sites as it is often requested. I'll report back if I find a bug.
1 point
-
@pleini Since you can create whatever fields you want you can also create whatever variants you want. On your template (not template file) you might want to have different tabs for different devices. However, since you want to have exactly the same data in all devices (wise choice), there is no need. You can do this as part of your template file, which is far more useful. Then the user does not have to worry about devices, the template files will sort that out.

You can also use bits of php - so, for instance, you might want to break an article up into a series of iPhone sized swipeable pages, but just for phones. So, you use a bit of php to break your text up into the right sized chunks and then use some sort of content slider to display them. On a Desktop, it would just show as one page. But this is all work you can do in your template files while leaving your templates/fields uncomplicated.

I don't think Bootstrap has the equivalent of interchange, but I am sure there are plenty of jquery plugins out there that you could use, like response.js http://responsejs.com/
1 point
-
USE PROCESSWIRE’S API IN OTHER PHP APPS AND SHELL SCRIPTS
1 point
-
You can do this:

    $userid = $users->get("$userName")->id;
    $ps = $pages->find("created_users_id=$userid");
1 point
-
for devs easyphp project is also a great option but no vs! http://www.easyphp.org/
1 point
-
Individual images may not have a dedicated ID, but the page ID they belong to + the filename is always unique, so that's all you'd need. Of course, you could always manage pages-to-images on a 1-to-1 basis, but if you wanted to have a page with multiple images on it, each with their own URL, you could also enable URL segments for your template and output them like this:

    $filename = $input->urlSegmentStr;
    $image = $filename ? $page->images->get($filename) : null;
    if($image && $image instanceof Pageimage) {
        // output your image content
        echo "<img src='$image->url' alt='$image->description' />";
        echo "<p>$image->description</p>";
    } else {
        // output your regular content
        echo "<h1>$page->title</h1>$page->body";
    }

With regard to a likes system, is what you are looking for something similar to the likes system you see in our sites directory or the recommendations system in our modules directory (both are actually the same system). If so I can pass along a little more info on how that was done.
1 point
-
I was all the time waiting for posting only some seconds before you
1 point
-
Call me overly cautious, but I'd advise against self-managed VPS if this service needs to be highly secure and especially if you need a high level of availability.

Anyone can manage a server when things go smooth -- install updates, add a few rules to a firewall and tweak Apache/PHP/MySQL settings. The real question is how well can you handle things going wrong; someone attacking your server, hardware or software failures (hardware issues are still very real even in this age of cloud computing, I'm afraid), restoring corrupted data etc. What about availability requirements -- do you need high availability and 24/7/365 support.. and if, can you really provide and guarantee that?

A lot of time I'd recommend going with managed solution in one form or another rather than trying to do everything yourself. It depends a lot on the requirements and the nature of the service you're running, but the bottom line here is that unless you can guarantee that you're able to handle everything yourself, don't make any promises to the client you'll end up regretting.
1 point
-
@Joss Take a look at Semantic UI and UIKit
1 point
-
Hi Joss, Why not design it from scratch? I understand that BS and Foundation are fast starting points but don't they just complicate things by having to sift through all their code to work out what does what? Not to mention loading code you never use.

BTW on your Stony site there's a typo in the footer: Site Design ©2012 Stony Webistes
1 point
-
ProcessWire's API doesn't use SQL queries -- it uses selectors. SQL injection is a non-issue in ProcessWire. ProcessWire does not get involved with database abstraction layers, so if you are executing SQL queries then you are using PHP and MySQL (mysqli). You can always add your own database abstraction layers to do whatever you want. But typical usage of ProcessWire for developing a site does not involve SQL.

If you are using SQL for something and you want to stick with the DB driver PW is using (PHP's mysqli) then you eliminate SQL injection by either using prepared statements or escaping your strings before putting them in a query. Use it the way you are supposed to and SQL injection is a non issue.

Is it possible your company was asking about the security of the software itself? ProcessWire's own queries are well protected against SQL injection, of course. SQL injection is a problem of bad code. If one uses the database driver in the way it is supposed to be used, then you are never subject to SQL injection.

Btw, I don't know about what CakePHP is doing, but the whole idea of trying to protect the user from SQL injection (outside of the DB driver) sounds like a security problem in and of itself. We've seen this with PHP's magic quotes, which was meant to protect the user from SQL injection. Anything that tries to protect you from yourself ultimately encourages bad programming practices by making security a grey area. That fosters an environment where many think they don't have to sanitize and validate input, which becomes an even bigger security problem.
1 point