
pine3ree

Everything posted by pine3ree

  1. @LostKobrakai Hello, I don't even consider shared hosting without access outside the web-root. :-) Most of the companies I have experience with provide cpanel and offer a high level of customization for php version and for enabling/disabling php modules (even if I am more a vps+terminal/console admin kind of guy). ...but I agree, it's not a high priority feature and it's targeted especially at developers. Most cms/cmf software puts everything inside the web-root also because the installation process is much simpler and direct for less experienced users. kind regards
  2. @strandoo same (no issues) here...using pw 3 + php 7.0 with page load times from 27 to 66 ms and memory usage ranging from 2 to 4 MB. Can You give some details (number of db queries, number of fields, templates, pages, installed modules)? I also suggest trying a clean basic-profile install and seeing if the issue disappears. Then enable 1 module at a time and see what happens, using a second browser (or a private navigation window) for visiting as guest user. kind regards.
  3. @LostKobrakai Hello, I (respectfully) do not completely agree on that. .htaccess rules are implemented and enforced by the web-server. If there is a security hole in a particular version of the webserver, that is reflected onto the website. .htaccess rules do not always work as expected, especially if you are not the one controlling the web-server config (VPS setups or own server). More than one time I had issues with shared hosting. Even directory access protection (basic http auth) stopped working due to global rules invalidating/discarding some of my .htaccess rules that have been working (and still are) for years. And I am not talking about small hosting companies, but big and respectable/respected companies. .htaccess rules are a further layer of security you depend on; not relying completely on it can be considered an improvement. Thus I always prefer having everything ("upload" folder included) outside the web doc-root, excluding the front script (index.php) and the static assets (or symbolic links to them). I also like to have a customizable directory structure to make things more difficult to guess for attackers. When possible (this does not depend on the cms/framework) I also like restricting php execution to the front script. Over the years (since year 2000 :-)) I've seen many kinds of attacks, circumventing well programmed form handlers and uploading code as fake images. So in my opinion having only 1 php file and read-only static assets inside the webroot makes it a lot more difficult for bad guys. It's a feature that I'd like to see in PW and that I asked Ryan about a while ago. kind regards.
  4. Hello MrSnoozles, in Processwire template files are not actually templates and You can actually use them as controllers (see the "delayed approach" in pw tutorials). In template files You can manage the request ($input), build forms (InputfieldForm module instances) and assign variables which are later used in the included view file(s). (btw, I use the ".phtml" extension for my views/partials to distinguish them from template/controller files ".php"). If you have ever worked with Silverstripe you can actually think of template file code as Silverstripe's Page_Controller classes' method code. You can leverage pw's urlSegment feature to add sub-routes for the current page/template. If you have a contact-page template (/contact-us/) You can use a "submit" segment ($input->urlSegment(1)) and use "/contact-us/submit" as the form action, the same way You can add any route segment in a Silverstripe (Page_)Controller class. I don't find it useful to add code used only by the "contact-page" template in a global function inside (_func.php). As in the Silverstripe cmf, the segment approach has the advantage that it continues to work even if you change the url (name) of the page using that template. Think of template files as controllers: while in other frameworks you have to assign controllers to routes, in PW a route (Page path/url) is automatically linked to a particular controller (template) by the fact that the Page with that route is using that template. kind regards, maks feltrin
  5. The simpler solution is to always use: setlocale(LC_NUMERIC, 'C') after setting LC_ALL to a custom locale. This helps avoid a lot of issues, as LC_NUMERIC tells the code parser how to output numeric expressions. For instance with: setlocale(LC_ALL, 'it_IT.UTF-8'); 1.234 will be written as 1,234 when used as a string, like in string concatenation (as in db query builders). But databases and most other data endpoints still expect 1.234 for decimals. It is always better to use LC_NUMERIC 'C' and call numeric/monetary output formatting helpers explicitly in templates.
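The locale effect described in the post, as an added example that is not part of the original thread. It assumes the it_IT.UTF-8 locale is installed on the machine, and the SQL fragment is a constructed illustration (real code should bind values with PDO rather than concatenate them). One fact worth knowing when reading the output: since PHP 8.0 the float-to-string cast is locale-independent, so the "1,234" concatenation result appears on PHP 7.x; the explicit formatting and parsing calls apply on every version.

```php
<?php
declare(strict_types=1);
// Added example, not from the forum post. Shows how LC_NUMERIC leaks into string
// conversion on PHP 7.x and how pinning LC_NUMERIC to 'C' keeps values canonical.
// Assumes the it_IT.UTF-8 locale is installed (setlocale() returns false otherwise).

function queryFragment(float $price): string
{
    // Constructed SQL fragment; in real code bind the value with PDO instead.
    // Whatever the current LC_NUMERIC says becomes part of the query text.
    return 'price = ' . $price;
}

function displayPrice(float $price): string
{
    // Localized output is requested explicitly, exactly where it is displayed,
    // instead of being a side effect of the process-wide locale.
    return number_format($price, 3, ',', '.');
}

function parseUserDecimal(string $userInput): float
{
    // Input typed by an Italian user ("1,234") is converted explicitly as well;
    // (float) alone would stop at the comma.
    return (float) str_replace(',', '.', trim($userInput));
}

$price = 1.234;

// A site might set LC_ALL for localized dates and currency names.
$applied = setlocale(LC_ALL, 'it_IT.UTF-8', 'it_IT.utf8');
if ($applied === false) {
    fwrite(STDERR, "it_IT locale not installed, cannot demonstrate\n");
    exit(1);
}
// On PHP 7.x the decimal separator in the fragment now follows LC_NUMERIC;
// on PHP >= 8.0 the cast is locale-independent and the separator stays a dot.
echo 'LC_ALL=it_IT   -> ', queryFragment($price), PHP_EOL;

// Only numeric conversion reverts to 'C'; LC_TIME, LC_MONETARY etc. stay Italian.
setlocale(LC_NUMERIC, 'C');
echo 'LC_NUMERIC=C   -> ', queryFragment($price), PHP_EOL;

// Localized rendering and parsing are still available, as deliberate calls.
echo 'display        -> ', displayPrice($price), PHP_EOL;
echo 'parsed "1,234" -> ', queryFragment(parseUserDecimal('1,234')), PHP_EOL;
```

Running it on a PHP 7.x CLI with the locale installed makes the first line differ from the second; on PHP 8 they agree, but the explicit `setlocale(LC_NUMERIC, 'C')` is still the safe habit for code that has to run on both.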
  6. Thank You, hope you enjoyed your vacation. It was a real quick port I needed up and running. I'm sure that you - not being new at pw as I am - will be able to port the idea in a better and more elegant way into your more known and tested module. kindly
  7. Hello forum, a newbie question: having a multilingual setup, /sitemap.xml would be redirected to /en/sitemap.xml if the language name is enabled for the default language (english in this example). I don't want to use the existing module because I don't want it loaded on each request and because I need more customization. So I decided to use the home page with urlSegments on, intercepting urlSegment(1) == 'sitemap.xml' only for the default language. Are there any cons in using urlSegments in the home page other than the need to render the 404 error page for any other urlSegment? kind regards
  8. Hello Niko, I quickly ported the wp shortcodes parser I made for Silverstripe 3.1 to this: https://github.com/pine3ree/MarkupWPShortcodes Of course, being a port of the same library, it's quite similar to yours. The module loads a default (*) definition file if found. You also have a public load($fullPath) to load files other than the default in templates. Or you can just use the add method. (*) I am in a hurry for a project so I didn't make it configurable, but that's easy to add. Inside the definition files, since they are included inside the class, you add shortcodes like this:

       $this->add('test1', function ($atts) {
           echo '<h3>This is a test shortcode with tag=test1</h3>';
       });

     In a template you can call:

       $shortcodes->load($config->paths->templates . '/shortcodes/extra.inc');

     to add custom definitions for that template, or simply, like your module:

       $shortcodes->add('test2', function ($atts) {
           echo '<h3>This is a test shortcode with tag=test2</h3>';
       });

     Let me know if you have other suggestions to make it better, kind regards
  9. SHORTCODE DEFINITIONS FILE INCLUSION: Hello Niko, I was thinking....
     - we could define a standard or configurable location for the shortcode definition file.
     - we could add an initialized property for the module.
     - when $shortcode->initialized == false we force the shortcode to load the definition file and set $shortcode->initialized = true.
     We check for initialized inside the render method; if not, we load the file, so if we don't need shortcode rendering in a page render we avoid loading the definition file. Use case (let's assume we want to parse the body field):

       if ($body = $page->body) {
           echo $shortcode->render($body);
       }

     If !$body, the definition file would not be loaded. What do you think? (in silverstripe 3.1 I ported the wp shortcode parser and the callback definitions were actually static methods in a static class) kind regards
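The add/load API from post 8 and the lazy definition-file loading proposed in post 9, combined in one added example. This is not the MarkupWPShortcodes module or any ProcessWire code: the class name, the shortcode grammar it accepts and the default file path are assumptions, and the body text is constructed.

```php
<?php
declare(strict_types=1);
// Added example (not the MarkupWPShortcodes module): a small WordPress-style
// shortcode registry whose definition file is included only on the first render.
// Class name, grammar and the 'shortcodes/default.inc' path are assumptions.

final class LazyShortcodes
{
    /** @var array<string, callable> tag => fn(array $atts, ?string $content): string */
    private array $handlers = [];
    private bool $initialized = false;

    public function __construct(private ?string $definitionFile = null) {}

    public function add(string $tag, callable $handler): void
    {
        $this->handlers[strtolower($tag)] = $handler;
    }

    /** Include a definition file; inside it $this is this registry, so it can call $this->add(). */
    public function load(string $fullPath): void
    {
        if (is_file($fullPath)) {
            include $fullPath;
        }
    }

    public function render(string $text): string
    {
        // Pages that never render a shortcode never pay for the include.
        if (!$this->initialized) {
            $this->initialized = true;
            if ($this->definitionFile !== null) {
                $this->load($this->definitionFile);
            }
        }
        // Accepts [tag key="value" flag] and [tag key="value"]content[/tag].
        $pattern = '/\[(\w+)((?:\s+\w+(?:="[^"]*")?)*)\s*\](?:(.*?)\[\/\1\])?/s';
        $out = preg_replace_callback($pattern, function (array $m): string {
            $tag = strtolower($m[1]);
            if (!isset($this->handlers[$tag])) {
                return $m[0]; // unknown tag: leave the editor's text untouched
            }
            return (string) ($this->handlers[$tag])($this->parseAtts($m[2]), $m[3] ?? null);
        }, $text);
        return $out ?? $text;
    }

    /** @return array<string, string|true> attribute name => value, or true for bare flags */
    private function parseAtts(string $raw): array
    {
        $atts = [];
        preg_match_all('/(\w+)(?:="([^"]*)")?/', $raw, $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $atts[strtolower($p[1])] = $p[2] ?? true;
        }
        return $atts;
    }
}

// Usage with constructed content. Handlers return markup instead of echoing it,
// and escape attribute values, which come from whoever edits the body field.
$shortcodes = new LazyShortcodes(__DIR__ . '/shortcodes/default.inc');
$shortcodes->add('test1', fn(array $atts) => '<h3>This is a test shortcode with tag=test1</h3>');
$shortcodes->add('button', fn(array $atts, ?string $content) =>
    '<a class="btn" href="' . htmlspecialchars((string) ($atts['href'] ?? '#'), ENT_QUOTES) . '">'
    . htmlspecialchars($content ?? 'Go', ENT_QUOTES) . '</a>');

$body = 'Intro [test1] then [button href="/contact"]Contact us[/button] and [unknown x="1"].';
echo $shortcodes->render($body), PHP_EOL;
```

The regex is deliberately simple (no nesting, no single-quoted attributes), which is enough to show the lazy-load point; the escaping in the handlers is the part that matters when the body field is editable by non-admin roles.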
  10. I understand this is a very old question... if $page is available wherever you define the shortcode closure: $shortcode->add('foo', function ($atts) use ($page) { // NOW I CAN USE $page here! }); but of course, wire() makes all the pw api vars available to you.
  11. Hello Soma, forgive my (maybe idiotic) question, but I'm still new at PW and so I would like to report why the module isn't working for me. I had a 500 server error; checking the logs I saw a notice explaining that the constant PHP_TUSAGE was already defined, then I remembered... I use $page to implement widgets and to render a widget in a widget group I foreach-loop it and call $widget->render() on each widget page, so that they use their own simple no-header/no-footer template files => this of course makes more than 1 call to ChromePhpLogger::startDebug(). Could it be possible to move start/stop debug elsewhere? I have recently used debugbar in pw, but in my case I added (under the $config->debug+superuser condition) manually in my common header/footer what was needed to make it work. kindly
  12. Hello LostKobrakai, I think this is an old objection, I mean it could be a valid one back in 2004~2005. Nowadays, I cannot think about websites working w/o javascript. When I started developing for the web I initially was against js dependency, but today we build entire apps relying on js. TV menus are built using js frameworks. So I think everyone can assume javascript is always enabled, and if it's not you add a noscript warning message close to the header. kindly
  13. This is the hp solution that i prefer using. To be more safe the autofilled value should be related to the session, like a javascript enabled csrf field. Otherwise if the value is constant, and someone wants to target the form it will just be a matter of adding a field with a predefined value (in this case just not empty).
  14. I completely agree, there is no standard safe way to protect form handlers from faked submission requests. So it's good to hear different opinions and have different solutions to choose from. Sharing experiences (good and bad) makes everyone better. As for me, in the last 6 months I moved from difficult captchas to a combination of simpler captchas + a hp field. kind regards
  15. Well, respectfully, I don't agree. Let me explain why. A common contact form usually consists of 4-5 fields. Add a honeypot field. That makes 5-6. An intelligent (does it exist?) bot will just need to send 5-6 submissions, each one with a different empty field, to override the honeypot protection. I think we are expecting spambots to do that very soon as a rule. But the problem is if someone targets your forms. Sending automatic annoying (but valid) requests with an empty honeypot field is easy to do. If the contact form sends an email to the site owner and possibly 1 to the requester if a mandatory contact email field exists, we'll have 2 mail messages per fake request. And consider the consequences on mail servers and spam ip blockers. So I've always felt safer having also a little captcha telling humans apart. It doesn't need to be recaptchas...1-2 years ago it was almost impossible to get them right at the first try. While working with php/perl, I was the administrator of mail/web/db freebsd servers for more than 10 years. When I had problems with spam, 80% of the time it originated from web hosts...so better stop the issue as soon as possible in the chain. Also the problem is not related to pw or this/that cmf/cms or even php. It exists whenever a form submission involves sensitive operations on the server side. kindly
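Post 13 asks for a honeypot value tied to the session rather than a constant, and post 15 points out that a bot can simply leave every candidate field empty and that even "valid" fake requests cost two mails each. The following added example (not from either post, and not ProcessWire code; it uses plain PHP sessions so it runs anywhere) layers those ideas: a CSRF token, a session-bound value that only JavaScript fills in, a honeypot whose field name differs per session, and a per-session submission cap. The field names, the 10-minute window and the limit of 3 are constructed choices, and none of this replaces the captcha the posts argue for.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): layered checks for a contact-form handler
// on plain PHP sessions. Field names, the 600 s window and the cap of 3 are
// constructed values; in ProcessWire $session->set()/get() would hold the same data.

session_start();

/** Per-session secrets, created once and reused for the session's lifetime. */
function formSecrets(): array
{
    if (empty($_SESSION['form'])) {
        $_SESSION['form'] = [
            'csrf' => bin2hex(random_bytes(16)),       // classic anti-CSRF token
            'js'   => bin2hex(random_bytes(16)),       // value JavaScript copies into a hidden field
            'hp'   => 'f_' . bin2hex(random_bytes(4)), // honeypot field name, different per session
            'sent' => [],                              // timestamps of accepted submissions
        ];
    }
    return $_SESSION['form'];
}

/** Hidden fields to print inside the <form>; tokens are hex, so no escaping is needed. */
function renderFormFields(): string
{
    $s = formSecrets();
    return
        '<input type="hidden" name="csrf" value="' . $s['csrf'] . '">' .
        // filled by the script below; stays empty for clients that skip JavaScript
        '<input type="hidden" name="js_token" id="js-token" value="">' .
        '<script>document.getElementById("js-token").value=' . json_encode($s['js']) . ';</script>' .
        // honeypot: moved off-screen for humans, must come back empty
        '<div style="position:absolute;left:-9999px" aria-hidden="true">' .
        '<input type="text" name="' . $s['hp'] . '" tabindex="-1" autocomplete="off"></div>';
}

/** @return string[] rejection reasons; an empty array means the submission passed */
function checkSubmission(array $post, int $now): array
{
    $s = formSecrets();
    $errors = [];
    if (!hash_equals($s['csrf'], (string) ($post['csrf'] ?? ''))) {
        $errors[] = 'csrf token mismatch';
    }
    if (!hash_equals($s['js'], (string) ($post['js_token'] ?? ''))) {
        $errors[] = 'session-bound JavaScript token missing or wrong';
    }
    if ((string) ($post[$s['hp']] ?? '') !== '') {
        $errors[] = 'honeypot field was filled';
    }
    // Requests that pass every check are still capped per session, which bounds the
    // number of mails one client can trigger even when it has learned the tokens.
    $recent = array_filter($s['sent'], fn(int $t): bool => $t > $now - 600);
    if (count($recent) >= 3) {
        $errors[] = 'too many submissions from this session';
    }
    if ($errors === []) {
        $recent[] = $now;
        $_SESSION['form']['sent'] = array_values($recent);
    }
    return $errors;
}

// Request handling: render on GET, check on POST, log rejections for monitoring.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = checkSubmission($_POST, time());
    if ($errors !== []) {
        error_log('contact form rejected: ' . implode('; ', $errors));
        http_response_code(400);
        exit('Submission rejected.');
    }
    // ... send the mail here
    exit('Thank you.');
}
echo '<form method="post">', renderFormFields(), '<button>Send</button></form>';
```

The honeypot name rotates per session, so the "submit once per field, each time with a different one empty" probing from post 15 has to be redone for every session, and the JavaScript token is the session-related autofilled value post 13 asks for. Logging the rejection reason is what lets you later tell a targeted attack from ordinary bot noise.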
  16. Inputfield{Type} VALIDATION / sanitizer BEHAVIOUR
     I used a few form builder components in various frameworks and cmfs. My preference is undoubtedly for ZF2 zend-form zend(-filter|-input-filter|-validator) and I use it in PW frontend sites also. Since PW has its own form components used in the admin area I use them in my recent projects. There are a couple of things I think should be modified, I'll explain with an example. I have a contact form which provides an email field InputfieldEmail and a message field InputfieldTextarea with maxlength=1024. When I process the form the internal validator/sanitizer empties the email field if not valid and trims the textarea field if longer than 1024 chars. In my form I'd like to always use $field->value as the value attribute, but of course if I want to show the submitted data to the user even if not valid I would end up with an empty email field and a shorter message. I think that most common errors in emails are single characters, so the user would benefit from having the email field show the wrong submitted data. The same goes for the message field. Maybe the user decides that the trimmed part was the most important part and the one to be sent. Of course, simply using $input I show the original data on form error, but I would like to have the data derived from $field->value as some other cleanup is done in the field (as stripTags for instance). For instance in InputfieldEmail I think it could be better using the sanitizer to check for a valid email and add the error for an invalid email, but also returning the original value on error. What's your opinion? kind regards
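The behaviour asked for in this post, as an added example that is not ProcessWire's Inputfield code: a field object that keeps the raw submission for redisplay while exposing a separately sanitized value for processing, so a one-character typo in an e-mail address is shown back to the user instead of a blank field. The class and method names are assumptions, and the submitted values are constructed. The point a practitioner should not miss is in valueAttr(): the raw value is untrusted, so redisplaying it is only safe with output escaping.

```php
<?php
declare(strict_types=1);
// Added example (not ProcessWire code). A submitted field keeps its raw input for
// redisplay and a separate cleaned value for processing; names are assumptions.

final class SubmittedField
{
    private ?string $clean = null;
    private ?string $error = null;

    private function __construct(private string $name, private string $raw) {}

    /** E-mail: validate the trimmed input; on failure keep the raw text and record an error. */
    public static function email(string $name, string $raw): self
    {
        $f = new self($name, $raw);
        $trimmed = trim($raw);
        if (filter_var($trimmed, FILTER_VALIDATE_EMAIL) === false) {
            $f->error = 'Please check the e-mail address.';
        } else {
            $f->clean = $trimmed;
        }
        return $f;
    }

    /** Textarea: strip tags, then reject (rather than silently cut) text over the limit. */
    public static function text(string $name, string $raw, int $maxLength): self
    {
        $f = new self($name, $raw);
        $stripped = strip_tags($raw);
        $len = mb_strlen($stripped);
        if ($len > $maxLength) {
            $f->error = sprintf('The message is %d characters, the maximum is %d.', $len, $maxLength);
        } else {
            $f->clean = $stripped;
        }
        return $f;
    }

    public function name(): string { return $this->name; }
    public function isValid(): bool { return $this->error === null; }
    public function error(): ?string { return $this->error; }

    /** Value for server-side use; null until validation has passed. */
    public function value(): ?string { return $this->clean; }

    /** Value attribute for redisplay: the raw input, escaped because it is untrusted. */
    public function valueAttr(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    public function renderInput(string $type = 'text'): string
    {
        return sprintf('<input type="%s" name="%s" value="%s">', $type, $this->name(), $this->valueAttr());
    }
}

// Constructed submission: a one-character typo in the address and an over-long message.
$email   = SubmittedField::email('email', 'someone@example,com');
$message = SubmittedField::text('message', str_repeat('x', 1030), 1024);

foreach ([$email, $message] as $field) {
    echo $field->name(), ': ', $field->isValid() ? 'ok' : $field->error(), PHP_EOL;
}
// The redisplayed input still carries the user's original text, escaped.
echo $email->renderInput('email'), PHP_EOL;
```

Keeping raw and clean values apart also removes the temptation to feed the raw value into the mail or the database by accident: only value() is ever non-null there, and only after validation passed.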
  17. Hello @*Most Powerful Pony!*, implementing a captcha field is quite simple in PW. A captcha field basically needs to validate against a randomly generated value stored in a session. The value changes on every new captcha image generation.

     1) For the matching part you can extend InputfieldText (in the same way InputfieldEmail is built) to add a string match validator, but I wouldn't bother. I use a std InputfieldText and check the value when processing the form against a session value.

     2) Image / security code generation: there are so many opensource classes you can use:
     - http://code.google.com/p/cool-php-captcha/
     - https://github.com/Gregwar/Captcha
     - https://code.google.com/p/euphoric-form/source/browse/spam.php
     to name a few simple-to-use examples. What you need to do is create a new file (my-captcha-generator-file.php) which serves as image generator (it will output the raw image). In this file you include the file of your preferred captcha generator class and add a line (before the image output) to store the newly generated security code:

       $session->captcha_code = $myCaptchaClassInstance->getTheCode(); // usually captcha generators have a method to get the generated code

     Now the image is sent to the browser through an img tag whose src url needs to be created by us. Basically:

       <img id="captcha-image" src="{image-generator-url-here}">

     The {image-generator-url-here} must be a service that just returns the raw image. We already have the file which outputs the raw image. To make it do that through a url I use this simple method: suppose we are building a contact form in a contact-page whose url is "/contact". !!The "contact-page" template needs to have urlSegments enabled!!
     I will use the url /contact/captcha as the captcha generator service url. In your "contact-page.php" template file check for the first segment:

       $action = $sanitizer->name($input->urlSegment(0));
       if ($action === 'captcha') {
           include 'my-captcha-generator-file.php'; // this outputs the raw image
           exit; // output the raw image and exit
       }

     so that your img src can be written as:

       <img id="captcha-image" src="<?php echo rtrim($page->url, '/'); ?>/captcha" alt="">

     Now you just need to process the form and check the captcha field value against $session->captcha_code.

     Last considerations: if you want the url /contact/captcha not to be public, just check for $config->ajax and use an empty img src (or better a placeholder image)

       <img id="captcha-image" src="{placeholder}" alt="">

     and change the source on $(document).ready(...) using a javascript ajax call. To regenerate the captcha w/o page reload using a button with html id="action-refresh-captcha":

       jQuery(function($) {
           $('#action-refresh-captcha').on('click', function(e) {
               var ms = (new Date()).getTime();
               var src = '<?php echo rtrim($page->url, '/'); ?>/captcha?t=' + ms;
               $('#captcha-image').attr('src', src);
               e.preventDefault();
           });
       });

     We just add a timestamp to force the browser to refresh the image src; in other words, "touching" the captcha generator url again by changing the img src html attribute will create a new security code stored in the session and the corresponding raw image.
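The urlSegment routing and session check from the post, carried through as an added example that is not pine3ree's code. It uses ProcessWire's $input, $session, $sanitizer and $page API variables in a template file with urlSegments enabled and reads the first segment with urlSegment(1), which is how the PW docs index segments; generateCaptchaCode() and the GD-drawn image are assumptions standing in for one of the captcha libraries the post lists (plain imagestring() text is easy for OCR, so it is a placeholder, not a recommendation). What it adds to the post is the handling of the stored code: a CSPRNG-generated value, a no-store header on the image, a constant-time comparison, a single-use code that is removed before the result is known, and an expiry.

```php
<?php
// contact-page.php (template file with urlSegments enabled). Added example, not the
// post author's code. $input, $session, $sanitizer and $page are ProcessWire API vars;
// generateCaptchaCode() and the GD placeholder image are assumptions.

function generateCaptchaCode(int $length = 6): string
{
    // Alphabet without look-alike glyphs (0/O, 1/I/L); random_int() is CSPRNG-backed.
    $alphabet = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// 1) Sub-route /contact/captcha: store a fresh code, then serve the image and exit.
if ($sanitizer->name($input->urlSegment(1)) === 'captcha') {
    $code = generateCaptchaCode();
    $session->set('captcha_code', $code);
    $session->set('captcha_time', time());

    header('Content-Type: image/png');
    header('Cache-Control: no-store');   // the browser must never reuse an old image
    // Placeholder renderer; swap in a real captcha library's output here.
    $img = imagecreatetruecolor(160, 50);
    imagefill($img, 0, 0, imagecolorallocate($img, 245, 245, 245));
    imagestring($img, 5, 20, 17, $code, imagecolorallocate($img, 40, 40, 40));
    imagepng($img);
    imagedestroy($img);
    exit;
}

// 2) Form processing: compare once, and discard the code before the outcome is known,
//    so a wrong or correct guess can never be replayed against the same code.
$captchaError = null;
if ($input->post('submit')) {
    $expected = (string) $session->get('captcha_code');
    $issued   = (int) $session->get('captcha_time');
    $given    = strtoupper(trim((string) $input->post('captcha')));
    $session->remove('captcha_code');
    $session->remove('captcha_time');

    if ($expected === '' || !hash_equals($expected, $given)) {
        $captchaError = 'The security code did not match.';
    } elseif (time() - $issued > 600) {
        $captchaError = 'The security code expired, please request a new one.';
    }
    // ... when $captchaError is null, handle the rest of the form here
}
?>
<?php if ($captchaError): ?><p class="error"><?php echo $captchaError; ?></p><?php endif; ?>
<form method="post">
  <img id="captcha-image" src="<?php echo rtrim($page->url, '/'); ?>/captcha?t=<?php echo time(); ?>" alt="">
  <input type="text" name="captcha" autocomplete="off">
  <button name="submit" value="1">Send</button>
</form>
```

The refresh button from the post works unchanged with this route: every new request to /contact/captcha overwrites captcha_code in the session, so only the most recently shown image is valid.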
  18. Thank You Martijn....yes I'm working on my 1st site with pw (after so many years with SS) and I noticed Ryan's addition before getting back here. The only addition left is the icons in the actions replacing the text and the mere possibility of using larger (fa-lg (+ fa-fw)) icons without touching the default admin styles, but let's hope Ryan adds this little feature too, so I'll get rid of my 1st module as soon as possible. Don't bother trying it....what you get is exactly what you see in the screenshot, and as you can see I didn't even bother to send it to the pw web site module section. Sorry for your HD...if it's an SSD (I guess, being a new mac) it would be the first time I heard of one crashing...and that makes me tremble too. If it's not, consider buying one..it really changes your life and the time you save from waiting will repay you soon enough. kind regards to everyone.
  19. Hello Martijn, I did something similar as my first attempt at a pw module. Now I discovered yours. My module adds icons to the page actions (requires pw-dev labeled 2.4.4) and does not add js. It's a very quick and dirty module which uses the font icons of the wire core. Please check it out on github and let me know if it can be useful to anyone except me. https://github.com/pine3ree/AdminPageIcons kind regards, PS the pw project leader and this community are the kindest I ever found in web development.
  20. what about implementing the closure table pattern for specific templates and only for branches/leaves sharing the same template, as in trees of categories?