Martin Muzatko

validate field using ___processField

Hello!

I'm trying to use the data I create in ProcessWire as much as possible.

So for a form, I try to use the field's description, name and also its built-in validation rules I defined in ProcessWire on the front-end (minlength, ranges, patterns, etc.).

I already looked into this tutorial, but it is using external resources to validate the form.

Since ProcessWire does all the heavy lifting when processing data, I don't have to sanitize anything - ___processInput should do the job just fine.

However, it is not actually working correctly. 

$fields = $templates->get('user')->fields;
$submission = $input->post;
foreach ($submission as $key => $value) {
    $field = $fields->{$key};
    if ($field instanceof Field) {
        $field = $field->getInputfield($user);
        $field->___processInput(new WireInputData([$key => $value]));
        var_dump($field->getErrors(true)); // retrieve validation error
    }
}

This works for some constraints, but the values are not correctly validated.

Example: 

[Image: postman.thumb.jpg]

All the fields are required and zip is an integer field.

Yet, I get no validation error for zip, although it was entered as a string, and not an integer. Funny enough: if I provide a number outside the range, I get "Specified value 2 removed because it is out of bounds (min=1000, max=99999)".
firstname will not return any error for being a required field.

From what I have seen looking through the source code, there is no check for "required". Some fields only validate on setAttribute. Am I missing anything or am I doomed to build my own validation process?

Thank you in advance!

Best,
Martin


I've read a lot into this tutorial, which uses the built-in validation:

Thank you a lot for that @Soma!

Although, CSRF does not work correctly, so I read through this topic here: 

But I can't find a clue as to why this fails when AJAX-posting to my form.

 


@matjazp I'm not sure. I made it work now with the following:

 

$data = new WireInputData([
    'email' => $input->post->email,
    'username' => $input->post->username,
    'species' => $input->post->species,
    'firstname' => $input->post->firstname,
    'lastname' => $input->post->lastname,
    'password' => $input->post->password,
    'password_repeat' => $input->post->password_repeat,
    'street' => $input->post->street,
    'zip' => $input->post->zip,
    'city' => $input->post->city,
    'country' => $input->post->country,
    'birthday' => $input->post->birthday
]);

$token = $session->CSRF->getTokenName();
$data->$token = $session->CSRF->getTokenValue();

$post = $input->post;
$post->setArray(array_merge($data->getArray(), $post->getArray()));

 

3 hours ago, Martin Muzatko said:

$token = $session->CSRF->getTokenName(); 
$data->$token = $session->CSRF->getTokenValue();

 

You shouldn't use the actual token value you get from the session; you must use the value from the guest. The whole premise of CSRF (cross-site request forgery) protection is to detect requests with invalid/missing tokens, so you know they originated from a form on your site.

If you don't use the posted value (a field starting with TOKEN in $input->post and its value that is sent with the request) you're practically removing CSRF protection altogether.

  • Like 2
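
The point made in the reply above, as an added example that is not part of the original posts: a stand-alone PHP model of a token check, with plain arrays standing in for the session and the POST body. All function names are hypothetical and none of this is ProcessWire code.

```php
<?php
// Added example: a stand-alone model of the token check, not ProcessWire code.
// $session and $post are plain arrays standing in for the session store and
// the request body; every function name here is hypothetical.

function issueToken(array &$session): array {
    // One random name/value pair per session, as rendered into the form.
    $session['csrf_name']  = 'TOKEN' . random_int(100000, 999999);
    $session['csrf_value'] = bin2hex(random_bytes(32));
    return [$session['csrf_name'], $session['csrf_value']];
}

function hasValidToken(array $session, array $post): bool {
    // Compare what the CLIENT sent against what the session holds.
    $sent = $post[$session['csrf_name']] ?? '';
    return is_string($sent) && hash_equals($session['csrf_value'], $sent);
}

function handleBroken(array $session, array $post): bool {
    // Pattern from the thread: the handler copies the session token into the
    // submitted data, so the check compares the token with itself.
    $post[$session['csrf_name']] = $session['csrf_value'];
    return hasValidToken($session, $post);
}

function handleCorrect(array $session, array $post): bool {
    // Posted data is checked exactly as it was received.
    return hasValidToken($session, $post);
}

$session = [];
[$name, $value] = issueToken($session);

// Constructed sample requests.
$requests = [
    'own form (token echoed back)' => ['zip' => '1010', $name => $value],
    'cross-site post (no token)'   => ['zip' => '1010'],
    'cross-site post (bad token)'  => ['zip' => '1010', $name => 'guess'],
];

foreach ($requests as $label => $post) {
    printf("%-30s broken=%-7s correct=%s\n", $label,
        handleBroken($session, $post) ? 'accept' : 'reject',
        handleCorrect($session, $post) ? 'accept' : 'reject');
}
```

In ProcessWire the comparison against the submitted field is made by `$session->CSRF->hasValidToken()`, so the handler only has to leave `$input->post` as it arrived.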
