sanitization of textarea

[Frank Vèssia]

I'm trying to save page via Api. I've added this code for managing a textarea.

$wallmessage->message =  $wire->sanitizer->textarea($_POST['wall']); 

If i write something with ' char the system add \ => \'.

How can i save my text correctly?

[Soma]

I can't reproduce this. It does work for me as expected.

Do you have more details on your DB charset setup and more code of what else is there? What PW version?

[Frank Vèssia]

the entire code is:

<?
require_once('../index.php');
$wallmessage = new Page();
$wallmessage->template =  $wire->templates->get("wallmessage");
$userid = $wire->user->id;
$find=$wire->pages->get("$userid")->find("template=wall");
if (count($find)==0){
$w = new Page();
$w->template =  $wire->templates->get("wall");
$w->parent = $wire->pages->get($userid);
$w->title = "Bacheca";
$w->name = $w->title;
$w->save();
}
$wallmessage->parent = $wire->pages->get($userid)->child("id=1043");

$wallmessage->title =    $wire->sanitizer->textarea(substr($_POST['wall'],0,20)).rand(0,1000);
$wallmessage->message =  $wire->sanitizer->textarea($_POST['wall']); 
$wallmessage->name = $wallmessage->title;
$wallmessage->save();
?>

[Soma]

Looks ok. But this alone doesn't help much, I still can't reproduce.

Not sure if something like $wallmessage->setOutputFormatting(false) could help here?

[Frank Vèssia]

there is nothing more than this code. I have a simple form with a textarea and on submit i create a page child of the user in this way user->wall->message.  If a user doesn't have any message, first i create the main node, a wall page, parent of all messages. 

That's my form:

<form method="post" action="" class="form-stacked" id="wallform">
    <div class="clearfix"><label for="wall">Condividi i tuoi pensieri con tutti</label>
               <div class="input">
                 <textarea name="wall" id="wall" rows="2" cols="100" style="width:500px"></textarea>
               </div>
           </div>
   <input type="submit" value="Pubblica" class="btn primary" id="submit" />
</form>

and this is the jquery handler (because i don't refresh the page on submit)

$(document).ready(function(){

$("#wallform").validate({
	debug: false,
	rules: {
		wall: "required"
	},
	messages: {
		wall: "Scrivi qualcosa da condividere",
	},
	submitHandler: function(form) {
		$.post('/process/addwall.php', $("#wallform").serialize(), function(data) {
		    $("#walllist").fadeOut("slow").load('/process/walldisplay.php?call=external').fadeIn('slow');
		    $("#wall").val(''); 
		});
	}
});

});

[Soma]

I assume in other cases it's working? DB setup is utf8_general_ci?

Could it be the serialize form jquery function escaping 's? Have you tried without jquery validate ajax?

[Frank Vèssia]

really strange, posting the form without jquery give me the same situation...The DB is correct utf8_general_ci

[ryan]

If i write something with ' char the system add \ => \'.

How can i save my text correctly?

The problem is that you are referencing $_POST directly, and your PHP must have magic_quotes enabled.

Your best bet is to use the $input->post var that ProcessWire provides, rather than $_POST, because PW checks for things like magic_quotes and accounts for them. Here is your example modified to use the $input->post rather than $_POST.

$wallmessage->message =  $wire->sanitizer->textarea($input->post->wall);

For post vars that you are going to typecast as integers or the like, it doesn't really matter whether you use $_POST or $input->post. But for anything with text in it, use $input->post because you won't have to worry about whether the PHP install has magic_quotes turned on.

The $input var also provides the same for GET and COOKIE vars as well, in addition to some other handy features. Here is more about it: http://processwire.com/api/variables/input/

[Frank Vèssia]

Oh thanks, yes i tried to use $input but since i'm outside the PW root i need to use $wire->input and not $input, that's was my mistake. Thanks

[ryan]

You can also do wire('input'). Same result, but in a function instead. The advantage of the function is that you can call it anywhere and $wire doesn't have to be in scope.