sanitization of textarea


Frank Vèssia
The entire code is:

<?php
require_once('../index.php');

// New "wallmessage" page for the text submitted from the form
$wallmessage = new Page();
$wallmessage->template = $wire->templates->get("wallmessage");

$userid = $wire->user->id;

// If this user has no "wall" page yet, create it under the user page;
// it is the parent of all of the user's messages
$find = $wire->pages->get($userid)->find("template=wall");
if (count($find) == 0) {
    $w = new Page();
    $w->template = $wire->templates->get("wall");
    $w->parent = $wire->pages->get($userid);
    $w->title = "Bacheca";
    $w->name = $w->title;
    $w->save();
}

// Parent of the message: the user's wall page (looked up by a fixed id here)
$wallmessage->parent = $wire->pages->get($userid)->child("id=1043");

// Title = first 20 characters of the text plus a random suffix to keep names unique;
// note that $_POST is read directly here (the cause of the \' problem discussed below)
$wallmessage->title = $wire->sanitizer->textarea(substr($_POST['wall'], 0, 20)) . rand(0, 1000);
$wallmessage->message = $wire->sanitizer->textarea($_POST['wall']);
$wallmessage->name = $wallmessage->title;
$wallmessage->save();
?>

There is nothing more than this code. I have a simple form with a textarea, and on submit I create a page as a child of the user in this way: user->wall->message. If a user doesn't have any message yet, I first create the main node, a wall page, which is the parent of all messages.

That's my form:

<form method="post" action="" class="form-stacked" id="wallform">
    <div class="clearfix">
        <label for="wall">Condividi i tuoi pensieri con tutti</label>
        <div class="input">
            <textarea name="wall" id="wall" rows="2" cols="100" style="width:500px"></textarea>
        </div>
    </div>
    <input type="submit" value="Pubblica" class="btn primary" id="submit" />
</form>

And this is the jQuery handler (because I don't refresh the page on submit):

$(document).ready(function() {

    // jQuery Validation plugin: the textarea is required
    $("#wallform").validate({
        debug: false,
        rules: {
            wall: "required"
        },
        messages: {
            wall: "Scrivi qualcosa da condividere"
        },
        // Submit via AJAX instead of reloading the page
        submitHandler: function(form) {
            $.post('/process/addwall.php', $("#wallform").serialize(), function(data) {
                // Reload the list of messages and clear the textarea
                $("#walllist").fadeOut("slow").load('/process/walldisplay.php?call=external').fadeIn('slow');
                $("#wall").val('');
            });
        }
    });

});

If I write something with the ' character, the system adds a \ => \'.

How can i save my text correctly?

The problem is that you are referencing $_POST directly, and your PHP must have magic_quotes enabled.

Your best bet is to use the $input->post var that ProcessWire provides, rather than $_POST, because PW checks for things like magic_quotes and accounts for them. Here is your example modified to use the $input->post rather than $_POST.

$wallmessage->message =  $wire->sanitizer->textarea($input->post->wall);

For post vars that you are going to typecast as integers or the like, it doesn't really matter whether you use $_POST or $input->post. But for anything with text in it, use $input->post because you won't have to worry about whether the PHP install has magic_quotes turned on.

The $input var also provides the same for GET and COOKIE vars as well, in addition to some other handy features. Here is more about it: http://processwire.com/api/variables/input/

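To make the magic_quotes behaviour concrete, here is an added PHP example; it is not ProcessWire's code and not code from the thread. The helpers readPostText() and sanitizeTextarea() are hypothetical: the first undoes magic_quotes_gpc escaping only when that setting is on (PHP 8 has neither the setting nor get_magic_quotes_gpc()), the second does a minimal textarea cleanup in the spirit of the sanitizer call above.

```php
<?php
// Added example, not ProcessWire code: readPostText() and sanitizeTextarea()
// are hypothetical helpers illustrating why raw $_POST cannot be trusted.

// Detect the legacy setting without breaking on PHP >= 8, where the function is gone.
function magicQuotesActive(): bool {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Return a POST field as the user typed it. With magic_quotes_gpc on, PHP
// prefixed quotes with backslashes, so l'amico arrived as l\'amico; stripslashes()
// reverses exactly that. With the setting off, stripping would destroy legitimate
// backslashes, so it must only happen when the setting is really on.
function readPostText(array $post, string $key, ?bool $magicQuotesOn = null): string {
    $value = isset($post[$key]) ? (string) $post[$key] : '';
    $magicQuotesOn = $magicQuotesOn ?? magicQuotesActive();
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Minimal textarea cleanup: drop HTML tags, normalize line endings, remove
// control characters other than newline and tab, trim, and cap the length.
function sanitizeTextarea(string $text, int $maxLength = 16384): string {
    $text = strip_tags($text);
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    $text = preg_replace('/[^\P{C}\n\t]/u', '', $text) ?? '';
    $text = trim($text);
    return mb_substr($text, 0, $maxLength);
}

// Constructed sample: what $_POST['wall'] looks like with magic_quotes_gpc on
// when the user typed:  l'amico <b>ciao</b>
$simulatedPost = ['wall' => "l\\'amico <b>ciao</b>\r\n"];

// Reading $_POST directly keeps the stray backslash the original poster saw
$raw = sanitizeTextarea($simulatedPost['wall']);

// Undoing the escaping first (forced on here to mimic the legacy install) restores the text
$fixed = sanitizeTextarea(readPostText($simulatedPost, 'wall', true));

echo "raw:   $raw\n";
echo "fixed: $fixed\n";
```

Running it shows the same string twice, once with the backslash left in and once without; on a current PHP install readPostText() with no third argument never strips anything, which is the behaviour you want.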
