bwakad

sanitize what and how?

Searching the forum and reading the API... but I have not really seen a good explanation. I have the feeling that anything where people can input text needs to be sanitized. In some cases I see selectorValue, in other cases I see pageName. But most of the time I see text or textarea... I hope someone can explain.

For instance, let's assume I have this <select>, where in this case $field is "contract":

    echo "<select id='{$field}' name='{$field}'>
              <option value=''>Any</option>";
    // use a separate loop variable: reusing $field here would overwrite the
    // field name that was just used for the id/name attributes above
    foreach ($pages->get("/{$field}/")->children() as $option) {
        echo "<option value='{$option->name}'>{$option->title}</option>";
    }
    echo "</select>";

Normally, with an input field where people can enter text, upon submission you would do:

$member_page->contract = $sanitizer->text($input->post->contract);

With a textarea it would be:

$member_page->contract = $sanitizer->textarea($input->post->contract);

So, what about a dropdown <select>? It might be text, but it's not free input... do I need to sanitize?


As far as I'm aware, you only need to sanitize actual user input, like that typed into a textarea or a URL, etc., as they can basically type in whatever they wish. As your select boxes are predefined by you and can't be edited by your user, you don't need to sanitize it.

But someone feel free to correct me if I'm wrong.


> select boxes are predefined by you and can't be edited by your user...

Well, not by most users, but the users who might want to hack your site could easily build a request containing something nasty.


In this case, if you're serious about security, you would probably want to validate that the user input matches one of the select options. If the user input is not one of the select options, don't process the request. You can never assume that nobody is able to tamper with stuff, even if the options are seemingly predefined in your code.


But how would you do it with a dropdown value? I'm thinking that even the dropdown value is in fact text (if not using integers), or not?

$sanitizer->textarea

$sanitizer->text

$sanitizer->???


It depends on the type of value sent from the dropdown. If it is an integer, you typecast/sanitize it like so...

$cleanValue = (int) $input->post->name_of_select_value_field_sent; // note: the name of the dropdown input field!

If it is text, you sanitize it first...

$cleanValue = $sanitizer->text($input->post->name_of_select_value_field_sent); // this is the name of the input!

Then you check if $cleanValue is in your array of clean values...

if (in_array($cleanValue, $arrayCleanValues, true)) { // third argument: strict comparison, no loose type juggling
    // ... process the request
}
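An added example, not code from this thread, that puts the advice of the two replies above (validate against the options you rendered; sanitize to the expected type first, then check membership) into one piece of template code for the <select> from the first post. It assumes the option values are the names of the child pages of /contract/, that the form field is named contract, and that $member_page and the ProcessWire API variables ($pages, $sanitizer, $input, $session) are in scope; $allowed, $chosen and $valid are names chosen here.

```php
<?php namespace ProcessWire;
// Added example: allowlist validation for a <select> (not code from the thread).
// Assumes: option values are the names of the children of /contract/, the form
// field is named "contract", $member_page exists, and the API variables
// $pages, $sanitizer, $input and $session are in template scope.

$field = 'contract';

// 1. Rebuild the allowlist server-side from the same source that rendered the
//    <option> tags. Never trust the browser to have kept the list intact.
$allowed = [];
foreach ($pages->get("/{$field}/")->children() as $option) {
    $allowed[] = $option->name;           // matches <option value='{$option->name}'>
}

// 2. Sanitize to the type you expect. The values are page names, so pageName()
//    is the matching sanitizer; a legitimate value passes through unchanged.
$chosen = $sanitizer->pageName($input->post->$field);

// 3. Validate against the allowlist with strict comparison. '' is the
//    "Any" option from the form and is accepted as "no choice".
$valid = ($chosen === '') || in_array($chosen, $allowed, true);

if (!$valid) {
    // A value that was never offered means the request was forged or tampered
    // with; refuse it rather than "fixing" it silently.
    $session->error('Invalid selection for ' . $field);
} else {
    // Assign only after validation. The Fieldtype runs its own sanitizeValue()
    // when the value is set, but that is type coercion, not rule validation.
    $member_page->of(false);
    $member_page->$field = $chosen;
    $member_page->save($field);
}
```

The same pattern applies to radio buttons and checkboxes: the allowlist is whatever the server rendered, and the check is strict membership, not a text sanitizer alone.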
> So, what about a dropdown <select>? It might be text, but it's not free input... do I need to sanitize?

You should never trust form input. You can change values in a dropdown in the DOM inspector and submit those changes.


Thanks Martijn, I really have no experience (that I know of) with the DOM inspector, but I gladly take your word for it.

Looking at a form, most of the fields are:

<input type = text AND <input type = textarea.

The difference here is recognizable: $sanitizer->text AND $sanitizer->textarea

<option value = ....

Here, according to Kokondo's answer: $sanitizer->text (again)

So, to be clear, any field other than textarea is ALWAYS $sanitizer->text?

I just want to know this so as not to make mistakes.



I don't know who Kokondo is :D but you sanitize according to the values you want. There's sanitizing for URL-friendly names, for text, for emails, etc.

It's all documented here: http://processwire.com/api/variables/sanitizer/

The only thing you don't sanitize is passwords. BUT... you validate that they only contain characters you have predetermined... Otherwise, if you sanitize passwords, you might change them and your users may not be able to log in...

Yes, sorry about that. Typed your name, was thinking of the movie and then got it all wrong. lol

Okay, so again, it might be that I did not read correctly, but looking at the provided link I still do not see one that says USE ME!

Since a select is in fact a field: $sanitizer->fieldName($value) OR $sanitizer->name($value)

But then again, the value is a page name: $sanitizer->pageName($value)

And this one specifically says INPUT: $sanitizer->text($value) OR $sanitizer->textarea($value)

Then again, the pages are also considered to be part of url...

As you can see, with me the confusion is complete! And as Soma said one time, I'm a hard nut to crack... so please be patient.

If you want to use the values sent as...

  • an email value, use $sanitizer->email
  • a name for a ProcessWire page where you don't care if it has uppercase letters, use $sanitizer->name. Name is used to build your URL, so this will be my-Upper-Case-URL
  • a name for a ProcessWire page that is more friendly, use $sanitizer->pageName, so the URL will be my-lower-case-url
  • a valid selector value, use $sanitizer->selectorValue
  • a valid string for a ProcessWire page, use $sanitizer->text
  • etc.

Unless you are a developer (and even then this is rare) you will not need $sanitizer->fieldName or $sanitizer->selectorField.

Note, you are not limited to using the above according to my examples. For your own needs, you may want a string to be cleaned to remove dashes, etc. So, you can use $sanitizer->name in that case...

If the above still doesn't make sense...I'll eat my hat :-)


I actually got it. But was saying it, because we want to see Kongondo eat his hat...

On 6/10/2014 at 5:53 AM, kongondo said:

> Unless you are a developer (and even then this is rare) you will not need $sanitizer->fieldName or $sanitizer->selectorValue.

Does this mean that PW sanitizes all database queries on its own? And does that mean that, unless I'm implementing my own $db->query() logic, I don't need to sanitize to prevent this kind of lesson:

[image: exploits_of_a_mom.png]


@bmacnaughton. That's not what I meant. What I meant is that ProcessWire offers you a number of tools to sanitise values. Depending on whether you are a frontend developer vs, say, a module developer, you will probably be using a subset of tools more than another subset. In other words, at the end of the day all input should be sanitised; the tools you use will vary depending on the job at hand.

5 minutes ago, kongondo said:

> @bmacnaughton. That's not what I meant. What I meant is that ProcessWire offers you a number of tools to sanitise values. Depending on whether you are a frontend developer vs, say, a module developer, you will probably be using a subset of tools more than another subset. In other words, at the end of the day all input should be sanitised; the tools you use will vary depending on the job at hand.

Thanks - sanitizing input is important. But it's still not clear to me whether PW sanitizes database query input or not. I think it does, because otherwise every user would have to do so with every field that is stored. But most uses are sanitizing for specific types of data - email, field, page name, etc.

So PW does sanitize DB queries, yes?


Sanitization does not have much to do with queries per se. You sanitize user input, not the query. And to answer the question about automatisms: when editing a page, the fieldtypes of the fields add their own sanitization based on how things are set up (see Fieldtype::sanitizeValue and its child classes). Elsewhere nothing is automatically sanitized.

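An added example (not from the thread) to make the distinction in the reply above concrete: what the Fieldtype sanitizes for you when a value is set on a page, what a selector string does not protect against, and what raw SQL through $database needs. It assumes a member template with a text field named contract, the $member_page from the first post, and the API variables $input, $sanitizer, $pages and $database; the table name field_contract follows ProcessWire's field_<name> convention and is an assumption here, as is the sample attacker value in the comment.

```php
<?php namespace ProcessWire;
// Added example: where ProcessWire sanitizes for you and where it does not.
// Assumes a "member" template with a text field "contract", $member_page from
// the first post, and the API variables $input, $sanitizer, $pages, $database.

// Raw submitted value. Constructed attacker input for illustration could be
// a selector fragment such as:  x, include=all, template!=member
$raw = $input->post->contract;

// (a) Page field assignment. FieldtypeText::sanitizeValue() runs when the value
//     is set on the page, so what reaches the database matches the field's type.
//     That protects the schema, not your rules: still sanitize/validate first.
$member_page->of(false);
$member_page->contract = $sanitizer->text($raw);
$member_page->save('contract');

// (b) Selector strings. Nothing is sanitized here automatically. Interpolating
//     $raw lets the user append ", include=all" or change the operator.
//     selectorValue() quotes the value and strips selector syntax so it
//     stays a value and cannot become a new clause.
// $unsafe = $pages->find("template=member, contract=$raw");             // DON'T
$safe = $pages->find("template=member, contract=" . $sanitizer->selectorValue($raw));

// (c) Raw SQL through $database (a PDO wrapper). $sanitizer is not an SQL
//     escaper; use a prepared statement with a bound parameter instead.
$stmt = $database->prepare("SELECT pages_id FROM field_contract WHERE data = :v");
$stmt->bindValue(':v', $raw, \PDO::PARAM_STR);
$stmt->execute();
$ids = $stmt->fetchAll(\PDO::FETCH_COLUMN);
```

Note that (a) and (b) use different sanitizers for the same value because they answer different questions: text() asks "is this a plausible text field value", selectorValue() asks "can this be embedded in a selector without changing its meaning".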

Hello, I have a wizard and the radio group is always empty?
Am I doing something wrong?

This is the form example:
 

<div class='tab-pane' id='type'>
    <h5 class='info-text'>Which type of property would you like to have appraised?</h5>
    <div class='row'>
        <div class='col-sm-12  '>
            <div class='col-sm-3 col-xs-6 '>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Single/two-family house'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='lnr lnr-home'></i>
                        <p>Single-/two-family house</p>
                    </div>
                </div>
            </div>
            <div class='col-sm-3 col-xs-6 '>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Prefabricated / half-timbered house'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='ti-home'></i>
                        <p>Prefabricated / half-timbered house</p>
                    </div>
                </div>
            </div>
            <div class='col-sm-3 col-xs-6 '>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Semi-detached / terraced house'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='ti-home'></i>
                        <p>Semi-detached / terraced house</p>
                    </div>
                </div>
            </div>
            <div class='col-sm-3 col-xs-6'>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Plot of land'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='ti-package'></i>
                        <p>Plot of land</p>
                    </div>
                </div>
            </div>
        </div>
    </div>
</div>

This is my code to get the values:

$art = $sanitizer->text($input->post->imoart);

But it's always empty?

What am I doing wrong? Thanks
