bwakad, June 9, 2014:

Searching the forum, and reading the API... but I have not really seen a good explanation. I have the feeling anything where people can input text needs to be sanitized. In some cases I see selectorValue, in other cases I see pageName. But most of the time I see text, or textarea... I hope someone can explain.

For instance, let's assume I have this <select>, where in this case $field is "contract":

    echo "<select id='{$field}' name='{$field}'> <option value=''>Any</option>";
    // separate loop variable so $field (the field name, "contract") is not shadowed
    foreach($pages->get("/{$field}/")->children() as $child) {
        echo "<option value='{$child->name}'>{$child->title} </option>";
    }
    echo "</select>";

Normally with an input field where people can enter text, upon submission you would do:

    $member_page->contract = $sanitizer->text($input->post->contract);

With a textarea it would be:

    $member_page->contract = $sanitizer->textarea($input->post->contract);

So, what about a dropdown <select>? It might be text, but it's not free input... do I need to sanitize?
GuruMeditation, June 9, 2014:

As far as I'm aware, you only need to sanitize actual user input like that typed in a textarea, or a URL etc., as they can basically type in whatever they wish. As your select boxes are predefined by you and can't be edited by your user, you don't need to sanitize it. But someone feel free to correct me if I'm wrong.
SteveB, June 9, 2014:

Quoting GuruMeditation: "select boxes are predefined by you and can't be edited by your user..."

Well, not by most users, but the users who might want to hack your site could easily build a request containing something nasty.
SiNNuT, June 9, 2014:

In this case, if you're serious about security, you would probably want to validate if the user input matches one or more of the select options. If user input != select options, don't process the request. You can never assume that nobody is able to tamper with stuff, even if the options are seemingly predefined in your code.
bwakad (author), June 10, 2014:

But how would you do it with a dropdown value? I'm thinking even the dropdown value is in fact text (if not using integers), or not?

    $sanitizer->textarea
    $sanitizer->text
    $sanitizer->
kongondo, June 10, 2014:

It depends on the type of value sent from the drop down. If it is an integer you typecast/sanitize it like so:

    $cleanValue = (int) $input->post->name_of_select_value_field_sent; // note: name of the dropdown input field!

If it is text you sanitize it first:

    $cleanValue = $sanitizer->text($input->post->name_of_select_value_field_sent); // this is the name of the input!

Then you check if $cleanValue is in your array of clean values:

    if(in_array($cleanValue, $arrayCleanValues)) // blah blah
Martijn Geerts, June 10, 2014:

Quoting bwakad: "So, what about a dropdown <select>? It might be text, but it's not free input... do I need to sanitize?"

You should never trust form input. You can change values in a dropdown in the DOM inspector and submit those changes.
bwakad (author), June 10, 2014:

Thanks Martijn, I really have no experience (that I know of) with the DOM inspector, but I gladly take your word for it.

Looking at a form, most of the fields are <input type="text"> and <textarea>. The difference here is recognizable: $sanitizer->text and $sanitizer->textarea.

<option value="..."> here, according to Kokondo's answer: $sanitizer->text (again).

So, to be clear, any other field than textarea is ALWAYS $sanitizer->text? Just want to know this so as not to make mistakes.
kongondo, June 10, 2014 (edited):

I don't know who Kokondo is, but you sanitize according to the values you want. There's sanitizing for URL-friendly names, for texts, for emails, etc. It's all documented here: http://processwire.com/api/variables/sanitizer/

The only thing you don't sanitize are passwords. BUT... you validate that they only contain characters you have pre-determined. Otherwise, if you sanitize passwords, you might change them and your users may not be able to log in.
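As an added illustration of the password point above (example code, not from the thread or from ProcessWire): the check below accepts or rejects the password but never modifies it, so what is stored or compared is exactly what the user typed. The policy itself (8 to 128 characters, no control characters) is an assumption chosen for the example.

```php
<?php
// Added example, not code from the thread or from ProcessWire.
// Assumption: the policy below (8..128 chars, no control characters) is illustrative.

/**
 * Returns true if $password satisfies the policy. The value is never trimmed,
 * tag-stripped or otherwise altered: validation decides, it does not rewrite.
 */
function passwordIsAcceptable(string $password): bool
{
    $len = mb_strlen($password, 'UTF-8');
    if ($len < 8 || $len > 128) {
        return false;
    }
    // \p{C} covers control, format and unassigned code points; everything else
    // (letters in any script, spaces, quotes, angle brackets) is allowed.
    return preg_match('/^[^\p{C}]+$/u', $password) === 1;
}

// Constructed inputs: a password with surrounding spaces and angle brackets,
// and what a typical text sanitizer (trim + strip_tags) would turn it into.
$typed     = '  p<ss w0rd>!  ';
$sanitized = strip_tags(trim($typed));

var_dump(passwordIsAcceptable($typed));          // true: stored verbatim
var_dump(passwordIsAcceptable("pass\nword1"));   // false: contains a control character
var_dump($typed === $sanitized);                  // false: a sanitized copy would never match at login
```

The last comparison is the failure mode kongondo describes: if the sanitized form were stored at registration, the unsanitized form typed at login (or vice versa) would not match.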
bwakad (author), June 10, 2014:

Yes, sorry about that. Typed your name, was thinking of the movie and then got it all wrong. lol

Okay, so again, it might have been my not reading correctly, but looking at the provided link I still do not see one that says USE ME!

Since a select is in fact a field:

    $sanitizer->fieldName($value) OR $sanitizer->name($value)

But then again, the value is a page name:

    $sanitizer->pageName($value)

And this one specifically says INPUT:

    $sanitizer->text($value) OR $sanitizer->textarea($value)

Then again, the pages are also considered to be part of the URL... As you can see, with me, the confusion is complete! And as said by Soma one time, I'm a hard nut to crack... so please be patient.
kongondo, June 10, 2014:

If you want to use the values sent as...

    an email value: use $sanitizer->email
    a name for a ProcessWire page where you don't care if it has upper case letters: use $sanitizer->name. Name is used to build your URL, so this will be my-Upper-Case-URL
    a name for a ProcessWire page that is more friendly: $sanitizer->pageName, so the URL will be my-lower-case-url
    a valid selector string: use $sanitizer->selectorValue
    a valid string for a ProcessWire page: $sanitizer->text
    etc.

Unless you are a developer (and even then this is rare) you will not need $sanitizer->fieldName or $sanitizer->selectorField.

Note, you are not limited to using the above according to my examples. For your own needs, you may want a string to be cleaned to remove dashes, etc. So, you can use $sanitizer->name in that case...

If the above still doesn't make sense... I'll eat my hat.
Martijn Geerts, June 10, 2014:

@kongondo: I'd love to see that! Kokondo the magic hat eater!
bwakad (author), June 10, 2014:

lol. Then maybe I need to say "don't understand".
SiNNuT, June 10, 2014:

In your example it's not so much about sanitizing but more about validating (checking) if the user input matches one of your intended options. Kongondo's example does exactly that. Almost the same is this: http://stackoverflow.com/questions/5627747/validating-select-box-with-php

Maybe this helps to grasp the idea.
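The pattern kongondo describes and SiNNuT summarises (normalise the submitted value, then check it against the options the server itself rendered) as an added, stand-alone PHP example. This is not code from the thread or from ProcessWire: the allowed page names and ids are constructed inline, and trim()/strip_tags() stands in for $sanitizer->text(), so it runs without a ProcessWire install. It also covers two cases the thread only hints at: a request where the key is missing entirely (a radio group with nothing checked, or a hand-built request that omits it) and one where the value arrives as an array instead of a string.

```php
<?php
// Added example, not code from the thread or from ProcessWire.
// Assumptions: in a real template $allowed would be filled from
// $pages->get("/contract/")->children() and the normalisation step would be
// $sanitizer->text() (names) or (int) (ids); the values below are constructed.

function allowedContractNames(): array
{
    // Constructed stand-in for the page names the <select> was rendered from.
    return ['fixed-term', 'permanent', 'freelance'];
}

function allowedContractIds(): array
{
    // Constructed stand-in for page ids, if <option value> carried ids instead.
    return [1021, 1022, 1023];
}

/**
 * Text-valued select or radio group. Returns the accepted value, or null.
 * $raw is null when the key is absent from the request: no radio checked,
 * a disabled control, or a hand-built request that left it out.
 */
function validateSelectName($raw, array $allowed): ?string
{
    if (!is_string($raw)) {               // missing, or an array from name="x[]" tampering
        return null;
    }
    $clean = trim(strip_tags($raw));      // stand-in for $sanitizer->text($raw)
    // Strict comparison: no type juggling, so "0" or "1e0" cannot match by coercion.
    return in_array($clean, $allowed, true) ? $clean : null;
}

/**
 * Integer-valued select. Returns the accepted id, or null.
 */
function validateSelectId($raw, array $allowed): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {   // "", "12abc", "-1" are not ids
        return null;
    }
    $id = (int) $raw;
    return in_array($id, $allowed, true) ? $id : null;
}

// Constructed submissions: one normal, several tampered, one with the key missing.
$posts = [
    ['contract' => 'permanent'],
    ['contract' => 'permanent<script>'],   // tags stripped first, then matches: the cost of normalising before checking
    ['contract' => "' OR 1=1 --"],
    ['contract' => 'Permanent'],           // case differs from the rendered option
    ['contract' => ['permanent']],         // array instead of string
    [],                                    // nothing checked / key removed
];

foreach ($posts as $post) {
    $raw   = $post['contract'] ?? null;
    $value = validateSelectName($raw, allowedContractNames());
    printf("%-24s => %s\n", json_encode($raw),
        $value === null ? 'rejected' : "accepted '{$value}'");
}

var_dump(validateSelectId('1022', allowedContractIds()));     // int(1022)
var_dump(validateSelectId('1022abc', allowedContractIds()));  // NULL
var_dump(validateSelectId('9999', allowedContractIds()));     // NULL: well-formed but not offered
```

The second case shows a side effect of kongondo's order of operations: because the value is sanitized before the whitelist check, 'permanent<script>' is reduced to 'permanent' and accepted. If you would rather treat any deviation from the rendered options as tampering and reject it, compare the raw value against the whitelist instead of the cleaned one.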
bwakad (author), June 10, 2014:

I actually got it. But was saying it because we want to see Kongondo eat his hat...
bmacnaughton, February 13, 2017:

Quoting kongondo (June 10, 2014): "Unless you are a developer (and even then this is rare) you will not need $sanitizer->fieldName or $sanitizer->selectorValue."

Does this mean that PW sanitizes all database queries on its own? And that means unless I'm implementing my own $db->query() logic that I don't need to sanitize to prevent this kind of lesson:
kongondo, February 13, 2017:

@bmacnaughton. That's not what I meant. What I meant is that ProcessWire offers you a number of tools to sanitise values. Depending on whether you are a frontend developer vs, say, a module developer, you will probably be using a subset of tools more than another subset. In other words, at the end of the day all input should be sanitised; the tools you use will vary depending on the job at hand.
bmacnaughton, February 13, 2017:

Quoting kongondo's reply above: "...at the end of the day all input should be sanitised; the tools you use will vary depending on the job at hand."

Thanks - sanitizing input is important. But it's still not clear to me whether PW sanitizes database query input or not. I think it does because otherwise every user would have to do so with every field that is stored. But most uses are sanitizing for specific types of data - email, field, page-name, etc. So PW does sanitize DB queries, yes?
LostKobrakai, February 13, 2017:

Sanitization does not have much to do with queries per se. You sanitize user input, not the query. And to answer the question about automatisms: when editing a page the fieldtypes of the fields add their own sanitisation based on how things are set up (see Fieldtype::sanitizeValue and child classes). Elsewhere there's nothing automatically sanitized.
iNoize, July 25, 2019:

Hello, I have a wizard and the radio group is always empty. Am I doing something wrong? This is the form example:

    <div class='tab-pane' id='type'>
      <h5 class='info-text'>Welchen Immobilientyp möchten Sie bewerten. </h5>
      <div class='row'>
        <div class='col-sm-12 '>
          <div class='col-sm-3 col-xs-6 '>
            <div class='choice' data-toggle='wizard-radio'>
              <input type='radio' name='imoart' value='Ein/Zweifamilienhaus'>
              <div class='card card-checkboxes card-hover-effect'>
                <i class='lnr lnr-home'></i>
                <p> Ein-/ Zweifamilienhaus</p>
              </div>
            </div>
          </div>
          <div class='col-sm-3 col-xs-6 '>
            <div class='choice' data-toggle='wizard-radio'>
              <input type='radio' name='imoart' value='Fertighaus / Fachwerkhaus'>
              <div class='card card-checkboxes card-hover-effect'>
                <i class='ti-home'></i>
                <p>Fertighaus / Fachwerkhaus </p>
              </div>
            </div>
          </div>
          <div class='col-sm-3 col-xs-6 '>
            <div class='choice' data-toggle='wizard-radio'>
              <input type='radio' name='imoart' value='Doppelhaushälfte / Reihenhaus'>
              <div class='card card-checkboxes card-hover-effect'>
                <i class='ti-home'></i>
                <p>Doppelhaushälfte / Reihenhaus </p>
              </div>
            </div>
          </div>
          <div class='col-sm-3 col-xs-6'>
            <div class='choice' data-toggle='wizard-radio'>
              <input type='radio' name='imoart' value='Grundstück'>
              <div class='card card-checkboxes card-hover-effect'>
                <i class='ti-package'></i>
                <p>Grundstück</p>
              </div>
            </div>
          </div>
        </div>
      </div>
    </div>

This is my code to get the values:

    $art = $sanitizer->text($input->post->imoart);

But it's always empty. What am I doing wrong? Thanks.