sanitize what and how?

bwakad

Searching the forum and reading the API, but I have not really seen a good explanation. I have the feeling that anything where people can input text needs to be sanitized. In some cases I see selectorValue, in other cases I see pageName. But most of the time I see text or textarea... I hope someone can explain.

For instance, let's assume I have this <select>, where in this case $field is "contract":

            echo "<select id='{$field}' name='{$field}'>
                      <option value=''>Any</option>";
                      // use a separate loop variable so $field (the field name) is not overwritten by a Page object
                      foreach($pages->get("/{$field}/")->children() as $child) {
                         echo    "<option value='{$child->name}'>{$child->title} </option>";
                      } 
            echo "</select>";

Normally, with an input field where people can enter text, upon submission you would do:

$member_page->contract = $sanitizer->text($input->post->contract);

With a textarea it would be:

$member_page->contract = $sanitizer->textarea($input->post->contract);

So, what about a dropdown <select>? It might be text, but it's not free input... do I need to sanitize?


As far as I'm aware, you only need to sanitize actual user input like that typed in a textarea, or a URL etc., as they can basically type in whatever they wish. As your select boxes are predefined by you and can't be edited by your user, you don't need to sanitize it.

But someone feel free to correct me if I'm wrong.


select boxes are predefined by you and can't be edited by your user...

Well, not by most users, but the users who might want to hack your site could easily build a request containing something nasty.

  • Like 3

In this case, if you're serious about security, you would probably want to validate if the user input matches one or more of the select options. If user input != select options don't process the request. You can never assume that nobody is able to tamper with stuff, even if the options are seemingly predefined in your code.

  • Like 3

But how would you do it with a dropdown value? I'm thinking even the dropdown value is in fact text (if not using integers), or not?

$sanitizer->textarea

$sanitizer->text

$sanitizer->???


It depends on the type of value sent from the drop down. If it is an integer you typecast/sanitize it like so...

$cleanValue = (int) $input->post->name_of_select_value_field_sent; // note: name of the dropdown input field!

If it is a text you sanitize it first...

$cleanValue = $sanitizer->text($input->post->name_of_select_value_field_sent); // this is the name of the input!

Then you check if $cleanValue is in your array of clean values...

if(in_array($cleanValue, $arrayCleanValues, true)) { // strict comparison against the option values you rendered
    // ... process the request
}
  • Like 5
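The check kongondo describes, written out as an added example for this thread (it is not code from the original posts or from ProcessWire): sanitize the posted <select> value, then accept it only if it is exactly one of the options you rendered. The option list, the field name `contract` and the sample submissions are constructed for the example; `$input->post` and `$sanitizer->text()` are the real ProcessWire calls the stand-ins below replace so the script runs on plain PHP.

```php
<?php
// Added example, not from the original thread or ProcessWire core.
// Topic: validating a <select>/<option> submission against an allowlist.

// Single source of truth for the options. In a ProcessWire template this
// would be built from the same pages that rendered the <select>, e.g.
//   $allowed = $pages->get("/contract/")->children()->explode('name');
// (assumed usage). The empty string is the "Any" option of the original form.
$allowed = ['', 'fixed-term', 'permanent', 'freelance'];

/**
 * Return the submitted value when it exactly matches one of $allowed,
 * otherwise null. Callers must test with === null, because '' ("Any")
 * is a legitimate, non-null result.
 *
 * @param mixed $raw whatever arrived in $input->post->contract
 */
function validateSelect($raw, array $allowed): ?string
{
    // A missing field, an array (contract[]=...) or any other type is never valid.
    if (!is_string($raw)) {
        return null;
    }
    // Stand-in for $sanitizer->text(): trim, drop tags, cap the length.
    $value = substr(trim(strip_tags($raw)), 0, 128);
    // Strict comparison: with loose in_array(), '0' or 'abc' could match an
    // integer option. Sanitizing alone cannot do this step; "free text" and
    // "one of N known values" are different requirements.
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed submissions: one honest, the rest built by editing the request body.
$submissions = [
    'permanent',             // the option the browser would send
    '',                      // the "Any" option
    'permanent ',            // trailing space: sanitized, then accepted
    "permanent' OR 1=1 --",  // tampered body, no such option
    'Permanent',             // case differs from the rendered option, rejected
    ['permanent'],           // contract[]=permanent, wrong type
];

foreach ($submissions as $raw) {
    $clean = validateSelect($raw, $allowed);
    printf("%-26s => %s\n",
        json_encode($raw),
        $clean === null ? 'reject' : "accept '$clean'"
    );
}
```

In a template the call would be `$clean = validateSelect($input->post->contract, $allowed);` followed by `if ($clean === null) { /* refuse the request */ }`. Deriving `$allowed` from the same source that rendered the options is the point: the sanitizer makes the string safe to handle, the allowlist decides whether it is a value this form can legitimately produce.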

Thanks Martijn, I really have no experience (that I know of) with DOM inspector, but gladly take your word for it.

Looking at a form, most of the fields are :

<input type = text AND <input type = textarea.

The difference here is recognizable: $sanitizer->text AND $sanitizer->textarea

<option value = ....

Here, according to Kokondo's answer:  $sanitizer->text (again)

So, to be clear, any other field than textarea is ALWAYS $sanitizer->text?

Just want to know this to not make mistakes.



I don't know who Kokondo is  :D but you sanitize according to the values you want. There's sanitizing for url friendly names, for texts, for emails, etc....

It's all documented here: http://processwire.com/api/variables/sanitizer/

The only thing you don't sanitize are passwords. BUT...you validate that they only contain characters you have pre-determined...Otherwise, if you sanitize passwords, you might change them and your users may not be able to log in...

Edited by kongondo

Yes, sorry about that. Typed your name, was thinking of the movie and then made it all wrong. lol

Okay, so again, it might have been my not reading correctly, but looking at the provided link I still do not see one that says USE ME!

Since a select is in fact a field: $sanitizer->fieldName($value) OR $sanitizer->name($value)

But then again, the value is a page name: $sanitizer->pageName($value)

And this one specifically says INPUT: $sanitizer->text($value) OR $sanitizer->textarea($value)

Then again, the pages are also considered to be part of url...

As you can see, with me the confusion is complete! And as said by Soma one time, I'm a hard nut to crack... so please be patient.


If you want to use the values sent as..

  • email value use $sanitizer->email
  • name for a ProcessWire page that you don't care if it has upper case letters use $sanitizer->name. Name is used to build your url so this will be my-Upper-Case-URL
  • name for ProcessWire page that is more friendly $sanitizer->pageName so url will be my-lower-case-url
  • a valid selector string use $sanitizer->selectorValue
  • a valid string for a ProcessWire page $sanitizer->text
  • etc

Unless you are a developer (and even then this is rare) you will not need $sanitizer->fieldName or $sanitizer->selectorField.

Note, you are not limited to using the above according to my examples. For your own needs, you may want a string to be cleaned to remove dashes, etc. So, you can use $sanitizer->name in that case...

If the above still doesn't make sense...I'll eat my hat :-)

  • Like 6

On 6/10/2014 at 5:53 AM, kongondo said:

Unless you are a developer (and even then this is rare) you will not need $sanitizer->fieldName or $sanitizer->selectorValue.

Does this mean that PW sanitizes all database queries on its own? And that means unless I'm implementing my own $db->query() logic that I don't need to sanitize to prevent this kind of lesson:

[image: exploits_of_a_mom.png]

  • Like 1

@bmacnaughton. That's not what I meant. What I meant is that ProcessWire offers you a number of tools to sanitise values. Depending on whether you are a frontend developer vs, say, a module developer, you will probably be using a subset of tools more than another subset. In other words, at the end of the day all input should be sanitised; the tools you use will vary depending on the job at hand.

  • Like 2

Thanks - sanitizing input is important. But it's still not clear to me whether PW sanitizes database query input or not. I think it does, because otherwise every user would have to do so with every field that is stored. But most uses are sanitizing for specific types of data - email, field, page-name, etc.

So PW does sanitize DB queries, yes?


Sanitization does not have much to do with queries per se. You sanitize user input, not the query. And to answer the question about what happens automatically: when editing a page, the fieldtypes of the fields add their own sanitization based on how things are set up (see Fieldtype::sanitizeValue and child classes). Elsewhere there's nothing automatically sanitized.

  • Like 2
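The distinction in the previous answer, "you sanitize user input, not the query", shown as an added example that is not from the thread or from ProcessWire: a text sanitizer in the spirit of `$sanitizer->text()` leaves the cartoon's injection string intact, so a query that concatenates the value is still injectable, while a bound parameter is not. It uses plain PDO with an in-memory SQLite database (assumes the `pdo_sqlite` extension); the table, rows and hostile input are constructed for the example.

```php
<?php
// Added example, not from the original thread or ProcessWire core.
// Topic: input sanitization versus query parameterization.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO students (name) VALUES ('Alice'), ('Bob')"); // constructed rows

// Stand-in for a text sanitizer like $sanitizer->text(): trims, strips tags,
// caps the length. It makes the value safe to store and display as text;
// it is not an SQL escaper and must not be treated as one.
function sanitizeText(string $raw): string
{
    return substr(trim(strip_tags($raw)), 0, 128);
}

// Unsafe: sanitized or not, the value becomes part of the SQL text.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM students WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter, so the driver treats it as
// data and it can never change the shape of the statement.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT id, name FROM students WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input in the style of the cartoon above. sanitizeText()
// returns it unchanged: there is nothing to trim and no tags to strip.
$input = sanitizeText("Robert' OR '1'='1");

// The concatenated clause reads  name = 'Robert' OR '1'='1'  and matches every row;
// the bound query looks for a student literally named "Robert' OR '1'='1".
printf("sanitized input : %s\n", $input);
printf("concatenated    : %d row(s)\n", count(findByNameConcat($db, $input)));
printf("bound parameter : %d row(s)\n", count(findByNameBound($db, $input)));
```

Both functions receive the same sanitized string; only the way the query is built differs. ProcessWire exposes PDO through `$database`, so the `prepare()`/`execute()` pattern above is the one to use for any raw SQL you write yourself, with `$sanitizer` still applied to the value before it is stored or rendered.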


Hello, I have a wizard and the radio group is always empty. Am I doing something wrong?

This is the form example:

<div class='tab-pane' id='type'>
    <h5 class='info-text'>Which type of property would you like to have valued?</h5>
    <div class='row'>
        <div class='col-sm-12  '>
            <div class='col-sm-3 col-xs-6 '>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Ein/Zweifamilienhaus'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='lnr lnr-home'></i>
                        <p> Single-/two-family house</p>
                    </div>
                </div>
            </div>
            <div class='col-sm-3 col-xs-6 '>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Fertighaus / Fachwerkhaus'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='ti-home'></i>
                        <p>Prefabricated house / half-timbered house </p>
                    </div>
                </div>
            </div>
            <div class='col-sm-3 col-xs-6 '>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Doppelhaushälfte / Reihenhaus'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='ti-home'></i>
                        <p>Semi-detached house / terraced house </p>
                    </div>
                </div>
            </div>
            <div class='col-sm-3 col-xs-6'>
                <div class='choice' data-toggle='wizard-radio'>
                    <input type='radio' name='imoart' value='Grundstück'>
                    <div class='card card-checkboxes card-hover-effect'>
                        <i class='ti-package'></i>
                        <p>Plot of land</p>
                    </div>
                </div>
            </div>
        </div>
    </div>
</div>

This is my code to get the values:


       $art         = $sanitizer->text($input->post->imoart);

But it's always empty.

What am I doing wrong? Thanks
