Hi,

I agree that data cleaning and sanitization is best kept out of the
controller and in the model. However, before I present my solution and
for the sake of completeness, there are two functions,
sanitize::paranoid and sanitize::cleanArray that work from the
controller. I and others have found that cleanArray is useful but
limiting, e.g. it strips characters from email addresses and phone
numbers and doesn't seem to protect against JS code. Paranoid is
perfect but is only useful on a var by var basis from the controller.

So, my solution to clean up data before save is as follows:

1) In appModel put the function found at http://pastebin.co.uk/12244

2) Still in appModel put the following function:

/**
 * Calls the global sanitize method and sanitizes data via paranoid.
 * Allowed chars are passed in via an allowedChars array in individual
 * models.
 * @return boolean Must return true, otherwise save execution will abort.
 */
function beforeValidate()
{
    $this->__sanitize($this->data);
    return true;
}

3) So now, your app will run each item of a $this->data array through
sanitize::paranoid() and will strip out everything except alphanumeric
characters. I operate on the basis that you should remove everything
and then create a whitelist of allowed characters for each field in
your model. To do this, in each model create a protected array called
$allowedChars as follows:

protected $allowedChars = array();

If you have two fields in your model, let's say an ID and an email, you
would want only numbers in the ID field but the email field should
contain the special characters @, ., -, _. To do this, your
$allowedChars would appear as:

protected $allowedChars = array('email' => array('@', ',', '.', '-', '_'));

Effectively the second array in $allowedChars is the second var of the
sanitize::paranoid function.

If you look carefully at my __sanitize function you will see there are
some shortcuts, called 'default', 'datetime', 'markdown' and
'textarea'. These contain pre-written groups of allowed characters. So
for a datetime field (not created or modified, you don't need to do
anything with those) you could write your $allowedChars array as:

protected $allowedChars = array('date' => array('datetime'));

You can combine characters and shortcuts as well, e.g.

protected $allowedChars = array('date' => array('datetime', '@', 'markdown', '-', '/'));

What do people think of that type of approach? One important note,
this does not clean up inputs used for search or filtering and you
would need to call paranoid for those inputs. I am working on a
beforeFind version of the above but it is not so quick.

HTH, Ianh

On Mar 24, 7:45 am, "Michael Tuzi" <[EMAIL PROTECTED]> wrote:
> I thought that data cleaning should be done prior to a save, so I
> tried using stripAll in the model as follows:
>
>     function beforeSave()
>     {
>         require_once('sanitize.php');
>         $cleaner = new Sanitize();
>
>         $profile = $this->data;
>         $fields['Profile'] = $this->getColumnTypes();
>         foreach ($fields['Profile'] as $k => $v)
>         {
>             if (isset($profile['Profile'][$k]))
>             {
>                 if (($v == 'string') || ($v == 'text'))
>                 {
>                     $fields['Profile'][$k] = $this->RequestHandler->stripAll($profile['Profile'][$k]);
>                 }
>                 else
>                 {
>                     $fields['Profile'][$k] = $profile['Profile'][$k];
>                 }
>             }
>             else
>             {
>                 $fields['Profile'][$k] = '';
>             }
>         }
>         $cleaner->cleanArray($fields);
>     }
>
> But I get this warning:
> Undefined property: Profile::$RequestHandler, because the components
> array isn't defined in the model. It's in the controller. Any
> suggestions on how I might move some of this cleaning work out of the
> controller?
>
> Thanks in advance,
>
> Michael Tuzi
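The per-field whitelist approach Ianh describes above (every field stripped to alphanumerics, then widened by an $allowedChars entry that may mix literal characters and shortcut names) as an added, self-contained example. This is not Ianh's pastebin code and not CakePHP's own Sanitize class: the functions paranoid_strip, shortcut_chars, expand_allowed and sanitize_data, the character sets behind the shortcut names, and the skipping of created/modified are assumptions made for this illustration. paranoid_strip reproduces the documented behaviour of Sanitize::paranoid (remove everything except alphanumerics and an allowed list) so the script runs outside Cake.

```php
<?php
// Added example, not the thread's pastebin code or CakePHP's Sanitize class.
// All function names and shortcut character sets below are assumptions.

// Stand-in for Sanitize::paranoid(): drop every character that is not
// alphanumeric or in $allowed. Allowed characters are preg_quote()d so that
// '-', '/', '.' and ']' are matched literally inside the character class.
function paranoid_strip($value, array $allowed = array())
{
    $extra = '';
    foreach ($allowed as $char) {
        $extra .= preg_quote($char, '/');
    }
    return preg_replace('/[^a-zA-Z0-9' . $extra . ']/', '', $value);
}

// Assumed expansions for the shortcut names mentioned in the thread.
// The real pastebin defines its own groups; these are illustrative only.
function shortcut_chars($name)
{
    $shortcuts = array(
        'default'  => array(' ', '.', ',', '-', '_'),
        'datetime' => array('-', ':', ' '),
        'markdown' => array(' ', '.', ',', '-', '_', '*', '#', '(', ')', '[', ']', '!', '>', "\n"),
        'textarea' => array(' ', '.', ',', '-', '_', '?', '!', "\n"),
    );
    return isset($shortcuts[$name]) ? $shortcuts[$name] : null;
}

// Expand one $allowedChars entry: shortcut names become their character
// groups, anything else is taken as a literal character to allow.
function expand_allowed(array $spec)
{
    $chars = array();
    foreach ($spec as $item) {
        $group = shortcut_chars($item);
        if ($group !== null) {
            $chars = array_merge($chars, $group);
        } else {
            $chars[] = $item;
        }
    }
    return $chars;
}

// Walk $data in the $this->data shape (array('Model' => array(field => value)))
// and strip each string field to alphanumerics plus its whitelisted characters.
// Fields with no $allowedChars entry keep alphanumerics only. The created and
// modified fields are left untouched, as the post says they need no handling
// (an assumption of this example, not a rule from the pastebin).
function sanitize_data(array $data, array $allowedChars)
{
    foreach ($data as $model => $fields) {
        if (!is_array($fields)) {
            continue;
        }
        foreach ($fields as $field => $value) {
            if ($field === 'created' || $field === 'modified' || !is_string($value)) {
                continue;
            }
            $spec = isset($allowedChars[$field]) ? $allowedChars[$field] : array();
            $data[$model][$field] = paranoid_strip($value, expand_allowed($spec));
        }
    }
    return $data;
}

// Constructed sample input: an id carrying markup, an email with stray
// characters appended, and a datetime that should pass through intact.
$allowedChars = array(
    'email' => array('@', '.', '-', '_'),
    'date'  => array('datetime'),
);
$data = array('User' => array(
    'id'    => '12<script>',
    'email' => 'first.last+tag@example.com"; ',
    'date'  => '2008-03-24 07:45:00',
));

print_r(sanitize_data($data, $allowedChars));
```

Running it shows the trade-off Ianh mentions for email fields: the markup around the id and the quote and semicolon after the address disappear, but so does the '+' in the constructed address, which is legal in an email local part and survives only if it is added to that field's whitelist. Whitelists therefore need to be chosen per field against the real input format, and the same strip has to be applied to search and filter input separately, since nothing here runs on a find.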


You received this message because you are subscribed to the Google Groups "Cake PHP" group.
http://groups.google.com/group/cake-php?hl=en