I just realized this is not working properly in PHP4; it must have
something to do with passing the array by reference. The method
worked fine on my laptop, where I have PHP 5.2.1 installed, then I
moved things to my desktop, the validation stopped working, and I went
a little insane. I just upgraded to PHP 5 on my desktop, and the
problems seem to have gone away. Just a heads up.

On Mar 26, 2:59 am, "ianh" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I agree that data cleaning and sanitization is best kept out of the
> controller and in the model. However, before I present my solution and
> for the sake of completeness, there are two functions, Sanitize::paranoid
> and Sanitize::cleanArray, that work from the
> controller. I and others have found that cleanArray is useful but
> limiting, e.g. it strips characters from email addresses and phone
> numbers and doesn't seem to protect against JS code. Paranoid is
> perfect but is only useful on a var-by-var basis from the controller.
>
> So, my solution to clean up data before save is as follows:
>
> 1) In appModel put the function found at http://pastebin.co.uk/12244
>
> 2) Still in appModel put the following function:
>
> /*
>  *      Calls the global sanitize method and sanitizes data via paranoid.
>  *      Allowed chars are passed in via an allowedChars array in individual
>  *      models.
>  *      @return must return boolean true, otherwise save execution will abort
>  **/
>     function beforeValidate()
>     {
>         $this->__sanitize($this->data);
>         return true;
>     }
>
> 3) So now, your app will run each item of a $this->data array
> through Sanitize::paranoid() and will strip out everything except alphanumeric
> characters. I operate on the basis that you should remove everything
> and then create a whitelist of allowed characters for each field in
> your model. To do this, in each model create a protected array called
> $allowedChars as follows:
>
> protected $allowedChars = array();
>
> If you have two fields in your model, let's say an ID and an email, you
> would want only numbers in the ID field but the email field should
> contain the special characters @, ., -, _. To do this, your
> $allowedChars would appear as:
>
> protected $allowedChars = array('email' => array('@', '.', '-', '_'));
>
> Effectively the second array in $allowedChars is the second var of
> the Sanitize::paranoid function.
>
> If you look carefully at my __sanitize function you will see there are
> some shortcuts, called 'default', 'datetime', 'markdown' and
> 'textarea'. These contain pre-written groups of allowed characters. So
> for a datetime field (not created or modified, you don't need to do
> anything with those) you could write your $allowedChars array as:
>
> protected $allowedChars = array('date' => array( 'datetime'));
>
> You can combine characters and shortcuts as well, e.g.
>
> protected $allowedChars = array('date' => array( 'datetime', '@',
> 'markdown', '-', '/'));
>
> What do people think of that type of approach? One important note,
> this does not clean up inputs used for search or filtering and you
> would need to call paranoid for those inputs. I am working on a
> beforeFind version of the above but it is not so quick.
>
> HTH, Ianh
>
> On Mar 24, 7:45 am, "Michael Tuzi" <[EMAIL PROTECTED]> wrote:
>
> > I thought that data cleaning should be done prior to a save, so I
> > tried using stripAll in the model as follows:
>
> >     function beforeSave()
> >     {
> >         require_once('sanitize.php');
> >         $cleaner = new Sanitize();
> >
> >         $profile = $this->data;
> >         // getColumnTypes() gives a field => column type map for this model
> >         $fields['Profile'] = $this->getColumnTypes();
> >         foreach ($fields['Profile'] as $k => $v)
> >         {
> >             if (isset($profile['Profile'][$k]))
> >             {
> >                 if (($v == 'string') || ($v == 'text'))
> >                 {
> >                     // RequestHandler is a controller component, not a
> >                     // model property; this is the line behind the warning
> >                     $fields['Profile'][$k] =
> >                         $this->RequestHandler->stripAll($profile['Profile'][$k]);
> >                 }
> >                 else
> >                 {
> >                     $fields['Profile'][$k] = $profile['Profile'][$k];
> >                 }
> >             }
> >             else {
> >                 $fields['Profile'][$k] = '';
> >             }
> >         }
> >         // cleanArray() works on its argument by reference; write the
> >         // cleaned copy back so that save() actually uses it
> >         $cleaner->cleanArray($fields);
> >         $this->data = $fields;
> >         return true;
> >     }
>
> > But I get this warning:
> > Undefined property: Profile::$RequestHandler, because the components
> > array isn't defined in the model. It's in the controller. Any
> > suggestions on how I might move some of this cleaning work out of the
> > controller?
>
> > Thanks in advance,
>
> > Michael Tuzi
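The per-field whitelist scheme Ianh describes above (strip everything except alphanumerics, then re-allow characters or named groups field by field), written out as a stand-alone PHP 5 script. This is an added example, not the code from the pastebin link, the thread, or CakePHP itself: the paranoid-style cleaner is re-implemented here, the contents of the 'default', 'datetime', 'markdown' and 'textarea' groups are assumptions (the thread names them but does not list them), and the sample $data array is constructed for the demo. The cleaned array is returned rather than modified in place, which sidesteps the pass-by-reference behaviour the PHP4 report at the top of the thread ran into.

```php
<?php
// Added example, not code from the thread or from CakePHP itself: a
// stand-alone PHP 5 sketch of the "strip everything, then whitelist per
// field" approach, with the cleaned array returned instead of modified by
// reference. The contents of the shortcut groups are assumptions; the thread
// names 'default', 'datetime', 'markdown' and 'textarea' but does not list
// what they allow.

$SHORTCUTS = array(
    'default'  => array(' ', '.', ',', '-', '_'),
    'datetime' => array('-', ':', ' '),
    'markdown' => array(' ', '.', ',', '-', '_', '*', '#', '[', ']', '(', ')', '`', "\n"),
    'textarea' => array(' ', '.', ',', '-', '_', '!', '?', "\n", "\r"),
);

// Build a PCRE character class of everything that may survive: ASCII
// letters, digits and the explicitly allowed characters. Each allowed
// character is backslash-escaped so that '-', ']' and '\' cannot form a
// range or end the class; newlines get their escape-sequence form.
function allowed_class(array $allowed) {
    $class = 'a-zA-Z0-9';
    foreach ($allowed as $ch) {
        if ($ch === "\n") {
            $class .= '\n';
        } elseif ($ch === "\r") {
            $class .= '\r';
        } elseif (strlen($ch) === 1 && ctype_alnum($ch)) {
            $class .= $ch;
        } else {
            $class .= '\\' . $ch;
        }
    }
    return $class;
}

// Equivalent in spirit to Sanitize::paranoid(): characters outside the
// whitelist are deleted, not escaped.
function paranoid_clean($value, array $allowed = array()) {
    return preg_replace('/[^' . allowed_class($allowed) . ']/', '', (string) $value);
}

// Expand a per-field spec such as array('datetime', '@', '/') into literal
// characters: entries that name a shortcut group are replaced by the group.
function expand_allowed(array $spec, array $shortcuts) {
    $chars = array();
    foreach ($spec as $item) {
        if (isset($shortcuts[$item])) {
            $chars = array_merge($chars, $shortcuts[$item]);
        } else {
            $chars[] = $item;
        }
    }
    return array_values(array_unique($chars));
}

// Clean a Cake-style $this->data array (Model => field => value). Fields
// with no entry in $allowedChars keep only letters and digits; created and
// modified are skipped, as in the thread. The cleaned copy is returned.
function sanitize_data(array $data, array $allowedChars, array $shortcuts) {
    foreach ($data as $model => $fields) {
        if (!is_array($fields)) {
            continue;
        }
        foreach ($fields as $field => $value) {
            if (!is_scalar($value) || $field === 'created' || $field === 'modified') {
                continue;
            }
            $spec = isset($allowedChars[$field]) ? $allowedChars[$field] : array();
            $data[$model][$field] = paranoid_clean($value, expand_allowed($spec, $shortcuts));
        }
    }
    return $data;
}

// Constructed sample input; the field names and values are made up.
$allowedChars = array(
    'email' => array('@', '.', '-', '_'),
    'date'  => array('datetime'),
    'bio'   => array('textarea', '@'),
);
$data = array('Profile' => array(
    'id'    => '42',
    'email' => 'first.last+tag@example.com',
    'date'  => '2007-03-26 02:59:00',
    'bio'   => "Hello <script>alert(1)</script>, see you!\n-- me",
));

print_r(sanitize_data($data, $allowedChars, $SHORTCUTS));
```

Two things the sample input is chosen to show. The '+' in the email local part is not in the whitelist, so it is silently deleted and a valid address is turned into a different one; that is the same class of problem Ianh reports with cleanArray, and it is inherent to any delete-on-sight whitelist. The bio keeps the words "script" and "alert" but loses the angle brackets, parentheses and slash, which is enough to defang that particular markup but is not an HTML escaper: data cleaned this way still needs escaping at output time and parameterised queries on the way into the database.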


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---