Re: sanitizing data with beforeValidate

2007-04-30 Thread ianh

Yes - it is for this reason that I call the function in
beforeValidate, because an isUnique query using unchanged data which
then gets changed is not ideal. My approach with usernames and
passwords is to say by the field what characters are not allowed and
then confirm what got saved to the DB in a welcome/confirmation email.

On Apr 30, 1:02 pm, gmwebs <[EMAIL PROTECTED]> wrote:
> Quite a conundrum... If the function is called beforeSave() then the
> input is not sanitized before being used for validation. Could be an
> issue when using isUnique() as the database is queried at validation
> time using unsanitized input data. Could this be a candidate for SQL
> injection?


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: sanitizing data with beforeValidate

2007-04-30 Thread gmwebs

Quite a conundrum... If the function is called beforeSave() then the
input is not sanitized before being used for validation. Could be an
issue when using isUnique() as the database is queried at validation
time using unsanitized input data. Could this be a candidate for SQL
injection?





Re: sanitizing data with beforeValidate

2007-04-30 Thread ianh

Interesting point. Perhaps it would be better if the function gets
called beforeSave() instead?

On Apr 30, 12:47 pm, gmwebs <[EMAIL PROTECTED]> wrote:
> How would I echo the sanitized input in my form rather than the
> unsanitized input? If a user were to input non-alphanumeric characters
> in a username on a registration page for instance, the input is
> sanitized before validation which means the form validates and the
> data is saved, but the user will not know that the username he entered
> in has been stripped of non-alphanumeric characters.





Re: sanitizing data with beforeValidate

2007-04-30 Thread gmwebs

How would I echo the sanitized input in my form rather than the
unsanitized input? If a user were to input non-alphanumeric characters
in a username on a registration page for instance, the input is
sanitized before validation which means the form validates and the
data is saved, but the user will not know that the username he entered
in has been stripped of non-alphanumeric characters.





Re: sanitizing data with beforeValidate

2007-04-30 Thread ianh

No worries - let me know how the function works out for you and any
improvements you think might be warranted. Ian

On Apr 30, 11:01 am, gmwebs <[EMAIL PROTECTED]> wrote:
> Thanks Ian...
>
> I had the return true in the beforeValidate() but I was trying
> something in beforeSave() and had neglected to put the return true in
> there. It works fine now.
>
> Regards,
>
> Graham





Re: sanitizing data with beforeValidate

2007-04-30 Thread gmwebs

Thanks Ian...

I had the return true in the beforeValidate() but I was trying
something in beforeSave() and had neglected to put the return true in
there. It works fine now.

Regards,

Graham





Re: sanitizing data with beforeValidate

2007-04-30 Thread ianh

Hi Graham - thanks for giving the function a whirl. If you can still
see the data after sanitization then the most obvious thing to ask is
are you calling it correctly? It must look like this:

function beforeValidate()
{
  $this->__sanitize($this->data);
  return true;
}

It is vital that the beforeValidate includes a return true statement,
otherwise the save thinks validation has failed. If return true is
there and the thing still fails then you could break up your save
into components to find which bit fails, like this (for 1.1.x only):

if($this->{$this->modelClass}->validates($this->data)) {
  if($this->{$this->modelClass}->save($this->data)) {
    echo "everything A Ok!";
  } else {
    echo "save failed";
  }
} else {
  echo "validation failed";
}

Let me know what happens or paste up your code somewhere
(pastebin.co.uk) and I will take a look for you.

Cheers, Ian

On Apr 29, 10:45 pm, gmwebs <[EMAIL PROTECTED]> wrote:
> Hi Ian,
>
> I had a go using your __sanitize() function and while the actual
> sanitization is working, I don't seem to be able to save my model. If
> I view the input before calling __sanitize() in beforeValidate() and
> then after, it proves that the inputs are sanitized just as expected.
> Unfortunately the Model->save() fails after the __sanitize call and I
> can't seem to find where/how it is failing. If I remove the
> __sanitize() call then it saves perfectly (with clean inputs of
> course). I know it's a long shot, but do you have any ideas why this
> could be?
>
> Regards,
>
> Graham





Re: sanitizing data with beforeValidate

2007-04-29 Thread gmwebs

Hi Ian,

I had a go using your __sanitize() function and while the actual
sanitization is working, I don't seem to be able to save my model. If
I view the input before calling __sanitize() in beforeValidate() and
then after, it proves that the inputs are sanitized just as expected.
Unfortunately the Model->save() fails after the __sanitize call and I
can't seem to find where/how it is failing. If I remove the
__sanitize() call then it saves perfectly (with clean inputs of
course). I know it's a long shot, but do you have any ideas why this
could be?

Regards,

Graham





Re: sanitizing data with beforeValidate

2007-04-19 Thread ianh

http://pastebin.co.uk/13204

Usage:

Place the method in your app_model and call it from the beforeValidate
callback, also placed in your app_model:

function beforeValidate()
{
  $this->__sanitize($this->data);
  return true;
}

In every model of your app include the var $allowedChars = array(); In
this array name any fields for which special characters must be
allowed and what those special characters are. The method includes
some "shortcuts" and you can combine multiple shortcuts etc. to get the
desired outcome.

Differences from usage guidelines in my previous post are:

1) You can flag a field to be ignored (will be returned without being
passed through Sanitize::paranoid - essential for file uploads!
2) A "serialized" shortcut has been introduced that automatically
inserts all the characters you need for a serialized field into the
paranoid function.

Simple usage example:
var $allowedChars = array('emailfield' => array('.', '@', '-', '_'));

Complex usage example:
var $allowedChars = array('emailfield' => array('default'),
'descriptionfield' => array('default', 'textarea', 'markdown', '|'));

Shortcuts are:
default = basic chars used in most text fields including spaces,
punctuation etc;
datetime = basic chars used in datetime fields (' ', '-', ':')
textarea = allows line breaks to be passed through
markdown = for use when using markdown markup in your fields (nothing
available for textile I'm afraid)
serialized = for use when trying to save a set of serialized data.

Special shortcut:
Ignore = doesn't send the field through paranoid and returns it "as
is". So far I have used that only for file upload fields.

Warnings:
Because of the way this method is called it will only work when saving
data and when the data validation callback is called. It will not work
when using inputs to search the database and it will not work if
beforeValidate is not called (e.g. the saveField method by default does
not call beforeValidate). All use is entirely at your own risk I'm
afraid...

Let me know what you think or any improvements you can come up with.
Ian

On Apr 18, 7:20 pm, Poncho <[EMAIL PROTECTED]> wrote:
> Hey Ian,
>
> That code looks pretty nice, could you post the newer version you
> mentioned?
>
> Cheers;
> Poncho


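The sanitizer Ian describes above, reconstructed as an added example (this is not his pastebin code, which the page does not carry): an AppModel for CakePHP 1.x that walks $this->data, expands the $allowedChars shortcuts into a character allow-list and passes each field through Sanitize::paranoid(), so validation (e.g. isUnique) and the save see the same cleaned values. The shortcut character sets, the lowercase 'ignore' flag and the uses('sanitize') loader call are assumptions; only the datetime set (' ', '-', ':') comes from the post.

```php
<?php
// Added example, not Ian's pastebin code. Per-model $allowedChars entries
// are 'field' => array(<shortcut names and/or literal characters>).
// Shortcut sets other than 'datetime' are assumptions for illustration.
uses('sanitize');   // CakePHP 1.x loader for the core Sanitize class

class AppModel extends Model {
    var $allowedChars = array();   // overridden in each concrete model

    // Shortcut name => characters let through Sanitize::paranoid() (assumed sets).
    var $__shortcuts = array(
        'default'    => array(' ', '.', ',', '!', '?', '-', '_', '\'', '(', ')'),
        'datetime'   => array(' ', '-', ':'),
        'textarea'   => array("\n", "\r"),
        'markdown'   => array('#', '*', '[', ']', '(', ')', '>', '`', '_', '-'),
        'serialized' => array('{', '}', ':', ';', '"', '\'', ',', '.', '-', '_'),
    );

    function beforeValidate() {
        $this->__sanitize($this->data);
        return true;   // without this, save() treats validation as failed
    }

    // Rewrites $data[ModelName][field] in place, before validation runs.
    function __sanitize(&$data) {
        if (empty($data[$this->name]) || !is_array($data[$this->name])) {
            return;
        }
        foreach ($data[$this->name] as $field => $value) {
            $spec = isset($this->allowedChars[$field]) ? (array)$this->allowedChars[$field] : array();
            if (in_array('ignore', $spec)) {
                continue;   // e.g. file-upload arrays: returned untouched
            }
            $allowed = array();
            foreach ($spec as $item) {
                if (isset($this->__shortcuts[$item])) {
                    $allowed = array_merge($allowed, $this->__shortcuts[$item]);
                } else {
                    $allowed[] = $item;   // a literal character such as '@' or '|'
                }
            }
            // Everything outside [a-zA-Z0-9] plus the allow-list is stripped.
            $data[$this->name][$field] = Sanitize::paranoid($value, array_unique($allowed));
        }
    }
}
?>
```

Fields with no $allowedChars entry are reduced to alphanumerics only, which is why a confirmation of the stored value back to the user (as Ian suggests) matters for usernames.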



Re: sanitizing data with beforeValidate

2007-04-18 Thread Poncho

Hey Ian,

That code looks pretty nice, could you post the newer version you
mentioned?

Cheers;
Poncho

On Apr 15, 2:41 pm, "ianh" <[EMAIL PROTECTED]> wrote:
> There is this: http://groups.google.co.uk/group/cake-php/browse_thread/thread/6257c7...
> which gives a method you could work from. I have developed it a little
> more since, so if that look useful let me know and I will paste up a
> newer version somewhere. Ianh
>
> On 15 Apr, 04:29, "Poncho" <[EMAIL PROTECTED]> wrote:
>
> > Hello all,
>
> > I'm trying to automatically sanitize and reformat phone and fax
> > numbers, so I knocked these model methods together but I can't seem to
> > get it working.
>
> > function formatPhoneNumbers()
> > {
> >     if(isset($this->data[$this->name]) && count($this->data[$this->name])) {
> >         $this->log('$this->data['.$this->name.'] is set and is not empty');
> >         foreach($this->data[$this->name] as $key => $value)
> >         {
> >             // strpos() returns 0 for a match at offset 0 (e.g. a field named 'fax'), so test against false
> >             if(strpos($key, 'phone') !== false || strpos($key, 'fax') !== false) {
> >                 $this->formatPhone($key);
> >                 $this->log("{$key} is being reformatted");
> >             }
> >         }
> >     }
> >     else
> >     {
> >         $this->log('$this->data['.$this->name.'] is not set or is empty');
> >     }
> >     return true;
> > }
> >
> > function formatPhone($field=null)
> > {
> >     if(isset($this->data[$this->name][$field]) && !empty($this->data[$this->name][$field])) {
> >         // keep digits only
> >         $this->data[$this->name][$field] = preg_replace('/[^0-9]/', '', $this->data[$this->name][$field]);
> >     }
> >     return true;
> > }
>
> > This is to be used for all forms, so I put the methods in AppModel and
> > call them with beforeValidate like so:
> >
> > function beforeValidate()
> > {
> >     $this->formatPhoneNumbers();
> >     return true;
> > }
>
> > Unfortunately, when I run the form with some data (with fields such as
> > 'daytime_phone', 'evening_phone', 'fax'), the form is repopulated with
> > the data without being reformatted and I get the following message
> > logged:
>
> > 2007-04-15 12:20:09 Error: $this->data[Award] is not set or is empty
>
> > Any help would be greatly appreciated, I may have just overlooked
> > something.
>
> > Cheers;
> > Poncho





Re: sanitizing data with beforeValidate

2007-04-15 Thread ianh

There is this:
http://groups.google.co.uk/group/cake-php/browse_thread/thread/6257c749081c4adc/01514bd32d4055ab?lnk=gst&q=sanitize+beforeValidate&rnum=2&hl=en#01514bd32d4055ab
which gives a method you could work from. I have developed it a little
more since, so if that look useful let me know and I will paste up a
newer version somewhere. Ianh

On 15 Apr, 04:29, "Poncho" <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm trying to automatically sanitize and reformat phone and fax
> numbers, so I knocked these model methods together but I can't seem to
> get it working.
>
> function formatPhoneNumbers()
> {
>     if(isset($this->data[$this->name]) && count($this->data[$this->name])) {
>         $this->log('$this->data['.$this->name.'] is set and is not empty');
>         foreach($this->data[$this->name] as $key => $value)
>         {
>             // strpos() returns 0 for a match at offset 0 (e.g. a field named 'fax'), so test against false
>             if(strpos($key, 'phone') !== false || strpos($key, 'fax') !== false) {
>                 $this->formatPhone($key);
>                 $this->log("{$key} is being reformatted");
>             }
>         }
>     }
>     else
>     {
>         $this->log('$this->data['.$this->name.'] is not set or is empty');
>     }
>     return true;
> }
>
> function formatPhone($field=null)
> {
>     if(isset($this->data[$this->name][$field]) && !empty($this->data[$this->name][$field])) {
>         // keep digits only
>         $this->data[$this->name][$field] = preg_replace('/[^0-9]/', '', $this->data[$this->name][$field]);
>     }
>     return true;
> }
>
> This is to be used for all forms, so I put the methods in AppModel and
> call them with beforeValidate like so:
>
> function beforeValidate()
> {
>     $this->formatPhoneNumbers();
>     return true;
> }
>
> Unfortunately, when I run the form with some data (with fields such as
> 'daytime_phone', 'evening_phone', 'fax'), the form is repopulated with
> the data without being reformatted and I get the following message
> logged:
>
> 2007-04-15 12:20:09 Error: $this->data[Award] is not set or is empty
>
> Any help would be greatly appreciated, I may have just overlooked
> something.
>
> Cheers;
> Poncho

