Re: sanitizing data with beforeValidate
Yes - it is for this reason that I call the function in beforeValidate, because an isUnique query using unchanged data which then gets changed is not ideal. My approach with usernames and passwords is to say by the field what characters are not allowed and then confirm what got saved to the DB in a welcome/confirmation email.

On Apr 30, 1:02 pm, gmwebs <[EMAIL PROTECTED]> wrote:
> Quite a conundrum... If the function is called beforeSave() then the
> input is not sanitized before being used for validation. Could be an
> issue when using isUnique() as the database is queried at validation
> time using unsanitized input data. Could this be a candidate for SQL
> injection?

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---
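The ordering question Ian and Graham are discussing (does the uniqueness check see the value that will actually be saved, and is an unsanitized value in that query an injection risk?) as an added, framework-free example. This is not code from the thread and not CakePHP's isUnique; the normalisation policy (letters, digits, '_', '-'), the table layout, the function names and the sample inputs are all assumptions made for the example. It uses PDO with an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example, not from the thread and not CakePHP code. It shows the two
// points at issue: the uniqueness check must see the value that will actually
// be saved (so normalise before validating), and the check itself is made
// injection-safe by binding the value, not by stripping characters. Runs
// stand-alone against an in-memory SQLite database via PDO.

// Normalise a username the way the thread's sanitiser does. The policy
// (letters, digits, '_' and '-') is an assumption for this example.
function normalizeUsername($raw)
{
    return preg_replace('/[^a-zA-Z0-9_\-]/', '', $raw);
}

// Uniqueness query with a bound parameter: whatever $username contains, it
// reaches the database as data, never as SQL text.
function isUniqueUsername(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->execute(array($username));
    return (int) $stmt->fetchColumn() === 0;
}

// Normalise, validate the normalised value, then save it. The returned
// 'username' is what was (or would have been) stored, so the form or the
// welcome e-mail can show the user the real value, and 'changed' tells the
// caller that normalisation altered the input.
function registerUser(PDO $db, $rawUsername)
{
    $username = normalizeUsername($rawUsername);
    $result = array(
        'ok'       => false,
        'username' => $username,
        'changed'  => $username !== $rawUsername,
        'errors'   => array(),
    );
    if (strlen($username) < 3 || strlen($username) > 20) {
        $result['errors'][] = 'username must be 3-20 allowed characters';
        return $result;
    }
    if (!isUniqueUsername($db, $username)) {
        $result['errors'][] = 'username already taken';
        return $result;
    }
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
    $stmt->execute(array($username));
    $result['ok'] = true;
    return $result;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The UNIQUE constraint is the backstop: it catches a check that was run on
// the wrong value and the race between check and insert.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');

// Constructed inputs for the demonstration.
$inputs = array(
    'alice',                        // clean
    "alice' OR '1'='1",             // stored as 'aliceOR11', and bound anyway
    'al ice',                       // collides with 'alice' only after normalisation
    "bob'; DROP TABLE users; --",   // stored as 'bobDROPTABLEusers--'
);
foreach ($inputs as $raw) {
    $r = registerUser($db, $raw);
    printf("%-30s -> %-8s stored=%-22s %s%s\n",
        var_export($raw, true),
        $r['ok'] ? 'saved' : 'rejected',
        $r['username'],
        $r['changed'] ? '[changed] ' : '',
        implode('; ', $r['errors']));
}
// The raw attack string is harmless in the bound query too: it is compared
// as a literal and simply matches nothing.
var_dump(isUniqueUsername($db, "alice' OR '1'='1"));   // bool(true)
```

The 'al ice' input is the case Ian's ordering argument is about: checked raw, it is unique; checked after normalisation, it collides with 'alice', and without the normalise-then-validate order the INSERT would only be stopped by the UNIQUE constraint. The injection strings show the other half of the question: the bound query treats them as plain values whether or not they were stripped first, so stripping is a data-cleaning policy, not the SQL injection defence.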
Re: sanitizing data with beforeValidate
Quite a conundrum... If the function is called beforeSave() then the input is not sanitized before being used for validation. Could be an issue when using isUnique() as the database is queried at validation time using unsanitized input data. Could this be a candidate for SQL injection?
Re: sanitizing data with beforeValidate
Interesting point. Perhaps it would be better if the function gets called beforeSave() instead?

On Apr 30, 12:47 pm, gmwebs <[EMAIL PROTECTED]> wrote:
> How would I echo the sanitized input in my form rather than the
> unsanitized input? If a user were to input non-alphanumeric characters
> in a username on a registration page for instance, the input is
> sanitized before validation which means the form validates and the
> data is saved, but the user will not know that the username he entered
> in has been stripped of non-alphanumeric characters.
Re: sanitizing data with beforeValidate
How would I echo the sanitized input in my form rather than the unsanitized input? If a user were to input non-alphanumeric characters in a username on a registration page for instance, the input is sanitized before validation which means the form validates and the data is saved, but the user will not know that the username he entered in has been stripped of non-alphanumeric characters.
Re: sanitizing data with beforeValidate
No worries - let me know how the function works out for you and any improvements you think might be warranted.

Ian

On Apr 30, 11:01 am, gmwebs <[EMAIL PROTECTED]> wrote:
> Thanks Ian...
>
> I had the return true in the beforeValidate() but I was trying
> something in beforeSave() and had neglected to put the return true in
> there. It works fine now.
>
> Regards,
>
> Graham
Re: sanitizing data with beforeValidate
Thanks Ian...

I had the return true in the beforeValidate() but I was trying something in beforeSave() and had neglected to put the return true in there. It works fine now.

Regards,

Graham
Re: sanitizing data with beforeValidate
Hi Graham - thanks for giving the function a whirl. If you can still see the data after sanitization then the most obvious thing to ask is: are you calling it correctly? It must look like this:

    function beforeValidate() {
        $this->__sanitize($this->data);
        return true;
    }

It is vital that the beforeValidate includes a return true statement, otherwise the save thinks validation has failed. If return true is there and the thing still fails, then you could break up your save into components to find which bit fails, like this (for 1.1.x only):

    if ($this->{$this->modelClass}->validates($this->data)) {
        if ($this->{$this->modelClass}->save($this->data)) {
            echo "everything A Ok!";
        } else {
            echo "save failed";
        }
    } else {
        echo "validation failed";
    }

Let me know what happens or paste up your code somewhere (pastebin.co.uk) and I will take a look for you.

Cheers,

Ian

On Apr 29, 10:45 pm, gmwebs <[EMAIL PROTECTED]> wrote:
> Hi Ian,
>
> I had a go using your __sanitize() function and while the actual
> sanitization is working, I don't seem to be able to save my model. If
> I view the input before calling __sanitize() in beforeValidate() and
> then after, it proves that the inputs are sanitized just as expected.
> Unfortunately the Model->save() fails after the __sanitize call and I
> can't seem to find where/how it is failing. If I remove the
> __sanitize() call then it saves perfectly (with clean inputs of
> course). I know it's a long shot, but do you have any ideas why this
> could be?
>
> Regards,
>
> Graham
Re: sanitizing data with beforeValidate
Hi Ian,

I had a go using your __sanitize() function and while the actual sanitization is working, I don't seem to be able to save my model. If I view the input before calling __sanitize() in beforeValidate() and then after, it proves that the inputs are sanitized just as expected. Unfortunately the Model->save() fails after the __sanitize call and I can't seem to find where/how it is failing. If I remove the __sanitize() call then it saves perfectly (with clean inputs of course). I know it's a long shot, but do you have any ideas why this could be?

Regards,

Graham
Re: sanitizing data with beforeValidate
http://pastebin.co.uk/13204

Usage:

Place the method in your app_model and call it with the beforeValidate callback, also placed in your app_model:

    function beforeValidate() {
        $this->__sanitize($this->data);
        return true;
    }

In every model of your app include the var $allowedChars = array(); In this array name any fields for which special characters must be allowed and what those special characters are. The method includes some "shortcuts" and you can combine multiple shortcuts etc. to get the desired outcome.

Differences from usage guidelines in my previous post are:

1) You can flag a field to be ignored (will be returned without being passed through Sanitize::paranoid - essential for file uploads!)
2) A "serialized" shortcut has been introduced that automatically inserts all the characters you need for a serialized field into the paranoid function.

Simple usage example:

    var $allowedChars = array('emailfield' => array('.', '@', '-', '_'));

Complex usage example:

    var $allowedChars = array(
        'emailfield' => array('default'),
        'descriptionfield' => array('default', 'textarea', 'markdown', '|')
    );

Shortcuts are:

default = basic chars used in most text fields including spaces, punctuation etc.
datetime = basic chars used in datetime fields (' ', '-', ':')
textarea = allows line breaks to be passed through
markdown = for use when using markdown markup in your fields (nothing available for textile I'm afraid)
serialized = for use when trying to save a set of serialized data.

Special shortcut:

ignore = doesn't send the field through paranoid and returns it "as is". So far I have used that only for file upload fields.

Warnings: Because of the way this method is called it will only work when saving data and when the data validation callback is called. It will not work when using inputs to search the database and it will not work if beforeValidate is not called (e.g. the saveField method by default does not call beforeValidate). All use is entirely at your own risk I'm afraid...

Let me know what you think or any improvements you can come up with.

Ian

On Apr 18, 7:20 pm, Poncho <[EMAIL PROTECTED]> wrote:
> Hey Ian,
>
> That code looks pretty nice, could you post the newer version you
> mentioned?
>
> Cheers;
> Poncho
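A stand-alone sketch of the $allowedChars contract Ian describes above, added here as an example. It is not the method on the pastebin and not CakePHP code: the shortcut names ('default', 'datetime', 'textarea', 'markdown', 'serialized', 'ignore') and the literal-extra-character convention are taken from the post, while the character set behind each shortcut, the paranoidStrip() helper (standing in for Sanitize::paranoid) and the sample policy and row are assumptions made for the example.

```php
<?php
// Added example, not the pastebin method and not CakePHP code. It models the
// $allowedChars contract from the post: per-field allowed characters, shortcut
// names that expand to character sets, and an 'ignore' flag. In a model it
// would be wired from beforeValidate() as
//   $this->data[$this->name] = sanitizeFields($this->data[$this->name], $this->allowedChars);
// The character sets below are assumptions, not the post's.

// Shortcut name => characters it contributes (assumed sets).
function sanitizeShortcuts()
{
    return array(
        'default'    => array(' ', '.', ',', '!', '?', '-', '_', '\'', '"', ':', ';', '(', ')', '@'),
        'datetime'   => array(' ', '-', ':'),
        'textarea'   => array("\r", "\n"),
        'markdown'   => array("\r", "\n", ' ', '#', '*', '_', '>', '`', '[', ']', '(', ')', '!', '-', '+', '.'),
        'serialized' => array('{', '}', ':', ';', '"', '.', '-', '_', ' ', '\\'),
    );
}

// Stand-in for Sanitize::paranoid(): drop every character that is not
// alphanumeric or in $allowed. preg_quote() keeps ']', '^', '-' and friends
// literal inside the character class.
function paranoidStrip($value, array $allowed)
{
    $class = '';
    foreach ($allowed as $ch) {
        $class .= preg_quote($ch, '/');
    }
    return preg_replace('/[^a-zA-Z0-9' . $class . ']/', '', $value);
}

// Apply the per-field policy to one row of model data and return the
// cleaned row. Fields without an entry get alphanumerics only.
function sanitizeFields(array $row, array $allowedChars)
{
    $shortcuts = sanitizeShortcuts();
    foreach ($row as $field => $value) {
        $spec = isset($allowedChars[$field]) ? (array) $allowedChars[$field] : array();
        if (in_array('ignore', $spec, true)) {
            continue;                       // returned untouched, e.g. file upload arrays
        }
        $allowed = array();
        foreach ($spec as $item) {
            if (isset($shortcuts[$item])) {
                $allowed = array_merge($allowed, $shortcuts[$item]);   // expand a shortcut
            } else {
                $allowed[] = $item;         // a literal extra character such as '|'
            }
        }
        if (is_string($value)) {
            $row[$field] = paranoidStrip($value, array_unique($allowed));
        }
    }
    return $row;
}

// Constructed policy and input row for the demonstration.
$allowedChars = array(
    'email'       => array('.', '@', '-', '_'),
    'description' => array('default', 'textarea', 'markdown', '|'),
    'created'     => array('datetime'),
    'prefs'       => array('serialized'),
    'upload'      => array('ignore'),
);
$row = array(
    'username'    => 'al<ice>',                      // no entry: alphanumerics only -> 'alice'
    'email'       => 'alice+tag@example.com',        // '+' not allowed: silently becomes another address
    'description' => "## Notes\n\nsee *the* docs | 100% done",   // '%' silently dropped
    'created'     => '2007-04-30 13:02:00',          // unchanged
    'prefs'       => serialize(array('discount' => '10%')),
    'upload'      => array('name' => 'x.png', 'tmp_name' => '/tmp/php1'),   // ignored, returned as-is
);

$clean = sanitizeFields($row, $allowedChars);
foreach ($clean as $field => $value) {
    printf("%-12s %s\n", $field, var_export($value, true));
}
// Stripping inside a serialized blob changes the s:N: lengths, so the result
// no longer unserializes; such fields are better built server-side or flagged 'ignore'.
var_dump(@unserialize($clean['prefs']));    // bool(false)
```

Two things the run makes visible that the usage notes alone do not: the stripping is silent (the '+' in the e-mail address and the '%' in the description simply vanish, which is the problem Graham raises later in the thread about echoing the stored value back to the user), and a character whitelist applied to a serialized string can corrupt it, because the embedded lengths no longer match. Nothing here is output escaping either; data that passed the whitelist still needs HTML-encoding when rendered.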
Re: sanitizing data with beforeValidate
Hey Ian,

That code looks pretty nice, could you post the newer version you mentioned?

Cheers;
Poncho

On Apr 15, 2:41 pm, "ianh" <[EMAIL PROTECTED]> wrote:
> There is this:
> http://groups.google.co.uk/group/cake-php/browse_thread/thread/6257c7...
> which gives a method you could work from. I have developed it a little
> more since, so if that look useful let me know and I will paste up a
> newer version somewhere. Ianh
>
> On 15 Apr, 04:29, "Poncho" <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > I'm trying to automatically sanitize and reformat phone and fax
> > numbers, so I knocked these model methods together but I can't seem to
> > get it working.
> >
> >     function formatPhoneNumbers()
> >     {
> >         if (isset($this->data[$this->name]) && count($this->data[$this->name])) {
> >             $this->log('$this->data[' . $this->name . '] is set and is not empty');
> >             foreach ($this->data[$this->name] as $key => $value) {
> >                 // strpos() returns 0 for a match at the start of the key
> >                 // (e.g. 'fax'), so compare against false instead of relying
> >                 // on truthiness
> >                 if (strpos($key, 'phone') !== false || strpos($key, 'fax') !== false) {
> >                     $this->formatPhone($key);
> >                     $this->log("{$key} is being reformatted");
> >                 }
> >             }
> >         } else {
> >             $this->log('$this->data[' . $this->name . '] is not set or is empty');
> >         }
> >         return true;
> >     }
> >
> >     function formatPhone($field = null)
> >     {
> >         if (isset($this->data[$this->name][$field]) && !empty($this->data[$this->name][$field])) {
> >             // keep digits only
> >             $this->data[$this->name][$field] = preg_replace('/[^0-9]/', '', $this->data[$this->name][$field]);
> >         }
> >         return true;
> >     }
> >
> > This is to be used for all forms, so I put the methods in AppModel and
> > call them with beforeValidate like so:
> >
> >     function beforeValidate()
> >     {
> >         $this->formatPhoneNumbers();
> >         return true;
> >     }
> >
> > Unfortunately, when I run the form with some data (with fields such as
> > 'daytime_phone', 'evening_phone', 'fax'), the form is repopulated with
> > the data without being reformatted and I get the following message
> > logged:
> >
> > 2007-04-15 12:20:09 Error: $this->data[Award] is not set or is empty
> >
> > Any help would be greatly appreciated, I may have just overlooked
> > something.
> >
> > Cheers;
> > Poncho
Re: sanitizing data with beforeValidate
There is this: http://groups.google.co.uk/group/cake-php/browse_thread/thread/6257c749081c4adc/01514bd32d4055ab?lnk=gst&q=sanitize+beforeValidate&rnum=2&hl=en#01514bd32d4055ab which gives a method you could work from. I have developed it a little more since, so if that looks useful let me know and I will paste up a newer version somewhere.

Ianh

On 15 Apr, 04:29, "Poncho" <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm trying to automatically sanitize and reformat phone and fax
> numbers, so I knocked these model methods together but I can't seem to
> get it working.
>
>     function formatPhoneNumbers()
>     {
>         if (isset($this->data[$this->name]) && count($this->data[$this->name])) {
>             $this->log('$this->data[' . $this->name . '] is set and is not empty');
>             foreach ($this->data[$this->name] as $key => $value) {
>                 // strpos() returns 0 for a match at the start of the key
>                 // (e.g. 'fax'), so compare against false instead of relying
>                 // on truthiness
>                 if (strpos($key, 'phone') !== false || strpos($key, 'fax') !== false) {
>                     $this->formatPhone($key);
>                     $this->log("{$key} is being reformatted");
>                 }
>             }
>         } else {
>             $this->log('$this->data[' . $this->name . '] is not set or is empty');
>         }
>         return true;
>     }
>
>     function formatPhone($field = null)
>     {
>         if (isset($this->data[$this->name][$field]) && !empty($this->data[$this->name][$field])) {
>             // keep digits only
>             $this->data[$this->name][$field] = preg_replace('/[^0-9]/', '', $this->data[$this->name][$field]);
>         }
>         return true;
>     }
>
> This is to be used for all forms, so I put the methods in AppModel and
> call them with beforeValidate like so:
>
>     function beforeValidate()
>     {
>         $this->formatPhoneNumbers();
>         return true;
>     }
>
> Unfortunately, when I run the form with some data (with fields such as
> 'daytime_phone', 'evening_phone', 'fax'), the form is repopulated with
> the data without being reformatted and I get the following message
> logged:
>
> 2007-04-15 12:20:09 Error: $this->data[Award] is not set or is empty
>
> Any help would be greatly appreciated, I may have just overlooked
> something.
>
> Cheers;
> Poncho