Dynamic Input field names for CURL

KMonsefi 26 Jul, 2009
Chronoforms seems to have a problem reading dynamic Input field names for CURL. i.e. In my form I have:

<input type="hidden" name="listname[<?php echo $rows[$i]->id; ?>]" value="<?php echo $rows[$i]->name; ?>">

However, in Chronoform under "Field names from your form", my field name is not listed. I could not figure out how to get this to work, so I ended up working around it by modifying com_chronocontact/plugins/cf_CURL.php:

Comment out the following (around line 257):

/*
if ( trim($row->extra2) ) {
    $extras2 = explode("\n", $row->extra2);
    foreach ( $extras2 as $extra2 ) {
        $values = array();
        $values = explode( "=", $extra2 );
        if ( $values[1] ) {
            $v = urlencode(trim($values[1]));
            $curl_values[$v] = JRequest::getVar(trim($values[0]), '', 'post', 'string', '');
        }
    }
}
*/


Then replace with:
$curl_values =&$_POST;

This way the field names are gathered from the $_POST array, which accurately includes the dynamic field names, making the "Field names from your form" section of Chronoforms unnecessary and unused. However, the "Extra fields Data" box is still used if needed.
Max_admin 26 Jul, 2009
Hi,

This is nice, but the problem is: what if somebody inserted some field into the form HTML and sent it with the other data? Sometimes this may be harmful... like a new variable to make a delete operation or whatever!

Regards,
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
KMonsefi 26 Jul, 2009
Hi Max,

I'm not sure I understand the issue you are describing?

Since the CURL function targets an existing form with existing functionality, the target form should only use variables that it expects. Any variables that are sent with CURL should be available in the original form anyway; therefore I'm not seeing how this could lead to any problems?

Thanks.
GreyHead 27 Jul, 2009
Hi Kmonsefi,

I think that Max is talking about the submitted values rather than the field names. Your hack leaves them unfiltered.

I'll see if I can think of a way to build this into the plugins for a future release.

Bob
Max_admin 27 Jul, 2009
Hi,

Say that you are talking not to your own form but to a payment gateway, which will refund an order when you set parameters called "refund" and "order_id". Now I can insert 2 fields in your form and set their values, and your form will talk to the payment gateway and refund the orders. But if your target form is limited and only expects a few specific variables then you are fine; you have control over the 2 sides, so you may secure it at either one!

Regards
Max
KMonsefi 27 Jul, 2009
Hi Max,

I guess my confusion came from thinking that was what the "Extra fields Data" box was used for. But I do understand now...thanks for taking the time to explain.
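
An added example (not from any poster in this thread and not ChronoForms code) of the alternative the replies point toward: forward only allowlisted fields instead of all of $_POST, while still accepting dynamic names such as listname[ID]. The function name build_curl_values() and the "name[]" allowlist notation are assumptions; it is plain PHP 7+ run against a constructed POST body, and values are only cast to string and trimmed.

```php
<?php
// Added example, not ChronoForms code. build_curl_values() and the
// "name[]" allowlist notation are hypothetical.

/**
 * Copy only allowlisted fields from $post into the outgoing cURL payload.
 * $allowed maps form field => remote parameter name; a form field written
 * as "name[]" accepts an array whose keys must be numeric IDs.
 */
function build_curl_values(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $field => $remote) {
        $isArray = substr($field, -2) === '[]';
        $name = $isArray ? substr($field, 0, -2) : $field;
        if (!array_key_exists($name, $post)) {
            continue;
        }
        $value = $post[$name];
        if ($isArray) {
            if (!is_array($value)) {
                continue; // scalar sent where an array is expected: drop it
            }
            foreach ($value as $id => $item) {
                // Keys are client-controlled too: numeric IDs and scalar values only.
                if (ctype_digit((string) $id) && is_scalar($item)) {
                    $out[$remote][(int) $id] = trim((string) $item);
                }
            }
        } elseif (is_scalar($value)) {
            $out[$remote] = trim((string) $value);
        }
    }
    return $out;
}

// Constructed POST body: expected fields plus the two injected ones from the thread.
$post = [
    'email'    => ' user@example.com ',
    'listname' => ['12' => 'News', '15' => 'Offers', 'x]' => 'bad key'],
    'refund'   => '1',
    'order_id' => '4711',
];
$allowed = ['email' => 'email', 'listname[]' => 'listname'];

$payload = build_curl_values($post, $allowed);
// http_build_query() encodes nested keys as listname[12]=...; decoded here for reading.
echo urldecode(http_build_query($payload)), "\n";
```

The "refund" and "order_id" fields never reach the payload because they are not in $allowed, and the malformed "x]" key is dropped while the dynamic numeric IDs pass through.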