Trimming and stripping posted data

menchee 11 Aug, 2009
1) After submitting - are the inputs trimmed?
2) After submitting - are the inputs stripped?
2a) If no - where can I handle the posted inputs before they are stored in the database, and how do I refer to them?
2b) If yes - does the script use 'mysql_real_escape_string()' or just 'addslashes()'?
2c) If yes, how can I allow specific characters (html or other)?

Thanks,
Emanuel.
nml375 11 Aug, 2009
Hi Emanuel,
The submitted inputs are retrieved using the JRequest::get() class method. This does a limited set of sanity checks on the input data. To alter them, you could use the JRequest::get() and JRequest::set() methods; this could be done in any code segment run before the auto-generated code (serverside validation, before email (if email is enabled), after email (if db storage is done after email)).

During the actual database storage, a JTable class matching your database table is used, so the necessary SQL quoting will be done "on-the-fly". As such, any submitted data should be stored to the database safely without being mangled.

Hope this answers your questions.
/Fredrik
menchee 11 Aug, 2009
Thanks Fredrik.
You gave me a direction, though there is still a smoke screen ahead of me...

If I understand you - I shouldn't worry about the stored data since the JTable class takes care of trimming and stripping.
If so, what should I do if I want to allow specific html tags?

I still have to take care of the email part (otherwise malicious code might be sent by email).
Should I post new variables (from the serverside validation code) and use them in the email template instead of the {field_name} or should I set the variable with the same name of the field I validated:
JRequest::setVar('email','validated_email','post','string','');

Where 'email' is the field which posted originally?

And - until now I didn't have any success in posting a variable from the serverside validation.
This is the code I tried:

JRequest::setVar('myvar','My own variable','post','string','');

Then in the form html code I tried to detect the 'myvar' using:
JRequest::getVar('myvar', '', 'post');

and also:
echo $_POST['myvar'];

But with no success.

What do I miss?
Emanuel.
nml375 11 Aug, 2009
Well, almost..
The JTable class will do the needed escaping/quoting to avoid SQL injections, but it will not care for HTML codes. The data for the db storage is retrieved using JRequest::get('post', ALLOW_RAW), this will simply return a copy of $_POST, so there will be no extended filtering done here.

The syntax for JRequest::setVar() is slightly different from the ::getVar() counterpart. Try something like this:
JRequest::setVar('email', 'validated_email', 'post', true);

True means overwrite previous value. Using false instead would retain the old value.

Hope this clears up some of the fog.
/Fredrik
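Putting Fredrik's two answers together (JRequest::get()/setVar() run in a code box before the auto-generated code, JTable only quoting for SQL and not touching HTML), here is an added example of a server-side validation snippet that whitelists a few HTML tags and writes the cleaned values back under the original field names. It is not code from the thread or from ChronoForms/Joomla; it assumes the Joomla 1.5 JRequest and JFilterInput APIs, a form with fields named 'email' and 'comment', and the ChronoForms convention that a non-empty return value from the validation box aborts the submission with that message.

```php
<?php
// Added example, not from the original thread. Intended for the ChronoForms
// "server side validation" box, which runs before the e-mail and DB storage
// code. Field names 'email' and 'comment' are assumptions.
defined('_JEXEC') or die('Restricted access');

jimport('joomla.filter.filterinput');

// 1) Plain-text field: the 'string' filter of JRequest::getVar() trims the
//    value and strips every tag, which is what we want for an address.
$email = trim(JRequest::getVar('email', '', 'post', 'string'));

// Minimal syntactic check; returning a string stops the submission
// (ChronoForms convention, assumed here).
if (!preg_match('/^[^\s@]+@[^\s@]+\.[^\s@]+$/', $email)) {
    return 'Please enter a valid e-mail address.';
}

// 2) HTML field: fetch the raw value (JREQUEST_ALLOWRAW disables the default
//    tag stripping), then keep only a whitelist of tags and attributes.
//    tagsMethod = 0 and attrMethod = 0 select whitelist mode in JFilterInput.
$rawComment = JRequest::getVar('comment', '', 'post', 'string', JREQUEST_ALLOWRAW);
$filter     = JFilterInput::getInstance(array('b', 'i', 'p', 'a'), array('href'), 0, 0);
$comment    = $filter->clean($rawComment, 'html');

// 3) Write the cleaned values back under the ORIGINAL field names. Both the
//    {email}/{comment} placeholders in the e-mail template and the JTable
//    storage (which reads $_POST through JRequest::get('post', ...)) then see
//    the sanitised data. The fourth argument true means "overwrite".
JRequest::setVar('email', $email, 'post', true);
JRequest::setVar('comment', $comment, 'post', true);
?>
```

Because the cleaned values are stored under the same names as the posted fields, no new {placeholder} is needed in the e-mail template; the existing {email} and {comment} pick up the filtered content. Anything that only needs SQL escaping can be left alone, since JTable already quotes it on the way into the database.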
menchee 11 Aug, 2009
I tried, but with no success.
I also played with the Renew Form Instance On Submit (General tab), but it didn't change.
The new value of the variable doesn't show in the input field during republish or in the result (I tested it with debug set to ON).

Thanks for taking the time to help and for your patience to detail everything so clearly.
Emanuel.