Chronoform v4 serverside filtering and validation

danielrt9 11 Oct, 2012
I am new to Chronoforms and serverside form validation in general.

I am using Chronoforms v4 on Joomla 2.5.7

I have created a form with fields including name(textbox), email(textbox), phone(textbox) and comment(textarea).

I have applied auto serverside validation for name(alpha), email(email) and phone(phone) quite easily but there doesn't appear to be any auto serverside validation suitable for a textarea field.

Questions:

1. Does Chronoforms v4 do any server filtering/sanitization/validation on textarea fields by default?

2. If not, is there a standard custom serverside filtering/sanitization/validation script for textareas that people use?

3. Could someone please provide example code. The textarea just needs to be able to accept alpha, numbers and common characters used in sentences such as commas, full stops, question marks, etc. All html, javascript, php, malicious code, etc should be deleted.

Thanks in advance
GreyHead 11 Oct, 2012
Hi danielrt9,

1. Does Chronoforms v4 do any server filtering/sanitization/validation on textarea fields by default?

No, none at all. This has pluses and minuses. On the minus side, there is a risk of corrupt, unwanted or malicious content being posted. On the plus side, as a user you can choose to accept any content you want without ChronoForms messing it up.

2. If not, is there a standard custom serverside filtering/sanitization/validation script for textareas that people use.

PHP has some quite good filters and sanitizers available and Joomla! has many of them available as methods.

To implement them in ChronoForm use either the Serverside Validation action (if you want the ability to handle errors) or the Custom Code action if you just want to sanitize.

With sanitization, you have a choice of approaches; you can either (a) accept the values that ChronoForms has loaded into the $form->data array; or (b) you can re-load directly from the $_POST array and over-write the ChronoForms values in the $form->data array. The main difference is that (a) requires you to use the PHP sanitisers but protects any previous processing that may have been done while (b) allows you to use the Joomla! methods. In most cases (b) is simpler and equally effective.

The Joomla! methods take the general form
JRequest::getVar('input_name', 'default_value', 'source', 'type', 'mask');

The input name is the name of the form input (or the URL query string entry). It is the only required parameter.

The default value will be used if there is no input with the specified input name and source.

The source will usually be 'post' (though 'get' and 'cookie' are also available). If you leave this empty then any source with a value will be used.

The type specifies the kind of data that is expected and hence the sanitisation that will be applied. Values are: INT or INTEGER, FLOAT, DOUBLE, BOOL or BOOLEAN, WORD, ALNUM, CMD, BASE64, STRING, ARRAY, PATH, USERNAME

There is a shortcut to using the most common types by using JRequest::getInt(), JRequest::getString(), etc. instead of JRequest::getVar().

Lastly the Filter Masks are: JREQUEST_NOTRIM - prevents trimming of whitespace; JREQUEST_ALLOWRAW - bypasses filtering; JREQUEST_ALLOWHTML - allows most HTML.

If JREQUEST_ALLOWHTML is not passed in, HTML is stripped out by default.

So, here are some examples:
<?php
$form->data['some_integer'] = JRequest::getInt('some_integer', 0);
$form->data['some_string'] = JRequest::getString('some_string', 'empty', 'post');
$form->data['some_textarea'] = JRequest::getString('some_textarea', '', 'post');
?>


Note: mostly from the Joomla! docs here

FYI: ChronoForms uses
$form->data = JRequest::get('post', JREQUEST_ALLOWRAW);


If you want to use the PHP approach the docs on Sanitize and Validate filters are here

Bob
danielrt9 11 Oct, 2012
Hi Greyhead

Thanks for the detailed response.

Could you please provide an example script using the Joomla methods and the Serverside Validation action with error handling.

Thanks
GreyHead 12 Oct, 2012
Hi danielrt9,

What exactly do you want to validate and what do you want to happen when there is an error or a failure?

Bob
danielrt9 14 Oct, 2012
Hi Greyhead

I was thinking along the lines of how auto serverside validation works, that is, when the input is invalid an error message is displayed at the top of the form informing the user what type of data is acceptable. Basically I would like the user to be able to input a-z, A-Z, 0-9 and $?@.,

Would it be possible to do a validation for this? The error message could just state something like
You may only use the following characters a-z, A-Z, 0-9 and $?@.,


Please let me know if you think I'm approaching this in the wrong way.

Do you think the above validation would be secure? Would I also need to use the getString() method?

Thanks for your help.
GreyHead 14 Oct, 2012
Hi

Here's the basic code to use in a Custom Serverside Validation action to do that. This version checks both that the input has a value and that the value includes only the permitted characters.
<?php
// validate required
if ( !isset($form->data['input_name']) || trim($form->data['input_name']) == '' ) {
  $form->validation_errors['input_name'] = 'Input name is required';
  return false;
}
// validate character set: \A and \z anchor the whole value (no /m flag), so a
// multi-line value cannot pass just because one of its lines is clean;
// newlines and spaces are not in the permitted set
$form->data['input_name'] = trim($form->data['input_name']);
if ( !preg_match('/\A[a-z0-9$?@.,]+\z/i', $form->data['input_name']) ) {
  $form->validation_errors['input_name'] = 'You may only use the following characters a-z, A-Z, 0-9 and $?@., in Input name';
  return false;
}
?>

Bob
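The following is an added example, not code from the thread or from the ChronoForms project: it packages the required-plus-character-set check from Bob's post above into a function and runs it against a few constructed inputs as a plain `php` script, so the behaviour can be checked outside Joomla (Bob's first post describes the sanitize-versus-validate choice; this covers the validate path). ChronoForms supplies the real `$form` object inside a Custom Serverside Validation action; the `FakeForm` class, the `validate_textarea` function name and the sample strings are assumptions made for this example.

```php
<?php
// Added example (not from the thread or ChronoForms): stand-alone check of the
// textarea validation logic. Run with: php validate_textarea.php

// Minimal stand-in (hypothetical) for the $form object ChronoForms passes in.
class FakeForm
{
    public $data = array();
    public $validation_errors = array();
}

// Permitted characters as stated in the thread: a-z, A-Z, 0-9 and $ ? @ . ,
// \A and \z anchor the whole string (no /m flag), so a multi-line value cannot
// pass by having only one clean line. Newlines and spaces are deliberately not
// in the set; add \s to the class if the textarea should accept them.
const TEXTAREA_PATTERN = '/\A[a-z0-9$?@.,]+\z/i';

/**
 * Validate $form->data[$name]: required, then restricted to the permitted set.
 * Returns true on success; on failure records a message in
 * $form->validation_errors[$name] and returns false, following the
 * Custom Serverside Validation convention used in the thread.
 */
function validate_textarea($form, $name)
{
    if (!isset($form->data[$name]) || trim($form->data[$name]) === '') {
        $form->validation_errors[$name] = ucfirst($name) . ' is required';
        return false;
    }
    $form->data[$name] = trim($form->data[$name]);
    if (!preg_match(TEXTAREA_PATTERN, $form->data[$name])) {
        $form->validation_errors[$name] =
            'You may only use the following characters a-z, A-Z, 0-9 and $?@., in '
            . ucfirst($name);
        return false;
    }
    return true;
}

// Constructed sample inputs: value => expected result of the check.
$samples = array(
    'Hello,world.'              => true,   // only permitted characters
    ''                          => false,  // required check fails
    '   '                       => false,  // whitespace only counts as empty
    '<script>alert(1)</script>' => false,  // HTML/JS rejected by the character set
    "ok\n<b>bold</b>"           => false,  // second line would slip through with /m
    'price$9.99?'               => true,
);

foreach ($samples as $value => $expected) {
    $form = new FakeForm();
    $form->data['comment'] = $value;
    $ok = validate_textarea($form, 'comment');
    printf("%-30s => %s%s\n",
        json_encode($value),
        $ok ? 'accepted' : 'rejected',
        $ok === $expected ? '' : '  (UNEXPECTED)');
    if (!$ok) {
        echo '    error: ', $form->validation_errors['comment'], "\n";
    }
}
```

To use it in ChronoForms, keep only the `validate_textarea` function body with `$form` and the real input name, as in Bob's snippet; the `FakeForm` class and the sample loop exist only so the check can be exercised locally. The multi-line sample is the case worth keeping in any local test: with a `/m` flag on the pattern, `^` and `$` match at line boundaries and an input whose first line is clean is accepted regardless of what follows.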
danielrt9 14 Oct, 2012
Thanks very much, might have to buy you a beer!