Phalcon形式消毒
[英]Phalcon form sanitize
问题描述
Is there a way in which one can filter data that is auto-completed in a form generated by VOLT.
有没有一种方法可以过滤以VOLT生成的形式自动完成的数据。 Consider the login form: Email/password. 考虑以下登录形式:电子邮件/密码。 When I edit the HTML (in the broser) and send the email as an array (' name="email[] ") I can sanitize it in PHP and 'cast' as en email : 当我编辑HTML(在浏览器中)并以数组形式发送电子邮件(“ name =“ email [] ”)时, 我可以在PHP中对其进行清理,并以“ cast”作为电子邮件 :
$loginEmail = $this->request->getPost("email",'string');
$loginEmail = $this->filter->sanitize($loginEmail, "email");
in order to prevent other attacks. 为了防止其他攻击。 But when making the email field an array VOLT generates an error: 但是,当使电子邮件字段成为数组时,VOLT会产生错误:
"Notice: Array to string conversion in ..."
VOLT form values are populated automatically... VOLT表单值会自动填充...
I know I should disable NOTICES in production but still... 我知道我应该在生产中禁用通知,但仍然...
How can I treat this by using VOLT? 如何使用VOLT进行处理?
EDIT Template sample: 编辑模板示例:
{{ text_field('id':"email","class":"form-control", "size": 32,"placeholder":'Email address') }}
After a var_dump and setting the email string through validation I get at a certain point: 经过var_dump并通过验证设置电子邮件字符串后,我得到了以下几点:
protected '_viewParams' =>
array (size=5)
'title' => string 'Test' (length=5)
'showSlider' => boolean true
'hideUnlogged' => boolean true
'user' => null
'email' => boolean false
BUT the variables are sent to VOLT in an upper layer because it is still set as an ARRAY. 但由于变量仍设置为ARRAY,因此将变量发送到上层的VOLT。
The only viable solution is to make an object or something and get from a config what validation rules to apply to forms (by name) and rewrite the post variable in public/index.php something like this: 唯一可行的解决方案是制作一个对象或某物,并从配置中获取要应用于表单的验证规则(按名称),并在public / index.php中重写post变量,如下所示:
if(isset($_POST['email']))
{
$_POST['email'] = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
}
If anyone has a better solution in which this can be done in a controller rather that this or in a service with event handlers... 如果有人有更好的解决方案,可以在控制器中完成此任务,而不是在具有事件处理程序的服务中完成...
1 个解决方案
解决方案1
2 已采纳 2014-08-28 21:23:48
You can do anything you wish by implementing a custom filter and doing a proper conversion from array to string. 您可以通过实现自定义过滤器并进行从数组到字符串的正确转换来完成任何您想做的事情。
$filter = new \Phalcon\Filter();
//Using an anonymous function
$filter->add('superSanitisedString', function($value) {
if (is_array($value)) {
$value = empty($value) ? '' : reset($value);
}
return (string) $value;
});
//Sanitize with the "superSanitisedString" filter
$filtered = $filter->sanitize($possibleArray, "superSanitisedString");
But… don't bend the stick too much – this is a clear validation job and then sanitisation. 但是……不要过度弯曲棍子–这是一项明确的验证工作,然后进行消毒。 Check that the value is a string, if not – ask to provide one. 检查该值是否为字符串(如果不是)–请提供一个。 It's easier and smarter to protect your app from invalid inputs than from idiots who provide that input :) 保护您的应用程序免受无效输入的攻击比提供这些输入的白痴更容易和更聪明:)
Edit: 编辑:
You can use a custom volt filter which can be added as a service, implement a class with a static method to return the sanitized value and use it in the template. 您可以使用可以作为服务添加的自定义伏特滤波器,使用静态方法实现一个类以返回经过净化的值,并在模板中使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.