Is there shorter syntax than this for saving the results of a $_POST ?
From: Murray Collingwood <mur...@focus-computing.com.au>
To: propel-users@googlegroups.com
Date: Fri, 9 Nov 2012 08:48:37 +1000
Subject: Re: [propel] Is there shorter syntax than this for saving the results of a $_POST ?
FYI I have a function like this that I use for processing these requests.
I refer here to a "form_prefix" - this is something like "gm_", and for all of
the parameters that start with this prefix I then look for field names.
I've also standardised that all date fields begin with the text "date", all
date/time fields begin with "time", and if it's just a time field it begins
with "hm".
I've also decided that any blank entry is automatically changed to a null,
and values of "true" and "false" (as strings) become booleans.
    // $gmform->form_prefix is the form's prefix (e.g. "gm_"); $prefixlength is
    // presumably strlen($gmform->form_prefix). $fieldlist holds the field names
    // this form is allowed to set, and $obj is the Propel object being populated.
    foreach ($_REQUEST as $parm => $value) {
        if (substr($parm, 0, $prefixlength) == $gmform->form_prefix) {
            $fieldname = substr($parm, $prefixlength);
            // Only whitelisted field names are ever turned into a setter call.
            if (array_search($fieldname, $fieldlist) !== false) {
                $setfield = "set" . ucfirst($fieldname);
                if (substr($setfield, 0, 7) == "setDate")
                    $value = format_mydate($value);
                else if (substr($setfield, 0, 7) == "setTime")
                    $value = format_mytime($value);
                else if (substr($setfield, 0, 5) == "setHm")
                    $value = format_myhhmm($value);
                // Blank becomes null; the strings "true"/"false" become booleans.
                if ($value === "")
                    $value = null;
                else if ($value === "true")
                    $value = true;
                else if ($value === "false")
                    $value = false;
                $obj->$setfield($value);
            }
        }
    }
HTH
Murray
On 9 November 2012 02:00, Bret Truchan <clon...@gmail.com> wrote:
> Thanks William,
>
> No worries. I figured if there were some short-cut, I'd ask before
> getting too far. Ha ha ha. Thanks for the reminder about $_POST variables
> and mass assignment. I changed my code to use the built in codeigniter
> classes for fetching GET and POST variables which do some cleansing. I
> haven't decided how to deal with the mass assignment issue yet. I'll read
> up on it and figure out a solution.
>
> - Bret
>
> On Thursday, November 8, 2012 5:43:40 AM UTC-8, William DURAND wrote:
>>
>> You should not use `fromArray($_POST)`, filter the $_POST parameters
>> before or you will end up with a mass assignment vulnerability. Read:
>>
>> * https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
>> * http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/
>>
>> And I think your last snippet is already simple and short. Not sure if
>> you can write less code ;)
>>
>> William
>>
>> --
>> William Durand | http://www.williamdurand.fr
>>
>>
>> On Thu, Nov 8, 2012 at 7:10 AM, Bret Truchan <clo...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I'm writing my first form handling code in Propel. So far inserting a
>>> new record looks like this:
>>>
>>> $community = new Community();
>>> $community->fromArray($_POST);
>>> $community->save();
>>>
>>> First, is this a common way to handle form posts? Secondly, if so, is
>>> there any cool shortcuts I can take to reduce the syntax? For example, my
>>> update code looks like this:
>>>
>>> CommunityQuery::create()->filterById($community_id)->update($_POST);
>>>
>>> Thanks,
>>> - Bret
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Propel Users" group.
>>> To view this discussion on the web visit https://groups.google.com/d/msg/propel-users/-/zmo9zjBRm-4J.
>>> To post to this group, send email to propel...@googlegroups.com.
>>> To unsubscribe from this group, send email to propel-users...@googlegroups.com.
>>> For more options, visit this group at http://groups.google.com/group/propel-users?hl=en.
>>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Propel Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/propel-users/-/NdLOA3gFKEUJ.
> To post to this group, send email to propel-users@googlegroups.com.
> To unsubscribe from this group, send email to
> propel-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/propel-users?hl=en.
>
--
Murray Collingwood
Focus Computing
ph +61 7 3175 0575
mob +61 415 24 26 24
http://www.focus-computing.com.au
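The prefix-plus-whitelist approach Murray describes, and William's point that `fromArray($_POST)` hands every posted key to a setter, as one added example that is not code from the thread or from Propel. The `Community` class and its setters, the `normalizeDate()` helper (a stand-in for the thread's `format_mydate()`), the `gm_` prefix usage and the sample form values are all constructed here for illustration.

```php
<?php
// Added example, not code from the thread or from Propel: a prefix-plus-whitelist
// form binder in the style Murray describes, shown against a constructed model.
// The Community class, its setters, normalizeDate() (a stand-in for the thread's
// format_mydate()) and the sample form values are all invented for illustration.

final class Community
{
    public ?string $name = null;
    public ?string $dateFounded = null;   // kept as Y-m-d
    public ?bool $isPublic = null;
    public bool $isAdminOnly = false;      // sensitive column: must never come from a form

    public function setName(?string $v): void { $this->name = $v; }
    public function setDateFounded(?string $v): void { $this->dateFounded = $v; }
    public function setIsPublic(?bool $v): void { $this->isPublic = $v; }
    public function setIsAdminOnly(bool $v): void { $this->isAdminOnly = $v; }
}

// Accept d/m/Y or Y-m-d and return Y-m-d; null when the text does not parse
// exactly (so "31/02/2012" is rejected instead of rolling over into March).
function normalizeDate(string $raw): ?string
{
    foreach (['d/m/Y', 'Y-m-d'] as $fmt) {
        $dt = DateTimeImmutable::createFromFormat('!' . $fmt, $raw);
        if ($dt !== false && $dt->format($fmt) === $raw) {
            return $dt->format('Y-m-d');
        }
    }
    return null;
}

/**
 * Copy prefixed request parameters onto $obj, but only for names in $allowed.
 * Anything else in the request is dropped, which is what keeps a column such
 * as isAdminOnly out of reach of fromArray($_POST)-style mass assignment.
 *
 * @param array<string,mixed> $request  e.g. $_POST
 * @param list<string>        $allowed  field names this form is permitted to set
 * @return list<string>                 field names that were actually applied
 */
function bindFormFields(object $obj, array $request, string $prefix, array $allowed): array
{
    $applied = [];
    $prefixLength = strlen($prefix);

    foreach ($request as $param => $value) {
        if (!is_string($value) || strncmp((string) $param, $prefix, $prefixLength) !== 0) {
            continue;                           // wrong prefix, or array-valued input
        }
        $field = substr((string) $param, $prefixLength);
        if (!in_array($field, $allowed, true)) {
            continue;                           // not whitelisted: never reaches a setter
        }
        $setter = 'set' . ucfirst($field);
        if (!method_exists($obj, $setter)) {
            continue;                           // whitelist/model mismatch: skip, don't fatal
        }

        // Thread conventions: date* fields normalized, "" -> null, "true"/"false" -> bool.
        if (strncmp($field, 'date', 4) === 0) {
            $value = normalizeDate($value);
        }
        if ($value === '') {
            $value = null;
        } elseif ($value === 'true') {
            $value = true;
        } elseif ($value === 'false') {
            $value = false;
        }

        $obj->$setter($value);
        $applied[] = $field;
    }
    return $applied;
}

// Constructed request: a well-formed form plus two parameters that must be ignored.
$post = [
    'gm_name'        => 'Propel Users',
    'gm_dateFounded' => '08/11/2012',
    'gm_isPublic'    => 'true',
    'gm_isAdminOnly' => 'true',   // not in the whitelist
    'csrf_token'     => 'abc',    // wrong prefix
];

$community = new Community();
$applied = bindFormFields($community, $post, 'gm_', ['name', 'dateFounded', 'isPublic']);

assert($applied === ['name', 'dateFounded', 'isPublic']);
assert($community->isAdminOnly === false);      // the smuggled field never landed
assert($community->dateFounded === '2012-11-08');
assert($community->isPublic === true);
echo "bound: " . implode(', ', $applied) . PHP_EOL;
```

The whitelist is owned by the form, not derived from the request or from the model's column list, so a parameter the form never defined (here `gm_isAdminOnly`) is dropped before any setter is chosen. Returning the list of applied fields also gives the caller something to log, which is useful when diagnosing why a submitted value did not land.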