How to clean array before writing in database?
Posted: Sun Aug 12, 2007 4:25 pm
by Papillon
Hello,
in the model file I get some post data from a form:
In the controller.php I get the model and store it to the database:
// fetch the model and store the posted form data
$model = $this->getModel( 'form' );
if ($model->store())
{
    $msg = JText::_( 'Empfehlung gesendet' );
} else ...
After looking into the database I see that HTML tags are stripped, but backslashes are still there. Do I have to do something like "addslashes" to make it secure or is this safe enough?
Thanks for your answers and for reading my bad English. I hope that you understand what I mean.
Papi
Re: How to clean array before writing in database?
Posted: Sun Aug 12, 2007 7:43 pm
by AmyStephen
Papi -
I am not able to answer that question, but I want to point out
How to make your Joomla! addon more secure, a wiki resource that the core developers put together. I am guessing you will find help in that. If you don't though, let us know. Someone else certainly can help with your question.
Thanks!
Amy
Re: How to clean array before writing in database?
Posted: Sun Aug 12, 2007 10:04 pm
by jlleblanc
If your model is eventually using the store() function of JTable objects to add data to the database, it should automatically escape your variables with slashes.
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 7:08 am
by Papillon
Thank you for your answers!
@Amy:
I like this resource very much but I think that some of the parts are especially written for Joomla 1.0. The framework of Joomla 1.5 relieves us of some of the work, but I don't know exactly which work in my case.
@jlleblanc:
I am using in the model some code from weblinks:
function store()
{
    $row =& $this->getTable( );
    $data = JRequest::get( 'post' );

    // Bind the form fields to the table
    if (!$row->bind($data)) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    // Make sure the record is valid
    if (!$row->check()) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    // Store the table to the database
    if (!$row->store()) {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    return true;
}
I noticed the same problem in weblinks when saving the description (is it a problem?): HTML tags are stripped but the special characters are not escaped:
This text
<strong>This is a path: "../html/joomla/components" and this is a backslash \</strong>
is saved in the database as
This is a path: "../html/joomla/components" and this is a backslash \
Shouldn't it be like this?
This is a path: "..\/html\/joomla\/components" and this is a backslash \\
Thanks for helping me.
Papi
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 9:47 am
by CirTap
Hi,
any requirement to strip special characters depends on the context, input source, and output target.
If you'd dump this description text as an argument to an external program (i.e. via shell) there could indeed be issues with the slashes if they're not further escaped/quoted, but the content in this case is supposed to be used as a "text node" in an HTML or XML document, hence / and \ can be considered "safe characters" for this target medium.
Have fun,
CirTap
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 11:53 am
by Papillon
Hello CirTap,
thank you for the answer and the explication. This helps me a lot.
Greetings
Papi
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 12:57 pm
by jlleblanc
Yeah, you're using JTable, it's escaping them.
When you save the escaped variables to the database, the extra slashes do not appear in them. The SQL string going to the database will contain them, but you won't see them in the final database listing.
To get your HTML to come through, make sure that you pass JREQUEST_ALLOWHTML as your second parameter to get():
$data = JRequest::get( 'post', JREQUEST_ALLOWHTML);
However, you must make sure that the HTML is from a trusted source (trusted authenticated user, admin, etc...). It is generally not a good idea to accept straight HTML from anonymous sources if the HTML will be redisplayed back on your website (especially with Javascript XSS attacks).
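The three contexts CirTap and jlleblanc describe (input filtering, escaping for the SQL statement, encoding for HTML output), walked through with the sample string from this thread. This is an added example, not code from the thread or from Joomla; the database escaping is modelled with addslashes() as a stand-in for whatever the driver's escape function is, and strip_tags() stands in for the default filtering of JRequest::get().

```php
<?php
// Added example: escaping is per target, and the slashes added for the SQL
// transport never land in the stored value.

// Constructed input, identical to the one posted earlier in this thread.
$input = '<strong>This is a path: "../html/joomla/components" and this is a backslash \\</strong>';

// 1. Input filtering: JRequest::get('post') without JREQUEST_ALLOWHTML strips
//    tags. strip_tags() is used here as a stand-in (assumption).
$filtered = strip_tags($input);

// 2. SQL transport: the value is escaped for the query string only.
//    addslashes() models the driver escaping (assumption); it puts a
//    backslash in front of the quotes and the backslash.
$escaped = addslashes($filtered);
$sql     = "INSERT INTO jos_weblinks (description) VALUES ('" . $escaped . "')";

// 3. What the database stores: the SQL parser consumes the escaping
//    backslashes, so the stored value equals the filtered value. That
//    round trip is simulated here with stripslashes().
$stored = stripslashes($escaped);

// 4. Output context: HTML text node. Encode for this target, not the SQL
//    one. / and \ need nothing here, but " and < do.
$html = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

echo "Filtered : $filtered\n";
echo "SQL      : $sql\n";
echo "Stored   : $stored\n";
echo "HTML     : $html\n";

// The thread's two questions, answered by the values themselves:
// no extra slashes survive the round trip, but the query string carried them.
var_dump($stored === $filtered);                // bool(true)
var_dump(strpos($sql, '\\\\') !== false);       // bool(true)
```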
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 2:11 pm
by Papillon
Thank you for the clarification, Joseph. I don't want to accept HTML from the form. I only noticed that HTML is stripped and the rest isn't escaped.
Hence
is the right thing to me.
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 5:50 pm
by bascherz
AmyStephen wrote: Papi -
I am not able to answer that question, but I want to point out
How to make your Joomla! addon more secure, a wiki resource that the core developers put together. I am guessing you will find help in that. If you don't though, let us know. Someone else certainly can help with your question.
Thanks!
Amy
Whoa! Great information.
BUT GUESS WHAT?! When I went to the link in Amy's post I was not logged in and yet I saw "Edit" links all over the page!! I am sure this was unintentional.
EDIT: This occurs with all pages rooted at
http://dev.joomla.org/component/option,com_jd-wiki
I am logged into the forum only, not into dev.joomla.org and I am able to see "Edit" links. Is this intentional? If so, we can start adding content from this group NOW! But my guess is that this is an oversight on someone's part.
Re: How to clean array before writing in database?
Posted: Mon Aug 13, 2007 6:07 pm
by Chris Davenport
Don't panic!!! The wiki is not wide open. Although the Edit buttons appear, if you actually try to save any changes, or even preview them, you will get "Permission Denied".
Ian has been looking into changing the access control for the wiki to allow collaborative development of the new template tutorial. I'd also like to see an area of the dev wiki set aside for this group. Just give us a bit of time to work through the issues. We have to be careful as the joomla.org domain is high-volume and is under constant attack by spammers.
Regards,
Chris.
Re: How to clean array before writing in database?
Posted: Tue Aug 14, 2007 1:04 pm
by Rogue4ngel
That would be outstanding Chris. With the collective work we have so far in this forum, I can foresee it being quite a work that will be a wonderful resource for our joombies!
Thanks for your efforts on this.