Quick and dirty, very ugly, form example

calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Quick and dirty, very ugly, form example

Post by calguy1000 »

Okay.... here you will find a simple example form that I put into one of my pages on my test site.
This was done purely as an example as to how to do inline forms in CMS Made Simple. Of course things can get more complex.... but what it illustrates is that CMS Made Simple does not prevent you from coding your own forms, etc.

Notice I did not use a UDT.  I did the code inline (remember to set the use_smarty_php_tags variable to true in the config.php).

```smarty
{php}
// Default value shown in the input field
$count = 5;
if( isset( $_REQUEST['submit'] ) )
  {
      if( isset( $_REQUEST['count'] ) ) {
        // The (float) cast means only a number is ever echoed back
        $square = (float) $_REQUEST['count'];
        $square = $square * $square;
        echo "The Result is: $square<br/>";
     }
  }
{/php}
{* PHP_SELF can contain request-supplied path text, so escape it *}
<form method="post" action="{$smarty.server.PHP_SELF|escape}">
<label for="count">Count</label>:
<input id="count" name="count" type="text" maxlength="10" size="10" value="{php}echo $count;{/php}">
<input type="submit" name="submit" value="Go">
</form>
```
Maybe in a bit I'll do an example that opens another database connection because that has a sneaky little trick or two.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Pierre M.

Re: Quick and dirty, very ugly, form example

Post by Pierre M. »

Thank you Calguy.

Newbies, please notice:
Calguy says it is dirty and very ugly. Indeed, the point is to demonstrate that CMS Made Simple does not prevent you from coding your own forms.
But know what you are doing: if you don't use UDTs and open the use_smarty_php_tags variable wide, you have to trust with your life anybody accessing your system. Don't set use_smarty_php_tags to true unless you want your site hacked.

BTW, before coding, anybody can try the FormBuilder and FormBrowser CMSms modules (although they can't do math).

Pierre M.

Re: Quick and dirty, very ugly, form example

Post by calguy1000 »

Here's the same form done as a single UDT.

```php
// Default value shown in the input field
$count = 5;
if( isset( $_REQUEST['submit'] ) )
  {
      if( isset( $_REQUEST['count'] ) ) {
        // The (float) cast means only a number is ever echoed back
        $square = (float) $_REQUEST['count'];
        $square = $square * $square;
        echo "The Result is: $square<br/>";
     }
  }
// PHP_SELF can contain request-supplied path text, so escape it before output
echo '<form method="post" action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'">';
echo '<label for="count">Count</label>';
echo "<input id=\"count\" name=\"count\" type=\"text\" maxlength=\"10\" size=\"10\" value=\"$count\">";
echo '<input type="submit" name="submit" value="Go">';
echo '</form>';
```
hexdj
Power Poster
Posts: 415
Joined: Sat Mar 24, 2007 8:28 am

Re: Quick and dirty, very ugly, form example

Post by hexdj »

Thanks ;D
Last edited by hexdj on Sat Jan 26, 2008 5:29 pm, edited 1 time in total.

Re: Quick and dirty, very ugly, form example

Post by calguy1000 »

No..... you just follow the instructions with each example.....

In the first example you have to turn on use_smarty_php_tags in config.php.

In the second example, you just create the UDT, and call it with {my_udt_name} in your template or page content.
tyman00
Power Poster
Posts: 906
Joined: Tue Oct 24, 2006 5:59 pm

Re: Quick and dirty, very ugly, form example

Post by tyman00 »

Pierre M. wrote: Newbies
That's me.

With your post are you saying that Calguy's first example leaves the forms open to hacking when you turn on PHP smarty tags or did you mean that anyone that has access to the admin panel can hack the site with PHP smarty tags turned on?

I am not using CMSMS for forms, but I am trying to learn PHP security and general web-based security.

Where did you all learn about all the security? I read some documents and I get confused, any recommendations for a starting point for newbies interested in PHP/Web-programming security?
If all else fails, use a bigger hammer.
M@rtijn wrote: This is a community. This means that we work together and have the same goal (a beautiful CMS), not that we try to put people down and make their (voluntary) job as difficult as can be.
Pierre M.

Re: Quick and dirty, very ugly, form example

Post by Pierre M. »

Hello,

Disclaimer: I'm not a security expert.
I "mean that anyone that has access to the admin panel can hack the site with PHP smarty tags turned on" because it allows putting unlimited code anywhere.
So using the FormBuilder module is safer than coding. My advice is to (safely) code only when you require a feature that out-of-the-box CMSms/modules can't do (e.g. math computations in the above example).

Pierre M.
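
An added example (not written by any poster in this thread and not CMS Made Simple code) of what coding the squaring form "safely" can look like: server-side validation of the field, escaping of every value written into the page, and no reliance on the browser's maxlength. It is a standalone PHP 7+ script; `h()` and `render_square_form()` are hypothetical names and the sample requests are constructed.

```php
<?php
// Added example (not from the thread); function names are hypothetical.

// Escape a value for use in HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build the form (and the result, if any) from the submitted fields.
// $post is normally $_POST and $selfUrl normally $_SERVER['PHP_SELF'].
function render_square_form(array $post, string $selfUrl): string
{
    $shown = '5';   // default field value, as in the thread's example
    $msg   = '';

    if (isset($post['submit'], $post['count']) && is_string($post['count'])) {
        $raw = trim($post['count']);
        // maxlength="10" is only a browser hint, so enforce it here as well.
        $num = strlen($raw) <= 10 ? filter_var($raw, FILTER_VALIDATE_FLOAT) : false;
        if ($num === false || !is_finite($num * $num)) {
            $msg = '<p>Please enter a number.</p>';
        } else {
            $shown = $raw;   // redisplay only input that passed validation
            $msg = '<p>The Result is: ' . h((string) ($num * $num)) . '</p>';
        }
    }

    return $msg
        . '<form method="post" action="' . h($selfUrl) . '">'
        . '<label for="count">Count</label>: '
        . '<input id="count" name="count" type="text" maxlength="10" size="10" value="' . h($shown) . '">'
        . '<input type="submit" name="submit" value="Go">'
        . '</form>';
}

// Constructed sample requests: a valid number, then markup in both inputs.
echo render_square_form(['submit' => 'Go', 'count' => '12'], '/index.php'), "\n";
echo render_square_form(['submit' => 'Go', 'count' => '<b>x</b>'], '/index.php/"><b>'), "\n";
```

Inside a UDT, the two sample calls would become a single `echo render_square_form($_POST, $_SERVER['PHP_SELF']);`. If the tag can appear more than once on a page, wrap the function definitions in `function_exists()` checks so they are not declared twice.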

Re: Quick and dirty, very ugly, form example

Post by tyman00 »

Ok, I already knew that. You had me worried that there were more security issues with Smarty PHP tags than just in the admin side.
bterkuile
Forum Members
Posts: 97
Joined: Sun Jul 22, 2007 11:48 am

Re: Quick and dirty, very ugly, form example

Post by bterkuile »

Don't forget the good old JavaScript for doing calculations :)

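```html
The square is: <span id="result"></span><br />
<!-- document.getElementById replaces the library-only $() helper; textContent writes the result as plain text -->
<input type="text" id="count" value="5"/><button type="button" onclick="document.getElementById('result').textContent=document.getElementById('count').value*document.getElementById('count').value;">Go</button>
```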

Re: Quick and dirty, very ugly, form example

Post by calguy1000 »

This example (done entirely in smarty) should work too.

```smarty
{if isset($smarty.post.submit)}
  <p>Result = {$smarty.post.count * $smarty.post.count}</p>
{/if}
{* PHP_SELF can contain request-supplied path text, so escape it *}
<form method="post" action="{$smarty.server.PHP_SELF|escape}">
<label for="count">Count</label>:
{* $count is not defined in this Smarty-only version, so the default is written out *}
<input id="count" name="count" type="text" maxlength="10" size="10" value="5">
<input type="submit" name="submit" value="Go">
</form>
```

Re: Quick and dirty, very ugly, form example

Post by calguy1000 »

Try taking the action= parameter out, so you just have ....