
How to sanitize input parameters with CMSMS? (the built-in mechanism)

Posted: Mon Jun 15, 2009 6:45 am
by mihai11
Hello,



I am trying to sanitize the input parameters using the mechanism that is built into CMSMS. For this purpose, in the function "SetParameters()" I am defining this:

Code:

function SetParameters()
{
	$this->RestrictUnknownParams();
	$this->SetParameterType('step', CLEAN_STRING);
	$this->mCachable = false;
}
and in the file "action.default.php" I am trying to read the params like this:

Code:

$step = $params['step'];
echo "step = '$step' <br />";

It doesn't matter how I am sending the 'step' parameter to the form - through POST or GET. The 'step' is always empty.

If I am reading the parameters through $_REQUEST, $_POST and $_GET everything seems to work:

Code:

$step = $_REQUEST['step'];
but the variables are not "cleaned".

Please tell me what I am doing wrong.


Note: I am using the CMSMS version 1.5.4.



Regards,
Razvan

Re: How to sanitize input parameters with CMSMS? (the built-in mechanism)

Posted: Mon Jun 15, 2009 8:29 am
by alby
mihai11 wrote:

Code:

$step = $_REQUEST['step'];

You must use the CreateForm/CreateLink APIs for sending.
This creates (roughly) m1_step if you look in $_REQUEST, and step in $params.

Alby

Re: How to sanitize input parameters with CMSMS? (the built-in mechanism)

Posted: Tue Jun 16, 2009 6:35 am
by mihai11
alby wrote:
mihai11 wrote:

Code:

$step = $_REQUEST['step'];

You must use the CreateForm/CreateLink APIs for sending.
This creates (roughly) m1_step if you look in $_REQUEST, and step in $params.

Alby
Thank you for your answer.

I've seen in the "News" plugin that they are using code like this:

Code:

$step = $params['step'];
When should this be used?

Other observations:
1) Can't I just sanitize any parameter that is defined with a call to "SetParameterType"?
2) For a given module I might have many forms on different templates; where should I call the CreateForm/CreateLink APIs? Can you provide a fully functional example?



Regards,
Razvan

Re: How to sanitize input parameters with CMSMS? (the built-in mechanism)

Posted: Tue Jun 16, 2009 8:10 am
by alby
mihai11 wrote:

Code:

$step = $params['step'];

In general, in your target (the Form or Link is your source, with your variables), or they are params in your template tag.

mihai11 wrote: 1) Can't I just sanitize any parameter that is defined with a call to "SetParameterType"?
Yes, if you use a param that is not set you get an error (depending on configuration, it will be displayed or not).

mihai11 wrote: 2) For a given module I might have many forms on different templates; Where should I call the CreateForm/CreateLink APIs?
In your source; for example, create your form with the form API:
CreateFormStart
CreateFormEnd
CreateInputSubmit
CreateLabelForInput
CreateInputText
CreateTextarea
.............
.............

mihai11 wrote: Can you provide a fully functional example?
Look at the source of any "recent" module and play.

Alby
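
What alby describes, as an added example that is not from the thread or from CMSMS itself: an action.default.php that sends `step` through the form API, so it is posted under the module-id prefix and comes back as `$params['step']`. It assumes the SetParameters() from the first post plus a `SetParameterType('submit', CLEAN_STRING)` line for the button; the label text and field sizes are made up.

```php
<?php
// action.default.php of the module (CMSMS 1.x).
// CMSMS includes this file from inside the module object, so $this is the
// module and $id, $params and $returnid are already in scope.
if (!isset($gCms)) exit; // refuse direct requests to this file

// $params holds only values that arrived under the module prefix $id
// (for example m1_step) and were declared with SetParameterType().
// A hand-written <input name="step"> or ?step=... never gets here.
$step = isset($params['step']) ? $params['step'] : '';

// Build the form with the module API. Every field name is prefixed with
// $id automatically, which is what makes it show up in $params on submit.
echo $this->CreateFormStart($id, 'default', $returnid);
echo $this->CreateLabelForInput($id, 'step', 'Step');
echo $this->CreateInputText($id, 'step', '', 10, 20);
// Assumption: the button is sent as a module parameter too, so it is
// declared in SetParameters() next to 'step'.
echo $this->CreateInputSubmit($id, 'submit', 'Next');
echo $this->CreateFormEnd();

// Escape at the point of output no matter what the cleaner already did.
// double_encode = false keeps entities that are already encoded intact.
echo "step = '" . htmlspecialchars($step, ENT_QUOTES, 'UTF-8', false) . "'<br />";
```

Reading `$_REQUEST['step']` directly bypasses both the prefix and the declared parameter type, which is why the value in the first post arrived uncleaned.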