Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
2 + 4 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
   

Re: Module development - AddElement
by birdseed on 2006/7/13 16:47:24

Hi

Some ways to write secure code:

- turn off register_globals
- assign $_POST and $_GET Variables at the beginning of the script to the variables with whom you wanna work
- Let your objects inherit from XoopsObject (uh I'm afraid they changed it do xo something in 2.0.14.)
- use $ts->addSlashes($postVariable) before inserting the content of textboxes to sql strings (sql injection)
- praise that there is no D.O.S Attack (denial-of-service). The main weak point in XOOPS is the search function (oops, I should keep that secretly )
- use insert/update/delete SQL statements only in POST Request, this is pseudo-safe, but it works for non-professional users

greetings
MK
Re: Module development - AddElement
by jegelstaff on 2006/7/13 14:11:17

And, 4. Use Liase or Formulaire or Formulize depending on the nature of the application you're trying to build.

What is it exactly that you're trying to create?

--Julian
Re: Module development - AddElement
by Shiva on 2006/7/13 10:40:47

That does seem a very good way to do it.

There appears to be 3 main approaches to developing interfaces:
1. Use Smarty Templates
- Total control over layout, slower, less secure

2. Use XoopsForm
- Very secure, More difficult to Maintain, Less control over layout

3. Use Both
- Very secure & Good control over layout

Using option 3 as Julian has suggested seems like the best aproach for someone about to start on a new project.

Can anyone give any pointers regarding Security? What should one be trying to keep secure? How can XOOPS Core help?

Are security tokens implemented automatically using the XOOPS hidden elements?

Thanks again guys, still just getting to grips with it all.
Re: Module development - AddElement
by jegelstaff on 2006/7/12 18:10:48

Quote:

leostotch wrote:
XoopsForm actually fails to separate busyness logic from presentation logic, as it makes form elements created in PHP code, and thus prevents templates designer to have any real control on the presentation they want to have: if the programer decided that a field should be a selectbox, there is no way to use checkboxes or anything else instead.


Could you explain this further? I'm not sure this is correct. I think it all depends on how good the programmer is at using the class effectively.

The XoopsForm class just gives you a way of outputting HTML form elements in your page without having to manually create all the HTML necessary for the element.

This is especially useful when dealing with large option lists since adding an array of options to the element object is a lot nicer than the alternative. It's generally a lot cleaner to read too, at least if you're a programmer.

I agree that rendering the entire form as a unit through the XoopsForm class does limit your presentation options, however you are aware that each element can be rendered individually using its own render method? ie, something like this (I have not debugged this code, could be syntax errors in it, etc, but you get the idea):

le="color: #000000"><?php //PHP code: $element_objects[] = new XoopsFormText("Textbox 1", 'box1'); $element_objects[] = new XoopsFormText("Textbox 2", 'box2'); $element_objects[] = new XoopsFormText("Textbox 3", 'box3'); $element_objects[] = new XoopsFormText("Textbox 4", 'box4'); foreach($element_objects as $element) { $elements_rendered[] = $element->render(); } $xoopsTpl->assign('elements', $elements_rendered); //Smarty code: <table> <tr><td><{$elements.0}></td><td><{$elements.1}></td></tr> <tr><td><{$elements.2}></td><td><{$elements.3}></td></tr> </table>


I think that pretty effectively separates presentation from logic.

Yes, there are some shortcomings of the XoopsForm class, particularly validation of user input, and enforcing required fields. But that can be dealt with by custom javascript that you could write. In Formulize we are planning on adding in more such features through the module rather than changing the class.

--Julian
Re: Module development - AddElement
by jegelstaff on 2006/7/12 17:52:47

Quote:

Shiva wrote:
Can you recommend a good practice how to create forms. I am briefly aware of form generators as formulize and formulaire, are these any good?


Hello,

As the lead developer on Formulize, I'd have to say it's very good.

Formulize is one way around some of the limitations of manually creating forms with the XoopsForm class that have been discussed here.

Like Liase and Formulaire, Formulize provides a graphical user interface that you can use to create forms. So you specify the elements that you want in the form by picking them from a list, and configuring their options (size of texboxes, options in a dropdown menu, etc) all through a form in your browser.

Formulize also adds a lot of control over how people interact with the form. So you can specify that a form should allow only one entry per user (ie: a profile form) or mulitple entries per user (ie: an activity log). There is also a detailed permission system that lets you control whether people can see entries others have made within their group, or across the whole site. And also whether they can edit or delete their own or other people's entries, among other things.

The forms are displayed by default using the standard XoopsForm class, so the appearance is limited.

However, there is a full API for Formulize that you can use to control how you want the form to appear on an element by element basis. You would create the form in the normal way using the interface described above, specifying all the elements that you want to have. And then you would write some custom PHP on the page where the form should appear. It could look something like this (to use a simple, old style table layout for multiple columns):

le="color: #000000"><?php print "<h1>Title of my Form</h1>"; print "<table>"; print "<tr><td>"; displayElement('myform', 1); print "</td><td>"; displayElement('myform', 2); print "</td></tr>"; print "<tr><td>"; displayElement('myform', 3); print "</td><td>"; displayElement('myform', 4); print "</td></tr>"; print "</table>";


As for reviewing the information once users have submitted it, Formulize includes a powerful searching, sorting and calculation interface that lets you analyze the data however you choose, and save custom views of the information, publish views to other users, and export the data to .csv format.

It is very suitable for any standard data input-output situation, and with the API can be used to create custom applications, which in some cases may be easier or more appropriate than creating a new module from scratch.

The current focus of development is on providing access in the administration screens to the more advanced features currently available only through the API.

If you would like to discuss further, please visit the Formulize area on dev.xoops.org, accessible through this link:

http://www.freeformsolutions.ca/formulize

Thanks for reading,

--Julian

Who's Online

377 user(s) are online (327 user(s) are browsing Support Forums)


Members: 0


Guests: 377


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits