xoops forums

Jakobo

Just popping in
Posted on: 2004/1/8 0:23
Posts: 61
Since: 2003/12/18
#1

Preparing Text to go in and out of a Xoops DB

(Edit: I could not see anything in the RFI forum for some strange reason, so I have no idea if these functions have been discussed.)

Xoops ate my session, so this is going to be a lot more abbreviated than before. After looking through the class files, the forum, the news, and other modules, I have tried to put together a helpful reference on using the Text Sanitizer. If some other people in the mod community can verify these, it would be a huge help both to the mods and to the wiki. I do believe though that these functions (as used now) are marked "deprecated" in CVS, but I couldn't for the life of me find the new revised function names.

Get the instance of the MyText Sanitizer
Must do this first.
$myts =& MyTextSanitizer::getInstance();


Sanitize Data to save in a DB
$myts->makeTboxData4Save($text)



Prepare Data from DB to display on page
second option is to show smilies or not (optional)
$myts->makeTboxData4Show($text, 0)



Prepare data from DB to put back into a textbox
$myts->makeTboxData4Edit($text)



Prepare data from DB to put into a "preview" section
second option is to show smilies or not (optional)
$myts->makeTboxData4Preview($text, 0)



Prepare data from DB to put into a "preview" section that is contained in a form? (anyone actually use this?)
$myts->makeTboxData4PreviewInForm($text)



Sanitize Text Area Data to save in a DB
$myts->makeTareaData4Save($text)



Prepare Data from DB to display on page
1st option: convert html code (optional)
2nd option: convert smilies (optional)
3rd option: convert XOOPS code (optional)
$myts->makeTareaData4Show($text, 1, 1, 1)



Prepare Data from DB to put back into a text area
$myts->makeTareaData4Edit($text)



Prepare Data from DB to display in a Preview
1st option: convert html code (optional)
2nd option: convert smilies (optional)
3rd option: convert XOOPS code (optional)
$myts->makeTareaData4Preview($text, 1, 1, 1)



Prepare Data from DB to display in a Preview and that preview is contained in a form? (anyone actually use this?)
$myts->makeTareaData4PreviewInForm($text)



Prepare Data from DB to display in a "quote" format? (anyone actually use this?)
$myts->makeTareaData4InsideQuotes($text)

mvandam

Quite a regular
Posted on: 2004/1/8 2:13
Posts: 253
Since: 2003/2/7 2
#2

Re: Preparing Text to go in and out of a Xoops DB

I believe that (some of) these functions are still used internally, but not intended to be part of the API used by developers.

Anyone please correct me if I'm wrong, but as far as I know, all the sanitization is done in class methods 'getVar' and 'setVar' of classes derived from XoopsObject.

- setVar(key,value) sets the value of a 'field'. It will automatically be sanitized before insert into the database.

- getVar(key,format) converts based on the 'type' of the variable and the selected 'format'. The values of 'format' can be:

(1) 's' for 'show' (use when displaying on a page)
(2) 'e' for 'edit' (use when you show in an edit box)
(3) 'p' for 'preview' (unsure of purpose)
(4) 'f' for 'formpreview' (unsure of purpose)
(5) 'n' for 'none' (use when you want the value exactly as inserted)

The options of whether you want to render smilies, html etc. are established when you call 'initVar' to initialize each var in your class (derived from XoopsObject). Have a look at e.g. kernel/user.php or kernel/module.php etc. for some examples of classes derived from XoopsObject. If all your data is handled by a XoopsObject then you just use 'setVar', 'getVar', and sanitization automagically happens when you insert into or retrieve from the database.

Hope this helps a bit...

Jakobo

Just popping in
Posted on: 2004/1/8 9:29
Posts: 61
Since: 2003/12/18
#3

Re: Preparing Text to go in and out of a Xoops DB

That does make a bit more sense, especially since a module would technically (in a perfect object-oriented world) be a derivation of a XOOPS Object (or more precisely, an instance of a XOOPS Module).

Given the amount of data that goes in and out of Xoops, it only made sense that there be some sort of validation functions in the core; it's just been a matter of finding them.

Thank you very much for the help! I'll start digging and see what I can find about how to use those two examples in my code. Anything's worth a try, some things worth 2-3.

svaha

Just can't stay away
Posted on: 2004/1/8 9:31
Posts: 896
Since: 2003/8/2 2
#4

Re: Preparing Text to go in and out of a Xoops DB

I use the $myts things to force text to go through the sanitizer for my multilingo site.
When I read your lines here correctly mvandam, does this mean that when getVar is used it is automatically sanitized? So it makes no sense to use $myts here?

Aloha

mvandam

Quite a regular
Posted on: 2004/1/8 18:34
Posts: 253
Since: 2003/2/7 2
#5

Re: Preparing Text to go in and out of a Xoops DB

Yes, 'getVar' causes automatic sanitization (according to the options you selected with 'initVar'... i.e. things like bbcode, smilies, etc.) Have a look in kernel/object.php for more details.

For the multilingual stuff, you would have to call the function manually as you are doing now. To save yourself a lot of extra function calls, you could implement the multilang stuff as a 'markup option' (as bbcode, smilies, html, etc...) and change the appropriate calls to 'initVar' to add this option on multilingual fields. I'm not sure how well this would work... just a thought off the top of my head.

svaha

Just can't stay away
Posted on: 2004/1/9 10:31
Posts: 896
Since: 2003/8/2 2
#6

Re: Preparing Text to go in and out of a Xoops DB

Thnx, it sure feels like a good idea to investigate this.
I'm also looking into possibilities of implementing these multilingo things in the frontend of Xoops, so smarty stuff and so on, because as it is now (hacks implemented in so many files) it's blood, sweat and tears with every update. Gotta carefully compare every single file to see exactly what was changed for multilingo.
Aloha

Brad

Not too shy to talk
Posted on: 2004/3/29 14:33
Posts: 150
Since: 2003/12/4
#7

Re: Preparing Text to go in and out of a Xoops DB

Should one always use the text sanitizer when reading or writing from a table? If not, what are the guidelines on when one should or should not do so?

Brad

mvandam

Quite a regular
Posted on: 2004/3/29 17:05
Posts: 253
Since: 2003/2/7 2
#8

Re: Preparing Text to go in and out of a Xoops DB

Quote:

Should one always use the text sanitizer when reading or writing from a table? If not, what are the guidelines on when one should or should not do so?

Depends what you mean by 'reading' or 'writing' from a table. If you are writing a *query*, you should always use $xoopsDB->quoteString($blah) on ALL variables which are 'untrusted' or unvalidated. This includes integers etc, unless you explicitly check to make sure they are integers and contain no strange characters.

The text sanitizer is used for pieces of text. If you are extending XoopsObject, then initVar, setVar, getVar all call text sanitizer automagically. If you are not extending XoopsObject, then you may need to invoke the text sanitizer. Preparing for the database is only a tiny part of what text sanitizer can do... it also 'cleans' any strings so that when you display them as HTML you deactivate any potential 'attacks'.
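As an added illustration (not XOOPS code and not from any poster in this thread), a constructed stand-in for the initVar/setVar/getVar pattern mvandam describes in #2 and #8: the value is stored raw, the 's' and 'e' formats decide how it is encoded on the way out, and 'n' hands it back untouched. The class name, field types and encoding rules are simplified assumptions, not the kernel's implementation.

```php
<?php
// Constructed stand-in for the XoopsObject initVar/setVar/getVar pattern
// discussed in this thread. It is NOT the XOOPS kernel class: the types,
// formats and encoding rules below are simplified assumptions.

class SanitizedRecord
{
    private array $vars = [];

    // Declare a field and its type ('int', 'text' or 'textarea').
    public function initVar(string $key, string $type): void
    {
        $this->vars[$key] = ['type' => $type, 'value' => null];
    }

    // Store the value as-is (cast for ints); encoding happens on output only,
    // so the same stored string can be shown, edited or reused unchanged.
    public function setVar(string $key, $value): void
    {
        if (!isset($this->vars[$key])) {
            throw new InvalidArgumentException("unknown field: $key");
        }
        $this->vars[$key]['value'] =
            $this->vars[$key]['type'] === 'int' ? (int)$value : (string)$value;
    }

    // Formats: 's' show on a page, 'e' put back into a form field,
    // 'n' none (raw value; never echo this straight into HTML).
    public function getVar(string $key, string $format = 's')
    {
        ['type' => $type, 'value' => $value] = $this->vars[$key];
        if ($type === 'int' || $format === 'n') {
            return $value;
        }
        // Both 's' and 'e' neutralise markup so user text cannot become tags.
        $encoded = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        // Only the display format turns newlines into <br />; the edit
        // format keeps them literal so the textarea round-trips exactly.
        return ($format === 's' && $type === 'textarea') ? nl2br($encoded) : $encoded;
    }
}

$post = new SanitizedRecord();
$post->initVar('title', 'text');
$post->initVar('body', 'textarea');
$post->setVar('title', 'Hello <script>alert(1)</script>');   // constructed input
$post->setVar('body', "line one\n<img src=x onerror=alert(1)>"); // constructed input

echo $post->getVar('title', 's'), "\n"; // markup is encoded, not rendered
echo $post->getVar('body', 's'), "\n";  // newline becomes <br />, tag encoded
echo $post->getVar('body', 'e'), "\n";  // encoded, newline kept for the textarea
```

Quoting values for a query, as the post above notes, is a separate step from this output encoding and is not modelled here.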

jackt

Just popping in
Posted on: 2004/4/16 6:55
Posts: 31
Since: 2002/6/2 2
#9

Re: Preparing Text to go in and out of a Xoops DB

I've noticed that extending the XoopsObject class conveniently formats text for you assuming you initVar to set the data types, and then getVar and setVar will "sanitize" the text for database entry or display. I've also seen kernel and some OO based core modules also include a corresponding Handler class to handle database manipulation. However, there exist very very few modules that actually take this route. The few modules that are OO either create a renderer class for display (I don't even quite understand why you'd throw in an extra layer between the calling page and smarty; why would you even need another class to render output for you?) or throw database manipulation methods into that very class.

I'm wondering what the benefit is by separating "data access mechanisms" methods into a handler class? No one seems to be doing it, but the core classes are practically all done this way.

In addition, it'd be very useful to include the initVar, getVar, setVar, etc. functions in the module development wiki. A lot of people don't use what's supplied in the core, and it would help them tremendously to know these tools are provided to you.

mvandam

Quite a regular
Posted on: 2004/4/16 17:47
Posts: 253
Since: 2003/2/7 2
#10

Re: Preparing Text to go in and out of a Xoops DB

Quote:

I'm wondering what the benefit is by separating "data access mechanisms" methods into a handler class? No one seems to be doing it, but the core classes are practically all done this way.

This is basically the same argument as why you separate your logic from your design - i.e. you use templates so all design-related stuff is in a *single* place.

You separate all DB things so that if there are ever changes (e.g. supporting other databases etc) then you can make all the changes in one place.

Quote:

In addition, it'd be very useful to include the initVar, getVar, setVar, etc. functions in the module development wiki. A lot of people don't use what's supplied in the core, and it would help them tremendously to know these tools are provided to you.

Feel free to start some pages if you have the time. There has been some talk on dev.xoops.org about providing at least one module written in the 'recommended' way, i.e. using all the core features etc. Not sure what the status is on that right now.