osCommerce Online Merchant v2.x
README

Branch form_handler_class

Features/benefits:
- Validates forms and CSRF
- Forces sanitisation or type setting of form values
- Reduces on page code
- Reduces on page code complexity
- Forces contribution developers to sanitise all values
- Protects the script from contribution developers who "forget" to sanitise form input.

Changelog: 28th July 2012
Added shortform usage, added reset(), added setDefaultSanitiser( string ), added file uploads check 

Standard Usage:
  Validates the CSRF token, applies type casting and sanitisation to values, ensures the required form keys are present, and extracts any optional ones that are.

  require(DIR_WS_CLASSES . '/form_handler.php');
  $formHandler = new form_handler();
  
  if (($extracted = $formHandler->setRequiredFormKeys(array( 'action' => 'process', 'some_int' => 'int', 'some_string' => 'string', 'some_user_input_text' => 'strip_tags'))
                                ->setOptionalFormKeys(array( 'optional_int' => 'int', 'optional_user_input_text' => 'strip_tags' ))
                                ->validate()) !== false) {
    // $extracted only ever contains the keys listed above, already cast/sanitised
    extract($extracted, EXTR_OVERWRITE);
    // Do stuff here
  }

###########################################################

Short form usage:
  The same as above, but because the arrays passed in are numerically indexed (no sanitiser named per key),
  the default sanitiser, strip_tags, is applied to those keys (see setDefaultSanitiser()).
  Short and long form can be mixed.

  if (($extracted = $formHandler->setRequiredFormKeys(array( 'action' => 'process', 'some_int', 'some_string', 'some_user_input_text'))
                                ->setOptionalFormKeys(array( 'optional_int', 'optional_user_input_text' ))
                                ->validate()) !== false) {
    extract($extracted, EXTR_OVERWRITE);
    // Do stuff here
  }

###########################################################

Just validating CSRF:

  if (($formHandler->limitCsrfCheckOnly(true)->validate()) !== false) {
    // Token matched; no form keys are extracted in this mode
  }
  
###########################################################

Chaining form validation:

  if (($extracted = $formHandler->setRequiredFormKeys(array( 'action' => 'process', 'some_int' => 'int', 'some_string' => 'string', 'some_user_input_text' => 'strip_tags'))
                                ->setOptionalFormKeys(array( 'optional_int' => 'int', 'optional_user_input_text' => 'strip_tags' ))
                                ->validate()) !== false) {
    extract($extracted, EXTR_OVERWRITE);
    // Do stuff here
  } elseif (($extracted = $formHandler->reset()
                                      ->setRequiredFormKeys(array( 'action' => 'update', 'some_int' => 'int', 'some_string' => 'string', 'some_user_input_text' => 'strip_tags'))
                                      ->setOptionalFormKeys(array( 'optional_int' => 'int', 'optional_user_input_text' => 'strip_tags' ))
                                      ->validate()) !== false) {
    extract($extracted, EXTR_OVERWRITE);
    // Do other stuff here
  }
  
###########################################################

  Public methods - all of these chain:
  
  reset()
  setRequiredFormKeys()
  setOptionalFormKeys()
  setDefaultSanitiser()
  requireCsrfCheck()
  limitCsrfCheckOnly()
  validate()
  
###########################################################  


Explanation of setXxxxxFormKeys()

In complex files like address_book_process some _POST variables are always present,
while others are only introduced under certain conditions, e.g. inside

if (ACCOUNT_GENDER == 'true')

This system handles that as follows:

setRequiredFormKeys() - is passed an array of "required to be present" _POST keys.

setOptionalFormKeys() - is passed the full array of optional _POST keys.

The required keys are used along with the sessiontoken when validating the form.

The optional keys are extracted from _POST if they happen to be present, and their values are typecast
along with the required key=>value(s).

This allows a lot of flexibility, a reduction of core code, a reduction of code complexity and the definite
knowledge that every variable extracted has been typecast and sanitised.
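To make the required/optional/default-sanitiser behaviour described above concrete, here is a stand-alone sketch of the same pattern. This is an added example, not the form_handler class from this branch: the class name MiniFormHandler, its private fields and the treatment of a non-type value such as 'process' as a literal the field must equal are assumptions; only the public method names mirror the README. It assumes PHP >= 5.6 (for hash_equals) and uses the osCommerce 'formid' field and 'sessiontoken' session key as the token pair.

```php
<?php
// Added example: minimal sketch of the validate() pattern (required/optional keys,
// per-key sanitiser, CSRF token). Not the form_handler class from this branch.

class MiniFormHandler
{
    private $required = array();
    private $optional = array();
    private $defaultSanitiser = 'strip_tags'; // applied to numerically indexed keys
    private $csrfOnly = false;
    private static $types = array('int', 'float', 'string', 'strip_tags');

    public function reset()
    {
        $this->required = array();
        $this->optional = array();
        $this->csrfOnly = false;
        return $this;
    }

    public function setDefaultSanitiser($type) { $this->defaultSanitiser = $type; return $this; }
    public function limitCsrfCheckOnly($flag) { $this->csrfOnly = (bool)$flag; return $this; }
    public function setRequiredFormKeys(array $keys) { $this->required = $this->normalise($keys); return $this; }
    public function setOptionalFormKeys(array $keys) { $this->optional = $this->normalise($keys); return $this; }

    // Accepts both 'key' => 'type' entries and bare 'key' entries (short form).
    private function normalise(array $keys)
    {
        $out = array();
        foreach ($keys as $k => $type) {
            if (is_int($k)) { $out[$type] = $this->defaultSanitiser; } else { $out[$k] = $type; }
        }
        return $out;
    }

    // Constant-time comparison of the submitted token against the session token.
    private function csrfOk()
    {
        if (!isset($_POST['formid'], $_SESSION['sessiontoken'])) return false;
        return hash_equals((string)$_SESSION['sessiontoken'], (string)$_POST['formid']);
    }

    // Cast or sanitise one raw value; an unknown type name yields null, never the raw value.
    private function sanitise($value, $type)
    {
        switch ($type) {
            case 'int':        return (int)$value;
            case 'float':      return (float)$value;
            case 'string':     return (string)$value;
            case 'strip_tags': return strip_tags((string)$value);
            default:           return null;
        }
    }

    // Returns the cleaned key => value array, or false when the token fails, a required
    // key is absent, or a literal expectation (assumption: e.g. 'action' => 'process') is not met.
    public function validate()
    {
        if (!$this->csrfOk()) return false;
        if ($this->csrfOnly) return array();
        $clean = array();
        foreach ($this->required as $key => $type) {
            if (!array_key_exists($key, $_POST)) return false;
            if (!in_array($type, self::$types, true)) {
                if ($_POST[$key] !== $type) return false; // literal must match exactly
                $clean[$key] = $type;
                continue;
            }
            $clean[$key] = $this->sanitise($_POST[$key], $type);
        }
        foreach ($this->optional as $key => $type) {
            if (array_key_exists($key, $_POST)) $clean[$key] = $this->sanitise($_POST[$key], $type);
        }
        return $clean;
    }
}

// Constructed request for an offline CLI run; no real session or browser is involved.
$_SESSION = array('sessiontoken' => 'constructed-token');
$_POST = array(
    'formid'   => 'constructed-token',
    'action'   => 'process',
    'some_int' => '42abc',
    'comment'  => '<b onclick="x()">hello</b>',
);

$fh = new MiniFormHandler();
$extracted = $fh->setRequiredFormKeys(array('action' => 'process', 'some_int' => 'int'))
                ->setOptionalFormKeys(array('comment'))   // short form: strip_tags by default
                ->validate();
var_dump($extracted);
```

Run from the CLI, the constructed request passes: 'some_int' comes back as an integer, 'comment' has its tag stripped, and nothing outside the three listed keys appears in the result. Changing 'formid' or 'action' in the constructed $_POST makes validate() return false, which is the property the README's "forces sanitisation" claim rests on: code after the if never sees an unlisted or unsanitised value.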

File uploads example:

  if (($extracted = $formHandler->addAcceptableUploadMimeTypes(array('image/jpeg', 'image/png', 'image/gif'))
                                ->setRequiredFormKeys(array( 'action' => 'some_action', 'my_image' => 'uploaded_file'))
                                ->validate()) !== false) {}

The switch code:

  case 'file':
  case 'uploaded_file':
    // $_FILES handling as used here needs PHP 4.1+; the 'error' element appeared in 4.2
    if ( PHP_VERSION < '4.1.0' ) break;
    if (!array_key_exists($key, $_FILES)) return false;
    if ((PHP_VERSION >= '4.2.0') && ($_FILES[$key]['error'] !== 0)) return false;
    // Only accept a file PHP itself received via HTTP upload
    if (!array_key_exists('tmp_name', $_FILES[$key]) || !is_uploaded_file($_FILES[$key]['tmp_name'])) return false;
    if (!empty($this->_acceptable_upload_mime_types)) {
      // NB: 'type' is the MIME type declared by the client, not derived from the file content
      if( !array_key_exists( 'type', $_FILES[$key]) || !in_array($_FILES[$key]['type'], $this->_acceptable_upload_mime_types)) return false;
    }
    break;
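The 'type' element of a $_FILES entry is whatever the client's request declared, so the allow-list check above establishes intent but not content. The following added example (not code from this branch) shows the complementary server-side check a practitioner would pair with it: sniffing the actual bytes with the fileinfo extension and rejecting the upload when the sniffed type is not allowed or disagrees with the declared one. The function name detectAcceptableUploadType and the sample $_FILES entries are constructed for this illustration; it assumes PHP >= 5.3 with fileinfo enabled.

```php
<?php
// Added example (not code from this branch): server-side content sniffing to back up
// the client-declared 'type' check in the 'uploaded_file' case. Assumes PHP >= 5.3 + fileinfo.

// Returns the detected MIME type of the uploaded temp file, or false if the entry is
// malformed, the upload failed, the detected type is not allowed, or the declared type
// disagrees with the detected one. $file is one $_FILES[$key] entry.
function detectAcceptableUploadType(array $file, array $allowed)
{
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // In a real request also require is_uploaded_file($file['tmp_name']); that test can
    // never pass for the constructed files in this offline run, so it is left to the caller.
    if (!is_readable($file['tmp_name'])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !in_array($detected, $allowed, true)) {
        return false;
    }
    // The declared type is client-controlled: a mismatch is a reason to reject,
    // never a reason to prefer the declaration over the bytes.
    if (isset($file['type']) && $file['type'] !== $detected) {
        return false;
    }
    return $detected;
}

// Constructed inputs for an offline CLI run: temp files carrying real image signatures.
$allowed = array('image/jpeg', 'image/png', 'image/gif');

$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0dIHDR");
$jpg = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($jpg, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00");
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "hello, not an image\n");

// Declared and actual type agree.
$honest = array('error' => UPLOAD_ERR_OK, 'tmp_name' => $png, 'type' => 'image/png');
// Declared PNG, bytes are JPEG: both on the allow-list, still rejected for disagreeing.
$mismatch = array('error' => UPLOAD_ERR_OK, 'tmp_name' => $jpg, 'type' => 'image/png');
// Declared type is allowed, bytes are plain text: rejected on content.
$notImage = array('error' => UPLOAD_ERR_OK, 'tmp_name' => $txt, 'type' => 'image/gif');

var_dump(detectAcceptableUploadType($honest, $allowed));
var_dump(detectAcceptableUploadType($mismatch, $allowed));
var_dump(detectAcceptableUploadType($notImage, $allowed));

unlink($png);
unlink($jpg);
unlink($txt);
```

Only the first constructed entry is accepted; the other two fail for different reasons (type disagreement and disallowed content), which is the distinction the declared-type check alone cannot make. In the class itself this would sit after the is_uploaded_file() test, so that only a genuine upload ever reaches the sniffer.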