<?php
/**
* Ness PHP Framework.
* A solid php framework for fast and secure web applications.
*
* @author Sinan SALIH
* @license MIT License
* @copyright Copyright (C) 2018-2019 Sinan SALIH
*/
namespace Ness\Forms
{
use Ness\Model;
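/**
 * Ness PHP Form Class
 * This class is used to help the developer while creating forms
 * and sending data to models.
 *
 * Typical flow: DefineForm() opens the tag, setElement() emits each field,
 * FinishForm() closes the tag, and Call() hands the POSTed values to a model
 * action once setModel() has named the model class.
 */
class Form
{
    /** Line terminator appended after every emitted tag. */
    const EOL = "\n";
    /** @ignore */
    protected $baseForm;
    /** @ignore */
    protected $formElements;
    /** Model class name passed to setModel(); '' until then. */
    protected $modelInstance;
    /** Form name; also the POST key whose presence marks this form as submitted. */
    protected $formName;
    /** When true, POSTed values are HTML-escaped before they reach the model. */
    protected $isFormProtected;

    /**
     * Initialize a form class.
     *
     * @param string $formName A form name to provide security while sending the form.
     */
    public function __construct($formName = 'defaultForm')
    {
        $this->baseForm = '';
        $this->formElements = '';
        $this->modelInstance = '';
        $this->formName = $formName;
        $this->isFormProtected = false;
    }

    /**
     * This function creates a form.
     *
     * Every attribute name and value is HTML-escaped, so attributes assembled
     * from request data cannot break out of the tag.
     *
     * @param array<string, string>|null $attr Array of html attributes of form
     *
     * @return string The opening <form> tag followed by EOL
     */
    public function DefineForm($attr = null): string
    {
        $creator = '<form name="'.$this->escape($this->formName).'"'
            .' action="'.$this->escape(\Ness\Url::getUrl()).'"';
        foreach ($attr ?? [] as $key => $value) {
            $creator .= ' '.$this->escape($key).'="'.$this->escape($value).'"';
        }

        return $creator.'>'.self::EOL;
    }

    /**
     * This function is used to set the model class for the form when sending data.
     *
     * @param string|null $modelClass Model class name to use with form; null leaves the current model unchanged
     */
    public function setModel($modelClass)
    {
        if ($modelClass !== null) {
            $this->modelInstance = $modelClass;
        }
    }

    /**
     * Enable or disable HTML-escaping of POSTed values before they are assigned to the model.
     *
     * @param bool $isSecured
     */
    public function setProtected($isSecured = true)
    {
        // Cast once here; the original stored the raw value and relied on truthiness.
        $this->isFormProtected = (bool) $isSecured;
    }

    /**
     * This function is used to create form elements.
     *
     * @param string $element Markup produced by the FormElements class methods
     *
     * @return string The element followed by EOL
     */
    public function setElement($element): string
    {
        return $element.self::EOL;
    }

    /**
     * Close form tags.
     *
     * @return string
     */
    public function FinishForm(): string
    {
        return '</form>'.self::EOL;
    }

    /**
     * This function is used to run a function/action of the model file after
     * POSTing the form.
     *
     * Nothing happens unless the request contains the form-name key, a model
     * has been set, and the model declares the action.
     *
     * @param string $actionName Action in model file to run
     *
     * @return void
     */
    public function Call($actionName)
    {
        if (!$this->isPostedForm($this->formName)) {
            return;
        }
        if ($this->modelInstance === '' || $this->modelInstance === null) {
            // setModel() was never called: there is no class to instantiate.
            return;
        }
        Model::Load($this->modelInstance);
        $modelClass = new $this->modelInstance();
        if (!method_exists($modelClass, $actionName)) {
            return;
        }
        $this->bindPostedFields($modelClass);

        if (!isset($_POST['csrf_field'])) {
            // No token posted: the form was built without csrf_field, so the
            // action runs unprotected (kept as in the original behaviour).
            $modelClass->{$actionName}();

            return;
        }
        if ($this->csrfTokenMatches($_POST['csrf_field'])) {
            $modelClass->{$actionName}();
        }
        // Token mismatch: the action is not run; no error is raised.
    }

    /**
     * Copy POSTed values onto the model's public, non-static properties.
     *
     * Only public properties are written: the original checked property_exists(),
     * which also matches private/protected members, and assigning one of those
     * from here raises a fatal Error.
     *
     * @param object $modelClass
     */
    private function bindPostedFields($modelClass)
    {
        $reflection = new \ReflectionClass($modelClass);
        foreach ($_POST as $key => $value) {
            $name = (string) $key;
            if (!$reflection->hasProperty($name)) {
                continue;
            }
            $property = $reflection->getProperty($name);
            if (!$property->isPublic() || $property->isStatic()) {
                continue;
            }
            $modelClass->$name = $this->sanitize($value);
        }
    }

    /**
     * Compare the posted csrf_field with the value this framework expects.
     *
     * The expected value is sha1 of the current URL, i.e. it is derived from
     * the request alone and not from any per-session secret, so this check
     * mainly guards against accidental cross-form posts; a session-bound
     * random token would be needed for real forgery resistance.
     * hash_equals() replaces the loose == of the original, which treated
     * numeric-looking strings (e.g. "0e…" digests) as equal.
     *
     * @param mixed $posted Raw $_POST['csrf_field']
     */
    private function csrfTokenMatches($posted): bool
    {
        if (!is_string($posted)) {
            return false;
        }

        return hash_equals(sha1(\Ness\Url::getUrl()), $posted);
    }

    /**
     * HTML-escape a value for use inside a double-quoted attribute or text node.
     *
     * @param mixed $text
     */
    private function escape($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Escape a POSTed value when protection is enabled; arrays are escaped
     * element-wise (the original passed arrays straight to htmlspecialchars,
     * which is a TypeError).
     *
     * @param mixed $data
     *
     * @return mixed
     */
    private function sanitize($data)
    {
        if (!$this->isFormProtected) {
            return $data;
        }
        if (is_array($data)) {
            $out = [];
            foreach ($data as $key => $item) {
                $out[$key] = $this->sanitize($item);
            }

            return $out;
        }

        return $this->escape($data);
    }

    /**
     * Whether the request carries the key that marks this form as submitted.
     * Always returns a bool (the original returned null when not set).
     *
     * @param string $frmName
     */
    private function isPostedForm($frmName = ''): bool
    {
        return isset($_POST[$frmName]);
    }
}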
}