Flip - 2011-11-17 19:37:35
As I understand from the video, demos and forums, no actual form processing is done. I searched the code and mysql_real_escape_string could not be found.
I looked in the feature list and this is indeed not one of the features.
Nothing wrong here, just good to know your class doesn't secure against SQL injection.
My question is: which server side validation & processing IS being done?
Or in other words:
Why use the $form->GetInputValue() function and not just get the $_POST value directly?
This leads me to another question:
If there is indeed no server side processing being done by your script, is it possible to save the generated forms as a cache somehow, so the HTML + JavaScript don't have to be generated on each visit?
Manuel Lemos - 2011-11-17 20:17:28 - In reply to message 1 from Flip
No, the forms class itself is just for validating form data. If you want to take the submitted form values and insert them in a database, it is up to you to do the necessary encoding of values passed in SQL strings.
The GetInputValue function is not supposed to do that because it just retrieves the submitted values, which may not even be used for database access purposes.
If you want to cache the forms' HTML and JavaScript, it is up to you, but I do not recommend it because the HTML that is generated usually depends on whether the form is being presented for the first time or not and may include submitted form values which may vary depending on what the user entered in the forms.
Flip - 2011-11-18 18:19:12 - In reply to message 2 from Manuel Lemos
Thank you for your response.
I don't want to seem to be nitpicking here, but as I found this design confusing I would like to make a suggestion on this.
"The GetInputValue function is not supposed to do that because it just retrieves the submitted values"
If GetInputValue just retrieves the submitted values, then why put this function in your class? I wouldn't do this for 2 reasons:
1. The use of just $_POST makes it clear that no processing is being done; usage of GetInputValue obscures this.
2. Extra overhead. I don't think it's much, but the less overhead the better.
I'm using your class now and, though it took a few hours to get the first forms working on my own site (due to my inexperience with this class), I must say your class seems pretty good. So thank you for making this.
Manuel Lemos - 2011-11-19 01:19:00 - In reply to message 3 from Flip
Retrieving input values is not always the same thing on every request. If the form is submitted via GET method, $_POST is not the right way to retrieve the submitted values.
Furthermore, the class can do filtering on the submitted values if you tell it to do that, or even assume default values if the form is loaded with submitted values. GetInputValues will consider all that.
Other than that, the class supports custom plug-ins that redefine how GetInputValue works. For instance, the form_date plugin presents fields for the day, month and year.
When you call GetInputValue on an input element defined by that custom plug-in, it will return a single string formatted with day, month and year.
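To illustrate the two points made in this thread (message 2: SQL encoding is the caller's job; message 4: GetInputValue abstracts over GET/POST, filters and defaults), here is an added example that is not the forms class's own code. The SimpleFormInput class, its method names, the table and the connection credentials are all hypothetical stand-ins.

```php
<?php
// Minimal stand-in for the idea behind GetInputValue (hypothetical class, not the
// forms class's own code): pick the right superglobal, apply per-field filters,
// fall back to defaults, and leave SQL encoding to the caller.
class SimpleFormInput
{
    private array $fields = [];
    private array $values = [];

    // Register a field with an optional default and an optional filter callback.
    public function addInput(string $name, ?string $default = null, ?callable $filter = null): void
    {
        $this->fields[$name] = ['default' => $default, 'filter' => $filter];
    }

    // Read from $_GET or $_POST according to how the form was actually submitted,
    // so calling code never hard-codes $_POST.
    public function loadInputValues(string $method): void
    {
        $source = strtoupper($method) === 'GET' ? $_GET : $_POST;
        foreach ($this->fields as $name => $spec) {
            $raw = $source[$name] ?? $spec['default'];
            if ($raw !== null && $spec['filter'] !== null) {
                $raw = ($spec['filter'])($raw);
            }
            $this->values[$name] = $raw;
        }
    }

    public function getInputValue(string $name): ?string
    {
        return $this->values[$name] ?? null;
    }
}

$form = new SimpleFormInput();
$form->addInput('email', null, fn($v) => trim($v));
$form->addInput('newsletter', '0', fn($v) => $v === '1' ? '1' : '0');
$form->loadInputValues($_SERVER['REQUEST_METHOD'] ?? 'POST');

// The form layer only retrieves and filters. Encoding for SQL is done here by the
// caller; a prepared statement makes mysql_real_escape_string unnecessary.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'password'); // placeholder credentials
$stmt = $pdo->prepare('INSERT INTO subscribers (email, newsletter) VALUES (:email, :newsletter)');
$stmt->execute([
    ':email'      => $form->getInputValue('email'),
    ':newsletter' => $form->getInputValue('newsletter'),
]);
```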
Flip - 2011-11-19 15:30:10 - In reply to message 4 from Manuel Lemos
Very clear explanation and powerful options. Thanks.
Will have to look into the filter capabilities.