[TYPO3] suggestions on form submit

Oliver Rowlands oliver at liquidlight.co.uk
Sun Jun 3 14:41:57 CEST 2007


Hi Marco,

I think you need to read up on Typo3 extension development as you seem 
to have a lack of understanding of the basic concepts. There is a basic 
extension development tutorial available on Typo3.org:

http://typo3.org/documentation/document-library/tutorials/player_profile_basic/0.0.8/view/

You might also want to have a look at how other extensions work - maybe 
try finding one which provides similar functionality to the one you are 
trying to create and use it as a starting point.

It is a flawed misconception to think that 'submitting data to a handler 
is safer than submitting data to itself' as this makes no difference 
whatsoever when it comes to 'security'.

In most cases securing PHP forms all comes down to how you handle 
incoming requests, data validation & sanitisation and how this data then 
interacts with your database or model. Whether this logic is in the same 
controller which generates your form or a separate one is completely 
irrelevant.

Hope this helps,

Oliver

M.Couperus wrote:
> Hi,
> 
> So posting them to an array somewhere in typo3 system if I understand you
> correctly. Then getting those values with another php script. But as the
> form is not initiating the 'get' script how to process the data?
> 
> What would be the best place in typo3 to post such data and how do I
> initiate the new script?  The script must display the posted form again and
> if the data adhered to my specified rules it should be posted to the
> database?
> 
> Thanks in advance!
> 
> Marco
> 
> 
> On 6/3/07, Ries van Twisk <typo3 at rvt.dds.nl> wrote:
>>
>> hey,
>>
>> in typo3 you post to the system. And when your form is setup correctly
>> you will find the posted variables back in $this->piVars['...'];
>>
>> Then you can do your post processing, accept the values and do
>> something with them,
>> or show the form again and fill in the inputs.
>>
>> Just make sure you understand how to setup forms and how to
>> create correct post/get names.
>>
>> Ries
>>
>> On Jun 2, 2007, at 6:21 PM, M.Couperus wrote:
>>
>> > Hello all,
>> >
>> > We created a simple extension with kickstarter and added custom
>> > code to it.
>> > Everything seems to work fine except for one detail with which I'm not
>> > happy. One of our PHP developers decided to submit the form to itself.
>> > Normally I would post the form to a handler which checks the
>> > submitted data
>> > and then submits this data (if the data adhered to specified rules)
>> > to the
>> > database. As far as I know (in theory) this should be more secure.
>> > But how
>> > to do this?  Personally I'm not that advanced in PHP programming
>> > and TYPO3
>> > and so I would post to -- for example--  'process.php'. This
>> > wouldn't work
>> > in our case because I want to 'echo' the submitted data again to
>> > the user
>> > without leaving the location in the CMS. In addition it would be
>> > vulnerable
>> > to sql injections because it would be wide open to the internet
>> > i.e. (post
>> > to www.domain.com/process.php)
>> >
>> >  So the question: "How to process form data in typo3 effective and
>> > secure?"
>> >
>> > Thanks in advance.
>> >
>> > Regards,
>> >
>> > Marco
>> > _______________________________________________
>> > TYPO3-english mailing list
>> > TYPO3-english at lists.netfielders.de
>> > http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
>>
>> -- 
>> Ries van Twisk
>> Freelance Typo3 Developer
>> email: ries at vantwisk.nl
>> web:   http://www.rvantwisk.nl/
>> skype: callto://r.vantwisk


-- 
Oliver Rowlands
:: Liquid Light ::

E - oliver at liquidlight.co.uk
W - http://www.liquidlight.co.uk

T - 00 44 (0)845 6 58 88 35
F - 00 44 (0)845 6 58 44 35
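Putting Oliver's advice (validate the incoming request, sanitise what is echoed back, keep raw input away from the database) together with Ries's description of reading $this->piVars, here is an added example of a self-posting TYPO3 4.x pibase plugin; it is not code from the thread or from TYPO3 itself, and the extension key, class, table and column names are assumptions chosen for the example.

```php
<?php
// Added example, not code from the thread: a TYPO3 4.x pibase plugin whose form
// posts to itself (as Ries describes) and does the work Oliver says matters:
// validate the request, escape what is echoed back, keep raw input out of SQL.
// Extension key "myext" and table "tx_myext_entries" (columns name, email)
// are hypothetical names chosen for this example.
require_once(PATH_tslib . 'class.tslib_pibase.php');
class tx_myext_pi1 extends tslib_pibase {
    var $prefixId = 'tx_myext_pi1';
    var $extKey   = 'myext';
    // Only the fields we ask for are read; anything else in the request is ignored.
    function field($key) {
        return isset($this->piVars[$key]) ? trim(strval($this->piVars[$key])) : '';
    }
    function main($content, $conf) {
        $this->conf = $conf;
        $errors = array();
        $values = array('name' => $this->field('name'), 'email' => $this->field('email'));
        if (isset($this->piVars['submit'])) {
            if ($values['name'] === '' || strlen($values['name']) > 80) {
                $errors[] = 'Name is required (max. 80 characters).';
            }
            if (!t3lib_div::validEmail($values['email'])) {
                $errors[] = 'Please enter a valid e-mail address.';
            }
            if (!$errors) {
                // exec_INSERTquery quotes every value (fullQuoteStr), so the
                // input never lands in the SQL string unescaped.
                $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_myext_entries', array(
                    'pid'    => intval($GLOBALS['TSFE']->id),
                    'tstamp' => time(),
                    'name'   => $values['name'],
                    'email'  => $values['email'],
                ));
                return $this->pi_wrapInBaseClass('<p>Thank you, your entry was saved.</p>');
            }
        }
        // Re-display the form with the submitted values; htmlspecialchars stops
        // echoed input from being interpreted as markup.
        $html = '';
        foreach ($errors as $e) { $html .= '<p class="error">' . htmlspecialchars($e) . '</p>'; }
        $html .= '<form method="post" action="' . htmlspecialchars($this->pi_getPageLink($GLOBALS['TSFE']->id)) . '">';
        foreach (array('name', 'email') as $f) {
            $html .= '<input name="' . $this->prefixId . '[' . $f . ']" value="' . htmlspecialchars($values[$f]) . '" />';
        }
        $html .= '<input type="submit" name="' . $this->prefixId . '[submit]" value="Send" /></form>';
        return $this->pi_wrapInBaseClass($html);
    }
}
```

Because the form action is the current page and the field names carry the plugin's prefixId, the values come back in $this->piVars exactly as Ries describes, and the same plugin either re-renders the form with errors or writes the row.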

