next »

[hardboiled]

Is there any way to populate a MakeForm object from $_POST?

For example: You submit a form, validate it, if it's valid then you 'processForm'. But if it's not valid, you just want to show the form again, except this time you want to keep all those user-changed field values from the $_POST array.

I tried using fromArray directly, but that didn't work:

Code:

$WebUserForm->fromArray($WebUser,$_POST);

[hardboiled]

I got around the problem by creating a Class that extends MakeForm. The new class has a duplicate of the method processForm, but with this one line removed:

Code:

$success= $object->save();

I must say it still feels a bit strange updating every property of an object with the entire $_POST array without any kind of checking.

Wouldn't malicious users be able to update, for example, the username and password of a WebUser, even though the form has no input fields for those?

I guess the alternative is to manually update the entire object with just the variables you want.

Is there a compromise?

[OpenGeek]

I got around the problem by creating a Class that extends MakeForm. The new class has a duplicate of the method processForm, but with this one line removed:

Code:

$success= $object->save();

I must say it still feels a bit strange updating every property of an object with the entire $_POST array without any kind of checking.

Wouldn't malicious users be able to update, for example, the username and password of a WebUser, even though the form has no input fields for those?

I guess the alternative is to manually update the entire object with just the variables you want.

Is there a compromise?

I don't think of it as a need to compromise, but rather as having a choice depending on the task at hand.  You can always remove unwanted $_POST variables very easily, and still have the convenience of using the $_POST var.  You can also apply stringent validation in your schema and/or via API.

Also, why wouldn't you just create the form from the object in both cases, which is loaded from the database always, and overridden from the POST using fromArray() when a POST is made?  This way you don't have to extend the MakeForm class.

[hardboiled]

Jason, while removing $_POST variables is easy in principle, there is a catch: MakeForm likes to name variables in the form Class-Key-Value-FieldName, so you end up having to do a fairly complex check. I would have to keep track of Class as well as FieldName. I'm already doing the latter so I guess I must now do the former?

[OpenGeek]

TBH, I rarely use MakeForm anymore and am considering removing it from xPDO altogether; I find it's much easier for me to just have someone build a form exactly how they want it, and process the objects as needed with fromArray(), validate(), and save().  That said, if someone is interested in improving MakeForm, I think it would still make a very useful add-on to MODx.

[Mortal]

    
I am newbie and I'm learning here with you
I have my tables and take advantage of personalized power Modx Revolution and xPDO.

If you use a Form jQuery plugins. Is not I'm going to skip the safety of Modx?

Are there any examples of a form for a custom base in Revolutuion?

An add-on would be great. but I am not afraid to "fromArray (), validate (), and save ()".

[hardboiled]

TBH, I rarely use MakeForm anymore and am considering removing it from xPDO altogether...

That's quite telling, Jason. For me, MakeForm is really only worth using for the buildForm() method. Without that, we're reduced to doing forms the long, hard, old-fashioned way. And wouldn't you still need to create a Class that generates form fields (select lists, checkboxes etc) and populates them from the DB and $_POST?

Aren't we using a framework to try and avoid all that drudgery?

Although I'll admit I've had a hard time working around MakeForms quirks ($_POST filtering, select lists etc).

[rthrash]

For a truly functional form class, it's going to take a lot of different form output iterations and a lot of different baseline formatting chunk tpls. Of course this could all be placed into property sets so it would be relatively painless now with Revo but there's a lot to consider. I think what Jason was honestly hoping is that someone would pick up where it left off and continue to improve MakeForm.

[OpenGeek]

For a truly functional form class, it's going to take a lot of different form output iterations and a lot of different baseline formatting chunk tpls. Of course this could all be placed into property sets so it would be relatively painless now with Revo but there's a lot to consider. I think what Jason was honestly hoping is that someone would pick up where it left off and continue to improve MakeForm.

That is correct Ryan, and it needs to be part of MODx anyway, not xPDO, since it handles rendering forms in a way specific to MODx.