My first post here, I have always found the help I needed in previously asked questions, thanks, but I'm stumped this time so here goes.
I'm still a novice, relatively speaking, compared to people on here, but I have developed a Joomla 2.5 component and I need to store data in AES encrypted format.
Ok so for saving the data, I've done this by overriding the prepareTable function in the model when saving the data, and that works very well.
But where is the best place to decrypt the data when loading it back into the user forms?
For the list views I can just call my own decrypt function in the view or even the layout and that's ok too.
But when I go to actually edit an individual record, using the standard Joomla myform.xml, the data is loaded into the form fields unencrypted.
I need to override some built in part of Joomla so that I can decrypt the data before it is populated into the form fields.
Can anyone please advise what function I can override to change the data before it is displayed in the form?
Maybe I've missed something obvious but what I am looking for is the same as prepareTable but for loading data, rather than saving it.
Thanks in advance for any help.
Solved, with Elin's suggestion.
When saving data I encrypt the data using a php function in the override of prepareTable.
Then for reading the data back into the form I extend the JFormField to JFormFieldAes adding the decrypt logic in the getInput function.
For custom Select form fields I use the same logic but put it in the getOptions function.
I now have the ability to encrypt any fields I choose without having to use any database encryption. It was quick and easy in the end.
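A worked version of the pattern described in this answer, added here as an example and not the poster's own code: an AES-256-GCM helper, the prepareTable override that encrypts on save, and a JFormFieldAes whose getInput() decrypts before rendering. It assumes PHP 7.1+ with the OpenSSL extension, Joomla 2.5's JModelAdmin and JFormFieldText classes, a hypothetical component com_example whose parameters hold a hex-encoded 32-byte key under aes_key_hex, and a table column named secret.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1+ (AES-GCM in
// openssl_encrypt, random_bytes), Joomla 2.5, a hypothetical component
// com_example whose parameters hold a 64-hex-character key "aes_key_hex",
// and a table column "secret". Keep that key out of the database that holds
// the ciphertext, or a database dump hands an attacker both.
defined('_JEXEC') or die;

class ExampleFieldCrypto
{
    const CIPHER = 'aes-256-gcm';
    const IV_LEN = 12;   // GCM nonce length
    const TAG_LEN = 16;  // GCM authentication tag length

    // Raw 32-byte key from the component configuration.
    public static function key()
    {
        $hex = (string) JComponentHelper::getParams('com_example')->get('aes_key_hex');
        if (strlen($hex) !== 64 || !ctype_xdigit($hex)) {
            throw new RuntimeException('com_example aes_key_hex must be 64 hex characters');
        }
        return hex2bin($hex);
    }

    // Fresh random IV per value; the GCM tag is stored with it, so a record
    // edited directly in the database fails to decrypt instead of decrypting
    // to garbage.
    public static function encrypt($plaintext)
    {
        $iv  = random_bytes(self::IV_LEN);
        $tag = '';
        $ct  = openssl_encrypt($plaintext, self::CIPHER, self::key(), OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return base64_encode($iv . $tag . $ct);
    }

    // Plaintext, or null if the value is not valid ciphertext under this key
    // (tampered record, rotated key, or a column that was never encrypted).
    public static function decrypt($stored)
    {
        $raw = base64_decode((string) $stored, true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return null;
        }
        $iv  = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($raw, self::IV_LEN + self::TAG_LEN);
        $pt  = openssl_decrypt($ct, self::CIPHER, self::key(), OPENSSL_RAW_DATA, $iv, $tag);
        return ($pt === false) ? null : $pt;
    }
}

// models/item.php: encrypt on save in prepareTable, as the poster does.
class ExampleModelItem extends JModelAdmin
{
    public function getTable($type = 'Item', $prefix = 'ExampleTable', $config = array())
    {
        return JTable::getInstance($type, $prefix, $config);
    }

    public function getForm($data = array(), $loadData = true)
    {
        $form = $this->loadForm('com_example.item', 'item', array('control' => 'jform', 'load_data' => $loadData));
        return empty($form) ? false : $form;
    }

    protected function loadFormData()
    {
        $data = JFactory::getApplication()->getUserState('com_example.edit.item.data', array());
        return empty($data) ? $this->getItem() : $data;
    }

    protected function prepareTable(&$table)
    {
        if (isset($table->secret) && $table->secret !== '') {
            $table->secret = ExampleFieldCrypto::encrypt($table->secret);
        }
    }
}

// models/fields/aes.php, found through addfieldpath in the form XML and used
// as <field name="secret" type="aes" label="Secret" />
JFormHelper::loadFieldClass('text');

class JFormFieldAes extends JFormFieldText
{
    protected $type = 'Aes';

    // The bound table value arrives encrypted; decrypt before the parent
    // renders the <input>. JFormFieldText HTML-escapes $this->value itself.
    protected function getInput()
    {
        $plain = ExampleFieldCrypto::decrypt($this->value);
        $this->value = ($plain === null) ? '' : $plain;
        return parent::getInput();
    }
}
```

Two caveats with this placement of the decrypt step. Rows written before the field was encrypted decrypt to null and render empty, so existing data needs a one-off migration. And when the form is redisplayed after a validation error, loadFormData() returns the submitted plaintext from the user state, which also fails decryption; decrypting in the model's getItem() instead of the field avoids that, at the cost of the per-field convenience the poster wanted. For a custom select field the same decrypt call goes in getOptions(), as the poster notes.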
I was wondering if I can somehow access Twig in an action to use its escaping function? I need this because I am converting text with Markdown and will need to show it raw in templates, but want to escape it before I save it.
Can I access the Twig service somehow, and what function would I call?
It's a bad idea to modify user input before persisting it. You should persist it as is and transform on output. If you are concerned about the performance of this approach, caching is the answer.
The reason for this is that if you have a bug in your transformation logic or decide later to change it, you'll be in trouble if you persist the transformed input.
BTW, take a look at a markdown bundle.
Background: I have a complex search form that stores the query and its hash in a cache. Once the cache is set, I redirect to something like /searchresults/e6c86fadc7e4b7a2d068932efc9cc358 where that big long string on the end is the md5 hash of my query. I need to make a new argument for Views to know what the hash is good for.
The reason for all this hassle is because my original search form is way too complex and has way too many arguments to consider putting them all into the path and expecting to do the filtering with the normal Views arguments.
Now for my question. I have been reading the Views 2 documentation but not figuring out how to accomplish this custom argument. It doesn't seem to me like this should be as hard as it seems like it must be. Leaving aside any knowledge of the Views API, it would seem that all I need is a callback function that will take the argument from the path as its only argument and return a list of node IDs to filter to.
Can anyone point me to a solution or give me some example code?
Thanks for your help! You guys are great.
PS. I am pretty sure that my design is the best I can come up with; let's not get off my question and into cross-checking my design logic if we can help it.
It's not as easy as you would like to make it.
In Views, arguments are used to return objects, e.g. user, node, term, custom object. So you could make some custom code to get the "query object". That would only be the first step. You then need to get the info from the query object. You could either try making a custom relationship bond with the nodes or build your own filter to make the SQL needed. This can quickly become a confusing time sink.
Instead, I would suggest that you use hook_views_query_alter, which will allow you to alter the query. Since you already have the SQL, it's just a matter of checking for the hash and, if it's there, altering the query. Should be a pretty simple thing to do. The only thing that is a bit tricky is that you have to make the query with the query object that Views uses, but it's not that hard to figure out.
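The hook_views_query_alter approach this answer recommends, written out as an added example (not the answerer's code). It assumes Drupal 6 with Views 2, a hypothetical module named searchhash, a view named searchresults displayed at /searchresults/<md5>, and that the search form cached the list of matching node IDs under the key searchhash:<md5> when it computed the hash; the hash is validated before it is used anywhere, and the IDs are bound through placeholders.

```php
<?php
// Added example, not the answerer's code. Assumes Drupal 6 with Views 2, a
// hypothetical module "searchhash", a view named "searchresults" shown at
// /searchresults/<md5>, and that the search form stored the matching node
// IDs in the cache table under 'searchhash:<md5>' (cache_set) when it
// computed the hash.

/**
 * Implements hook_views_query_alter().
 *
 * Narrows the view to the node IDs the cached search produced. Anything
 * that is not a well-formed, still-cached hash yields an empty result
 * rather than the unfiltered node list.
 */
function searchhash_views_query_alter(&$view, &$query) {
  if ($view->name != 'searchresults') {
    return;
  }

  // The hash comes straight from the path: check its shape (32 lowercase hex
  // characters) before it touches the cache key or the query.
  $hash = arg(1);
  if (!is_string($hash) || !preg_match('/^[0-9a-f]{32}$/', $hash)) {
    $query->add_where(0, '1 = 0');
    return;
  }

  $cached = cache_get('searchhash:' . $hash, 'cache');
  if (!$cached || empty($cached->data) || !is_array($cached->data)) {
    $query->add_where(0, '1 = 0');   // expired or unknown search
    return;
  }

  // Only integers reach the IN list, and they are bound as placeholders, not
  // concatenated into the SQL.
  $nids = array_values(array_map('intval', $cached->data));
  $query->add_where(0, 'node.nid IN (' . db_placeholders($nids, 'int') . ')', $nids);
}
```

The assumed counterpart on the form side is a cache_set('searchhash:' . $hash, $nids, 'cache', CACHE_TEMPORARY) at the point where the redirect is issued. Failing closed (1 = 0) on a malformed or expired hash matters because the view's base query otherwise returns every node the user may see.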
I'm sorry for maybe making such a basic question but in ASP.NET websites what does the __VIEWSTATE input field represent?
Also, is there any way to compute its value (based on the values of other form fields)?
EDIT
I understand that __VIEWSTATE, as the name suggests, maintains the values of form field values in webpages however what I'm interested in knowing is how this state (the string) is generated. If I base64_decode any __VIEWSTATE string all I see is a bunch of cryptic HTML.
Is there any way to better understand what exactly is being encoded? I've searched on past questions and I've found some tools that can do this like this one, but unfortunately it doesn't seem to work.
The reason I'm asking this is because I have access to a web service API that gives me most of the values I need to work with. However, I also need an additional field that is only available on the last stage of the form. I already contacted the web service provider, but unfortunately they're not going to update their API so soon. I was hoping I could prefill the form's initial values using the web service data and then calculate the __VIEWSTATE to access the last field that shows up on the last stage of the form; it would make the whole process a lot faster.
Not sure if I made myself clear enough though...
Paul Wilson has a very good article: ViewState: All You Wanted to Know
VIEWSTATE can be deserialized with the LosFormatter class.
A quick Google search answers the question:
http://msdn.microsoft.com/en-us/library/ms972976.aspx
First sentence:
Microsoft® ASP.NET view state, in a nutshell, is the technique used by an ASP.NET Web page to persist changes to the state of a Web Form across postbacks.
If you really want to understand it well, see Dave Reed's article about ViewState.
Do take a look at the biter script posted at http://forums.techarena.in/windows-software/1329157.htm.
That script shows how to set up and use __ViewState and other .NET variables.
That script logs into a .NET site and gets stock values without going through a browser. Instead of the user doing it manually, the script does it programmatically.
What do you mean by compute its value?
Assume that it is a compressed (actually Base64 encoded) pair of your form fields/values in text form, which gets serialized into server side objects for you to work with.
The easiest way of doing this in Razor is putting this on a view:
@{
throw new Exception();
}
We have a long-running website where XSS lurks. The problem comes from some developers directly retrieving Request["sth"], without using HtmlEncode/Decode(), to do the processing and put it on the web.
I wonder if there is any mechanism like HTTPModule to help us HtmlEncode() all the items in a Http request to avoid XSS to some extent.
I'd appreciate any suggestion.
Rgds,
Ricky
The problem is not retrieving Request data without HTML-encoding. In fact that's perfectly correct. You should not encode any text until the final output stage when you spit it into an HTML page.
Trying to blanket-encode incoming parameters, whether that's HTML-encoding or SQL-encoding, is totally the wrong thing. It may hide XSS holes in your app but it does not fix them. You will still have a hole if you output content that hasn't come from parameters, or has been processed since then. Meanwhile the automatic encoding will fill your database with multiply-escaped & crud.
You need to fix the output stage, that's where the problem lies.
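The point this answer makes, which is the same one made above about escaping Markdown before saving it, shown in working code. This is an added example, not code from the thread; PHP's htmlspecialchars stands in for ASP.NET's HttpUtility.HtmlEncode, and the user input is a constructed string.

```php
<?php
// Added example, not from the thread. htmlspecialchars stands in for
// ASP.NET's HttpUtility.HtmlEncode; the user input below is constructed.

function html_escape($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Approach A (the "HttpModule that HtmlEncodes every request value" idea):
// encode before storing, then render like any other stored value.
function encode_at_input($userInput)
{
    $stored = html_escape($userInput);                  // what lands in the DB
    return array(
        'stored'   => $stored,
        'html'     => html_escape($stored),             // a correct view escapes again
        'html_raw' => $stored,                          // a view that trusts the DB
        'json'     => json_encode(array('name' => $stored)),
        'csv'      => $stored,
    );
}

// Approach B (this answer's advice): store the raw input and escape at each
// output for the context it lands in.
function encode_at_output($userInput)
{
    $stored = $userInput;
    return array(
        'stored' => $stored,
        'html'   => html_escape($stored),
        'attr'   => '<input value="' . html_escape($stored) . '">',
        'json'   => json_encode(array('name' => $stored)),
        'csv'    => $stored,
    );
}

$input = 'Tom & Jerry <script>alert(1)</script>';

// A: 'html' is double-escaped, so the page shows "&amp;" and "&lt;script&gt;"
// as literal text; 'json' and 'csv' carry HTML entities into consumers that
// are not HTML; and 'html_raw' is only safe while every row in the table was
// written through the encoding module (an imported row, or one written by an
// older code path, is not).
$a = encode_at_input($input);

// B: 'html' and 'attr' render the name with the tag shown as text, and
// 'json' and 'csv' carry the real value.
$b = encode_at_output($input);

foreach (array('A' => $a, 'B' => $b) as $label => $out) {
    foreach ($out as $key => $value) {
        echo "$label $key: $value\n";
    }
}
```

The Markdown case above follows the same rule: persist the Markdown source as typed, and run the conversion plus escaping in the template when it is rendered.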
Like bobince said, this is an output problem, not an input problem. If you can isolate where this data is being output on the page, you could create a Filter and add it to the Response object. This filter would isolate the areas that are common output and then HtmlEncode them.
I'm looking for a bit of advice with regards to the structure of an application I'm tasked with.
I need to have a series of webforms to store some data; most of the data is the same, but each form would have some differing data depending on the form used.
Would a base class then a series of classes inheriting from this for the specific data be best to use?
As in:
order
  - compAOrder
  - compBOrder
  - compCOrder
How about structuring the database for this sort of application structure?
The answer to this kind of question is always "It depends", but here is a possible solution:
Program the system with a single web page for form data input.
Use a query string value to identify which form it is.
Hide and enable fields depending upon which form it is.
Have a single data table that has all the possible fields.
Hope this helps
Shiraz
I eventually went with a catch-all table with all the fields and different forms.