Security in Symfony2's POST value

I have a text box on my website. This text box sends a text value with a form via the POST method.
This form searches for specific text in the database.
How can I be certain that the input data is safe from SQL injection or XSS?

Because of the nature of the ORM database style in Symfony2 you are naturally protected from SQL injection. Data that does not match the constraints set by your configuration or Validator class will be rejected before reaching the database anyway.
Data is automatically encoded before being passed into the Request class. XSS is not possible because on both the receiving side and the outputting side the data is not in its raw form unless you specify it to be, in which case you would negate the built-in security anyway.
XSS in forms is not feasible because Symfony by default (when using the Form class) will create CSRF tokens in your form submissions to validate the sender of the request. Unless you specifically disable them, they will be generated automagically and included in a hidden field.
The built-in functionality of Symfony is only a first step; the best practice is to use Data Transformers to ensure your data is of the format and type you expect it to be.
Data Transformers: http://symfony.com/doc/current/cookbook/form/data_transformers.html
Finally, on the note of SQL injection, using the built-in QueryBuilder or the DQL language (if you're using Doctrine) is another layer of security to prevent injections when using highly customized queries.
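As an added example (not code from the original post or from Symfony itself), this is the layered approach the answer describes for a search box: constraint validation on the posted term first, then a bound DQL parameter instead of string concatenation. It assumes a hypothetical Acme\BlogBundle\Entity\Article entity with a title column, a POST field named q, the Symfony 2.5+ Validator API and the Doctrine ORM QueryBuilder.

```php
<?php
// Added example, not code from the original post. Assumes a Doctrine entity
// Acme\BlogBundle\Entity\Article with a "title" column and a POST field named "q";
// uses the Symfony 2.5+ Validator API and the Doctrine ORM QueryBuilder.
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validator\ValidatorInterface;

class ArticleSearch
{
    private $em;
    private $validator;

    public function __construct(EntityManagerInterface $em, ValidatorInterface $validator)
    {
        $this->em = $em;
        $this->validator = $validator;
    }

    /** @return \Acme\BlogBundle\Entity\Article[] */
    public function search(Request $request)
    {
        $term = (string) $request->request->get('q', '');

        // 1. Validate the shape of the input before it gets anywhere near the database.
        $violations = $this->validator->validate($term, array(
            new Assert\NotBlank(),
            new Assert\Length(array('min' => 2, 'max' => 64)),
        ));
        if (count($violations) > 0) {
            return array();
        }

        // 2. Never splice $term into the DQL string. The pattern to avoid:
        //   "SELECT a FROM AcmeBlogBundle:Article a WHERE a.title LIKE '%$term%'"
        // A bound parameter travels to the driver separately from the query text,
        // so the term can only ever be treated as data, never as query syntax.
        $qb = $this->em->createQueryBuilder()
            ->select('a')
            ->from('Acme\BlogBundle\Entity\Article', 'a')
            ->where('a.title LIKE :pattern')
            // Escape LIKE wildcards so a user cannot widen the match to every row.
            ->setParameter('pattern', '%' . addcslashes($term, '%_\\') . '%')
            ->setMaxResults(50);
        return $qb->getQuery()->getResult();
    }
}
```

On the output side, echoing the term back into a Twig template as `{{ term }}` relies on Twig's default autoescaping, which is what covers the XSS half; only a `|raw` filter would switch it off.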

Related

Extension Library REST control XPages

I am using the Extension Library REST control's ViewJsonService to provide data from a Notes database. Is there an easy way, using the same control, to provide the data from two databases? I can put a similar view from dbA into dbB.
Short answer: no
Long answer:
I presume you want the data from 2 views available in a single endpoint. Either after each other (appended) or somehow merged.
You can do that using code. Check this article for basic info.
In a nutshell: use the ViewNavigator class in both databases to retrieve results and append or merge the data before you return it.
Nice side effect: you can return all the data.

How to access a connector / database from the initial/instantiation form/page?

Hi everybody, any help will be appreciated.
I tried to access it using the REST API, but the method needs the activity/task id or the instance flow id.
This is because the connector stores its result in a process/local/Business data model or variables,
but in the initial form I don't have an
instance of the flow/task/activity and I can't access the variable that stores the value.
I need to use the connector to access the database and the LDAP
to get some values to show in the initial form before instantiating the process.
Is there any way to call a Groovy script from the initial form? If there is,
I can access the database from that script and save this value into a form variable to show it in the form, I think.
P.S.: I use Bonita 7.2
Thanks!
Sounds like you have a chicken and egg problem.
Can you instantiate the process with minimal data, then use a connector out to populate the BDM with the connector data, and then make the first step of your process the "initial" form? At that point you then have the case, taskid, etc.
If the data is not task/case specific, you can access the BDM data via the REST API and a custom query - i.e. you're not just limited to the APIs that require the case/task/instance, etc. However, you may need to get clever with how you isolate that record. For example, I have some global parameters that I keep in the BDM, and access them within my form by requesting the first record in that table via the REST API:
I created a variable called "globals" of type "External API" with the following REST call that retrieves the record with persistenceId=1:
../API/bdm/businessData/com.company.model.GlobalParameters/1
In your case, you probably need to use a REST API extension. Basically, you can create a new REST endpoint using a Groovy script. There is documentation available here: http://documentation.bonitasoft.com/rest-api-extensions-808
Cheers

Is there anything that provides the kind of support PHP's filter_var does in ColdFusion?

I've found filter_var to be extremely useful in validating and sanitizing user input with PHP, but I've yet to find anything even remotely as convenient in ColdFusion (more specifically, CF8).
Obviously I can hack together something using REReplace, but that would take significantly more time to code up and would be much uglier than using the pre-defined filters available in PHP. Is there a more efficient way or do I just need to bite the bullet?
There are three different options available to you. Since you're attempting to manage user input, I assume you're using forms. isValid most closely mimics your functionality, allowing you to check if a value specified matches either a data type or a regular expression and returns true or false, and includes attributes by default to define a range. It does not support the ability to create a custom 'filter' beyond defining a regular expression however.
The second option would be using cfparam tags on your POST processing page, which allows you to specify the existence of a variable, test against a data type or define a regular expression, and optionally assign a default value if the variable doesn't exist. If you attempt to process a page where the field is not defined and no default value is assigned, however, ColdFusion throws an error.
Finally, you can do validation by using cfform and cfinput fields on your form itself, which allows for client-side data validation for existence and types (it also supports server-side validation but its implementation is sloppy), regular expressions, and input masking: taking user-entered data and conforming it to a specific format (like adding dashes to phone numbers and zip codes).

Help applying DDD to dynamic form application

I am designing an application that will display dynamically-generated forms to the user who will then enter values into the form fields and submit those values for persistence. The form represents an employee evaluation.
One use case allows an administrator (from HR) to define the form fields. They should be able to create a new form, add/remove fields from a form and mark a form as 'deleted'.
The second use case is when a manager views the form and enters values into the form fields for a specific employee. They should be able to save the values at any time and recall the saved values when viewing the form again for the same employee.
Finally, when the manager is satisfied with the values they've entered for that employee, they can 'submit' the form data which persists the flattened data into the data warehouse for reporting purposes. When this is done, the 'working' copy of the data is removed so the form will display empty the next time they view it for that employee.
I am not concerned with the front-end at this point and am working on the back-end service application that sits between the client and the data store. The application must provide a coarse-grained interface for all of the behavior required.
My question is how many aggregate roots do I actually have (and from that, how many repositories, etc)? Do I separate the form definition from the form data even though I need both when displaying the form to the user?
I see two main entities, 'EmployeeEvaluationSchema' and 'EmployeeEvaluation'. The 'EmployeeEvaluationSchema' entity would have a collection of 'FieldDefinition' value objects which would contain the properties that define a field, the most basic being the name of the field. The 'EmployeeEvaluation' entity would have a collection of 'FieldValue' value objects which contain the values for each field from the definition. In the simplest case, it would have a field name and value property. Next, the 'EmployeeEvaluation' could have a reference to 'EmployeeEvaluationSchema' to specify which definition the particular evaluation is based on. This can also be used to enforce the form definition in each evaluation. You would have two repositories - one for each entity. If you were to use an ORM such as NHibernate, then when you retrieve a 'EmployeeEvaluation' entity, the associated 'EmployeeEvaluationSchema' would also be retrieved even though there is a dedicated repository for it.
From your description it sounds like your objects don't have any behavior and are simple DTOs. If that is the case maybe you should not bother doing DDD. Can you imagine your entities without having getters? There are better ways to do CRUDish application than DDD. Again this is only valid if your "domain" does not have relevant behavior.

What is the best way to validate multiple fields using JSF Framework?

I need to validate multiple fields in the JavaScript Framework, but can't figure out how.
What kind of validation do you need?
Client side: you must use a Javascript validation framework. For example, this one is a good validation framework using jQuery.
Server side: you just need to use <f:validateXXX/> components. For example, <f:validateLength minimum="2" maximum="8"/> will check that the field contains a value that has a size between 2 and 8 characters. Otherwise, it will throw an Exception. Note that there are only a few validators by default, and you will not be able to validate an email address, or something like that. However, it is really easy to develop your own validator...
Server side, using Ajax. This is almost the same thing as the previous type of validation, except that the validation is ajaxified, which means that a request will be sent to the server once the user fills a field, and then validate the field. This is useful to check the value on the fly. The component library RichFaces offers such features.
JSF has a validation framework that can be used for simple validations, like mandatory, length, format etc.
In addition it allows you to write custom validators which are invoked for field validations once configured in myfaces file.
Also a bunch of fields can be grouped into "SubForms" which will let you validate several fields in a go. A seamless validation without page being submitted would require Ajax integration. (Richfaces is a good option)
