Good day, dear %username%. I would like to tell you about one interesting feature of working with the Sanitize class. This class is part of the core of the CakePHP framework and is designed to "clean" incoming data; for example, it can be used to clean user-supplied data before it is saved to the database. The official documentation and usage examples are at book.cakephp.org/view/1183/Data-Sanitization . I strongly recommend that every developer using CakePHP become familiar with this class.
But Sanitize has one feature that is not documented, and it took the author quite a while to get to the bottom of it. I would like to describe it in more detail. Although, if you sit down and think about it properly, it is not really a feature or a catch at all; you just need to be careful, and everything turns out to be understandable, simple and obvious. Sanitize has four static methods:
- Sanitize::paranoid - removes "extra" characters from a string
- Sanitize::html - strips HTML
- Sanitize::escape - escapes a string before it goes into the database
- Sanitize::clean - "cleans" the array passed to it.
Here we are most interested in the clean method. Sanitize::clean(mixed $data, mixed $options) takes two parameters: $data, the array to clean, and $options, the set of cleaning (or, if you prefer, filtering) rules to apply:
- odd_spaces
- encode
- dollar
- carriage
- unicode
- escape
- backslash
Each of these rules is applied recursively to every element of $data. Let's look at this with a live example. We have:
- a comments table (id, first_name, last_name, email, comment)
- a Comment model
- a Comments controller with add and view methods
Let's start with the controller method for adding a comment:
```php
public function add() {
```
Nothing out of the ordinary or hard to understand here.
```php
Sanitize::clean($this->data)
```
As you can see, we used every filter this method offers (no options were passed, so all of them are enabled).
Now let's add the first comment and look at what came out.
Stop, stop, stop: where did the second slash in the last_name field come from? Maybe it is a display error?
Let's see how the data looks in the database.
So the quotes were encoded; that is understandable. But where does this second slash in the last_name field come from? You and I, %username%, know perfectly well that escaping adds escape slashes to the string (sorry for the tautology), but they are present in the string only until it reaches the database. In other words, the escape characters never get into the database. So what happened in this case? Let's figure it out! To do so, remove the redirect to the default action from the add method (comment out the line $this->redirect('/comments/');), enter the same data and see what happens. Here is the INSERT query:
```sql
INSERT INTO `comments` (`first_name`, `last_name`, `email`, `comment`) VALUES ('Lorem ' ipsum "', 'Aliquam\\\\ut/metus', 'consectetur@amet.sit', 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus posuere, lectus vel mollis laoreet, mauris est vehicula tortor, non tincidunt purus turpis id ligula. Ut gravida scelerisque nisi in auctor. Sed fringilla eleifend massa in mattis. Suspendisse potenti.')
```
As we recall, Sanitize cleans the data before it is saved to the database, so some of the characters were escaped. Escaping slashes are not written to the database; that is understandable. In our case we have four "\" characters: two of them ended up in the database, and the other two were escaping. So the string must have been escaped twice. And in fact that is exactly what happens: if you dig into the source of the save method (or simply think it through), you will find that Model->save() also escapes the string before saving. So if you use save together with Sanitize, disable the escape option, as in our case:
```php
$this->data = Sanitize::clean($this->data, array('escape' => false));
```
But if you write data with the Model->query() method, the Sanitize escape option must stay enabled.
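To make the double escaping visible without a database, here is an added example (not code from the original article or from CakePHP): sanitizeClean() and buildInsert() are hypothetical stand-ins for Sanitize::clean() and Model::save(), with addslashes() in place of the driver's escaping and stripslashes() modelling what the database keeps for a quoted literal.

```php
<?php
// Added example (not CakePHP code): models the double escaping with addslashes().

// Minimal stand-in for Sanitize::clean(): only the 'encode' and 'escape'
// rules are modelled; the real method has more, all applied recursively.
function sanitizeClean(array $data, array $options = array()) {
    $options = array_merge(array('encode' => true, 'escape' => true), $options);
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = sanitizeClean($value, $options);
            continue;
        }
        if ($options['encode']) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); // quotes become entities
        }
        if ($options['escape']) {
            $value = addslashes($value);                             // first escaping layer
        }
        $data[$key] = $value;
    }
    return $data;
}

// Stand-in for Model::save(): it escapes every value itself while building the INSERT.
function buildInsert($table, array $row) {
    $cols = array();
    $vals = array();
    foreach ($row as $col => $val) {
        $cols[] = "`$col`";
        $vals[] = "'" . addslashes($val) . "'";                       // second escaping layer
    }
    return "INSERT INTO `$table` (" . implode(', ', $cols) . ") VALUES (" . implode(', ', $vals) . ")";
}

// What the database would keep for one single-quoted literal.
function storedValue($quotedLiteral) {
    return stripslashes(trim($quotedLiteral, "'"));
}

// Constructed input with a single backslash, like the article's last_name.
$input = array('last_name' => 'Aliquam\\ut/metus');

foreach (array('escape on' => array(), 'escape off' => array('escape' => false)) as $label => $opts) {
    $sql = buildInsert('comments', sanitizeClean($input, $opts));
    preg_match("/VALUES \\((.*)\\)$/", $sql, $m);
    $stored = storedValue($m[1]);
    printf("%-10s query:  %s\n", $label, $sql);
    printf("%-10s stored: %s (%s)\n\n", $label, $stored,
        $stored === $input['last_name'] ? 'matches input' : 'corrupted');
}
```

With escape on, the query carries four backslashes and two are stored; with escape off, save()'s own escaping is the only layer and the stored value matches the input.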
Thanks to everyone who read this far. I don't know, but I myself think this article belongs in the "Oh hi guys, I discovered America yesterday" category. So be it, but I still think this is a subtlety that a novice (one who reads the documentation poorly) can seriously stumble over. I will listen with great attention to any comments and suggestions.