Extra Profile Fields Not Saving
angolanmade
03-04-2010, 10:51 PM
I've attempted to add extra profile fields following the tutorial found here: http://hotarucms.org/showthread.php?226-Adding-Extra-Profile-Fields&highlight=profile+fields
Everything works fine, except that when I click save the inputted web address doesn't actually save.
angolanmade
03-04-2010, 11:21 PM
Okay I got it to save by changing
$profile['website'] = $h->cage->post->testUri('website');
to
$profile['website'] = $h->cage->post->getHtmLawed('website');
Is this the right way of doing this?
If it doesn't save, it's probably not a valid URI and the function testUri('website') will return false instead of the URI.
To save any type of input you can use getRaw('website');
getHtmLawed('website'); is used for cleaning up HTML code. It might work but I don't think it's the way to go.
testUri needs a full URL with http:// on the front. As ties said, if it doesn't work then it's not parsing as a valid URL. getHtmLawed is the best alternative because it sanitizes the data.
htmLawed (http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/):
use to filter, secure & sanitize HTML in blog comments or forum posts, generate XML-compatible feed items from web-page excerpts, convert HTML to XHTML, pretty-print HTML, scrape web-pages, reduce spam, remove XSS code, etc.
Ok, but the demo @ http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/ didn't do much for a string without the http://
So I'm confused...
I'd do this if you really want the http://
<tr><td>Website: </td><td>http://<input type="text" name="website" value="<?php echo $profile['website']; ?>"></td></tr>
then (because some ppl just don't get it):
$profile['website'] = 'http://' . preg_replace('/^(http:\/\/)/', '', trim($h->cage->post->getRaw('website')));
But maybe I'm just stubborn...
Sorry ties, but my advice is still: Never use getRaw.
This from Coppermine Gallery, another script that uses Inspekt:
Care should be taken to as far as possible not use the getRaw() method - if it is used then please comment profusely as to why it is safe to use getRaw in the given circumstances (e.g.: the same value was tested against a regex before fetching or the value is sanitized immediately after getting). If there is a case where getRaw() cannot be avoided but is still unsafe please comment on possible solutions. Once again - the final aim is to NOT use getRaw() at all.
A hacker could register for your site, input some malicious code in the profile website field and who knows what might happen?
That sounds like a good argument :eek:
It's far more complicated than I thought...
Maybe this is a solution, after doing some research:
$url = 'example.com';
if( filter_var($url, FILTER_VALIDATE_URL) ) echo $url;
else if(filter_var('http://'.$url, FILTER_VALIDATE_URL)) echo 'http://'.$url;
where url can be your sanitized data, for the (good) sake of safety :)
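The URL handling discussed in the posts above, as an added example that is not part of the original thread or of Hotaru CMS: it prepends http:// when the scheme is missing, validates with filter_var, restricts the scheme to http/https, and escapes the value when it is written into the link. The function name normalize_profile_url and the sample inputs are hypothetical.

```php
<?php
// Added example: normalize_profile_url() and $samples are hypothetical names.

/**
 * Return a normalised http(s) URL, or false if the input cannot be accepted.
 */
function normalize_profile_url($input)
{
    $url = trim((string) $input);
    if ($url === '') {
        return false;
    }
    // No scheme given ("example.com"): assume http://, as suggested in the thread.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
        $url = 'http://' . $url;
    }
    // Syntax check only: FILTER_VALIDATE_URL also accepts schemes such as ftp://.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // Allowlist the scheme so only web links end up in the href attribute.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;
    }
    return $url;
}

// Constructed sample inputs, not taken from the thread.
$samples = array('example.com', 'https://example.com/a?b=1&c=2',
                 'ftp://example.com/file', 'not a url');
foreach ($samples as $raw) {
    $url = normalize_profile_url($raw);
    if ($url === false) {
        echo 'rejected: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    // Escape at output time: the value lands in an attribute and in link text.
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    echo '<a href="' . $safe . '" rel="nofollow">' . $safe . "</a>\n";
}
```

Validation decides what gets stored; the htmlspecialchars call is still needed wherever the stored value is echoed, because a syntactically valid URL can contain characters such as & that must be encoded in HTML.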
angolanmade
03-08-2010, 12:44 AM
I'm trying to add a drop-down list as one of the extra profile fields. I'm having a little bit of trouble getting this field to save; I'm pretty sure it has something to do with the select name code.
Here's what I have in the edit_profile.php:
$profile['fname'] = $h->cage->post->getHtmLawed('fname');
$profile['lname'] = $h->cage->post->getHtmLawed('lname');
$profile['email'] = $h->cage->post->getHtmLawed('email');
$profile['type'] = $h->cage->post->getHtmLawed('type');
$profile['twitter'] = $h->cage->post->testUri('twitter');
$profile['website'] = $h->cage->post->testUri('website');
$profile['bio'] = sanitize($h->cage->post->getHtmLawed('bio'), 'all');
<tr><td>First Name: </td><td><input name="fname" type="text" value="<?php echo $profile['fname']; ?>" size="35"></td></tr>
<tr><td>Last Name: </td><td><input name="lname" type="text" value="<?php echo $profile['lname']; ?>" size="35"></td></tr>
<tr><td>E-mail: </td><td><input name="email" type="text" value="<?php echo $profile['email']; ?>" size="35"></td></tr>
<tr><td>Twitter: </td><td><input name="twitter" type="text" value="<?php echo $profile['twitter']; ?>" size="35"></td></tr>
<tr><td>Website: </td><td><input name="website" type="text" value="<?php echo $profile['website']; ?>" size="35"></td></tr>
<tr><td>About Me: </td><td><textarea cols=35 rows=3 name='bio'><?php echo $profile['bio']; ?></textarea></td></tr>
<tr><td>Profile Type: </td><td> <select name=""><option value="Player">Player</option><option value="Coach">Coach</option><?php echo $profile['type']; ?> </select> </td></tr>
And here is what I have in the profile.php file:
<div id="profile_bio">
<table>
<tr><td>Full Name: </td><td><?php echo $profile['fname']; ?> <?php echo $profile['lname']; ?></td></tr>
<tr><td>E-mail: </td><td><?php echo $profile['email']; ?></td></tr>
<tr><td>Twitter: </td><td><a href="<?php echo $profile['twitter']; ?>"> <?php echo $profile['twitter']; ?></a></td></tr>
<tr><td>Website: </td><td><a href="<?php echo $profile['website']; ?>"> <?php echo $profile['website']; ?></a></td></tr>
<tr><td>Type: </td><td><?php echo $profile['type']; ?></td></tr>
<tr><td>About Me: </td><td><?php echo $profile['bio']; ?></td></tr>
</table>
</div>
<select name="type">
<?php
$profile_types = array("Player","Coach");
foreach($profile_types as $profile_type) {
if( $profile_type == $profile['type']) echo "<option value=\"$profile_type\" selected="selected">$profile_type</option>";
else echo "<option value=\"$profile_type\" >$profile_type</option>";
}
?>
</select>
Does this help?
Edited: made a typo
Edited 2: if you want to add profile types you can easily extend the array like this:
$profile_types = array("Player","Coach","Supporter","Referee","Another Type"); // etc etc etc
@angolanmade, you're using this:
$h->cage->post->getHtmLawed('profiletype');
But you have nothing with the name "profiletype".
angolanmade
03-08-2010, 02:09 AM
Nick, thanks for catching that. I defined everything as $profile['profiletype'] and later switched it to $profile['type']; however, that didn't seem to solve the issue.
At Ties
Hmm, I tried your solution but as soon as i put that particular code in the edit_profile.php that page becomes inaccessible.
Here's the latest code in the edit_profile.php:
$profile['type'] = $h->cage->post->getHtmLawed('type');
<tr><td>Profile Type: </td><td> <select name="type"> <?php $profile_types = array("Player","Coach","Referee");
foreach($profile_types as $profile_type) {
if( $profile_type == $profile['type']) echo "<option value=\"$profile_type\" selected="selected">$profile_type</option>";
else echo "<option value=\"$profile_type\" >$profile_type</option>";
}
?></select></td></tr>
<tr><td>Profile Type: </td><td><?php echo $profile['type']; ?></td></tr>
Just to be sure, what it should be:
$profile['fname'] = $h->cage->post->getHtmLawed('fname');
$profile['lname'] = $h->cage->post->getHtmLawed('lname');
$profile['email'] = $h->cage->post->getHtmLawed('email');
$profile['type'] = $h->cage->post->getHtmLawed('type');
$profile['twitter'] = $h->cage->post->testUri('twitter');
$profile['website'] = $h->cage->post->testUri('website');
$profile['bio'] = sanitize($h->cage->post->getHtmLawed('bio'), 'all');
<tr>
<td>First Name: </td><td><input name="fname" type="text" value="<?php echo $profile['fname']; ?>" size="35"></td></tr>
<tr>
<td>Last Name: </td><td><input name="lname" type="text" value="<?php echo $profile['lname']; ?>" size="35"></td></tr>
<tr>
<td>E-mail: </td><td><input name="email" type="text" value="<?php echo $profile['email']; ?>" size="35"></td></tr>
<tr>
<td>Twitter: </td><td><input name="twitter" type="text" value="<?php echo $profile['twitter']; ?>" size="35"></td></tr>
<tr>
<td>Website: </td><td><input name="website" type="text" value="<?php echo $profile['website']; ?>" size="35"></td></tr>
<tr>
<td>About Me: </td><td><textarea cols=35 rows=3 name='bio'><?php echo $profile['bio']; ?></textarea></td></tr>
<tr>
<td>Profile Type: </td><td>
<select name="type">
<?php
$profile_types = array("Player","Coach");
foreach($profile_types as $profile_type) {
if( $profile_type == $profile['type']) echo "<option value=\"$profile_type\" selected=\"selected\">$profile_type</option>";
else echo "<option value=\"$profile_type\" >$profile_type</option>";
}
?>
</select>
</td></tr>
Nvm, that was when I created the post; I fixed it before submitting... it's late, I'm going to bed.
You can also change
$h->cage->post->getHtmLawed('email');
to
$h->cage->post->testEmail('email');
angolanmade
03-08-2010, 02:32 AM
Still no luck, the page is inaccessible after adding the select name, here's what I have:
Here's the error with debug mode on:
Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /content/themes/new-theme/users_edit_profile.php on line 70
// get updated fields.
if ($h->cage->post->getAlpha('edited_profile') == 'true') {
$profile['fname'] = $h->cage->post->getHtmLawed('fname');
$profile['lname'] = $h->cage->post->getHtmLawed('lname');
$profile['email'] = $h->cage->post->testEmail('email');
$profile['twitter'] = $h->cage->post->testUri('twitter');
$profile['website'] = $h->cage->post->testUri('website');
$profile['type'] = $h->cage->post->getHtmLawed('type');
$profile['bio'] = sanitize($h->cage->post->getHtmLawed('bio'), 'all');
<div id="users_edit_profile" class="users_content">
<h2><?php echo $h->lang["users_profile_edit"]; ?>: <?php echo $h->vars['user']->name; ?></h2>
<?php echo $h->showMessage(); ?>
<form name='edit_profile_form' class='users_form' action='<?php echo $h->url(array('page'=>'edit-profile', 'user'=>$h->vars['user']->name)); ?>' method='post'>
<table>
<tr><td>First Name: </td><td><input name="fname" type="text" value="<?php echo $profile['fname']; ?>" size="35"></td></tr>
<tr><td>Last Name: </td><td><input name="lname" type="text" value="<?php echo $profile['lname']; ?>" size="35"></td></tr>
<tr><td>E-mail: </td><td><input name="email" type="text" value="<?php echo $profile['email']; ?>" size="35"></td></tr>
<tr><td>Twitter: </td><td><input name="twitter" type="text" value="<?php echo $profile['twitter']; ?>" size="35"></td></tr>
<tr><td>Website: </td><td><input name="website" type="text" value="<?php echo $profile['website']; ?>" size="35"></td></tr>
<tr><td>About Me: </td><td><textarea cols=35 rows=3 name='bio'><?php echo $profile['bio']; ?></textarea></td></tr>
<tr><td>Profile Type: </td><td> <select name="type"> <?php $profile_types = array("Player","Coach"); foreach($profile_types as $profile_type) { if( $profile_type == $profile['type']) echo "<option value=\"$profile_type\" selected="selected">$profile_type</option>"; else echo "<option value=\"$profile_type\" >$profile_type</option>"; } ?> </select> </td></tr>
<?php // Add your own profile fields here. Use tr and td tags. ?>
<?php $h->pluginHook('user_edit_profile_extras'); ?>
<tr><td> </td><td style='text-align:right;'><input type='submit' class='submit' value='<?php echo $h->lang['users_profile_edit_update']; ?>' /></td></tr>
</table>
<input type='hidden' name='edited_profile' value='true' />
<input type='hidden' name='csrf' value='<?php echo $h->csrfToken; ?>' />
</form>
</div>
<div id="profile_bio">
<table>
<tr><td>Full Name: </td><td><?php echo $profile['fname']; ?> <?php echo $profile['lname']; ?></td></tr>
<tr><td>E-mail: </td><td><?php echo $profile['email']; ?></td></tr>
<tr><td>Twitter: </td><td><a href="<?php echo $profile['twitter']; ?>"> <?php echo $profile['twitter']; ?></a></td></tr>
<tr><td>Website: </td><td><a href="<?php echo $profile['website']; ?>"> <?php echo $profile['website']; ?></a></td></tr>
<tr><td>About Me: </td><td><?php echo $profile['bio']; ?></td></tr>
<tr><td>Profile Type: </td><td><?php echo $profile['type']; ?></td></tr>
</table>
</div>
Don't know which line is line 70, but I can see you haven't escaped the quotes in selected="selected" on the profile type line.
angolanmade
03-08-2010, 03:27 AM
Line 70 is exactly this:
<tr><td>Profile Type: </td><td> <select name="type"> <?php $profile_types = array("Player","Coach","Referee","Media","Fan","Other"); foreach($profile_types as $profile_type) { if( $profile_type == $profile['type']) echo "<option value=\"$profile_type\" selected=\"selected\">$profile_type</option>"; else echo "<option value=\"$profile_type\" >$profile_type</option>"; } ?> </select> </td></tr>
I think I solved the issue by using the escape characters, as they were missing in @ties' suggestion.
Thank you again!
Don't know which line is line 70, but I can see you haven't escaped the quotes in selected="selected" on the profile type line.
sry my bad
angolanmade
04-14-2010, 03:00 AM
I just noticed that after adding these extra fields to a user profile page, if I click on the profile of a user who has yet to update/modify their profile fields I get the following notices with debug mode on. If I then click on edit profile and edit any of the fields, the notices disappear. Any suggestions?
Full Name:
Notice: Undefined index: fname in /content/themes/new-buzz/users_profile.php on line 47
Notice: Undefined index: lname in /content/themes/new-buzz/users_profile.php on line 47
E-mail:
Notice: Undefined index: email in /content/themes/new-buzz/users_profile.php on line 48
Twitter:
Notice: Undefined index: twitter in /content/themes/new-buzz/users_profile.php on line 49
Website:
Notice: Undefined index: website in /content/themes/new-buzz/users_profile.php on line 50
About Me: No introduction yet.
Profile Type:
Notice: Undefined index: type in /content/themes/new-buzz/users_profile.php on line 52
Those lines are in reference to this particular code
<div id="profile_bio">
<table>
<tr><td>Full Name: </td><td><?php echo $profile['fname']; ?> <?php echo $profile['lname']; ?></td></tr>
<tr><td>E-mail: </td><td><?php echo $profile['email']; ?></td></tr>
<tr><td>Twitter: </td><td><a href="<?php echo $profile['twitter']; ?>"> <?php echo $profile['twitter']; ?></a></td></tr>
<tr><td>Website: </td><td><a href="<?php echo $profile['website']; ?>"> <?php echo $profile['website']; ?></a></td></tr>
<tr><td>About Me: </td><td><?php echo $profile['bio']; ?></td></tr>
<tr><td>Profile Type: </td><td><?php echo $profile['type']; ?></td></tr>
</table>
</div>
Take a look at this post (http://hotarucms.org/showthread.php?226-Adding-Extra-Profile-Fields&p=2519&viewfull=1#post2519) I added to the documentation recently.
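For the drop-down and the "Undefined index" notices discussed above, an added example that is not from the thread or from Hotaru CMS: it gives every expected profile key a default, accepts a submitted type only if it is one of the rendered options, and builds the select with single-quoted strings so the selected="selected" quotes need no backslashes. The function names and sample inputs are hypothetical.

```php
<?php
// Added example: function names and sample arrays are hypothetical.

$profile_types  = array('Player', 'Coach', 'Referee');
$profile_fields = array('fname', 'lname', 'email', 'twitter', 'website', 'bio', 'type');

/** Give every expected key a value so templates never hit an undefined index. */
function profile_with_defaults(array $profile, array $fields)
{
    return array_merge(array_fill_keys($fields, ''), $profile);
}

/** Accept a submitted type only if it is one of the options that were rendered. */
function validate_profile_type($submitted, array $allowed)
{
    return in_array($submitted, $allowed, true) ? $submitted : '';
}

/** Render the <select>, escaping each value and marking the saved one. */
function render_type_select($current, array $allowed)
{
    $html = '<select name="type">';
    foreach ($allowed as $type) {
        $safe     = htmlspecialchars($type, ENT_QUOTES, 'UTF-8');
        $selected = ($type === $current) ? ' selected="selected"' : '';
        $html    .= '<option value="' . $safe . '"' . $selected . '>' . $safe . '</option>';
    }
    return $html . '</select>';
}

// Constructed inputs: a user who never edited the profile, then two submitted values,
// the first of which is not in the option list.
$profile = profile_with_defaults(array(), $profile_fields);
$profile['type'] = validate_profile_type('Owner', $profile_types);
echo render_type_select($profile['type'], $profile_types), "\n";
$profile['type'] = validate_profile_type('Coach', $profile_types);
echo render_type_select($profile['type'], $profile_types), "\n";
```

A browser only offers the listed options, but the POST body can carry any string, so the server-side allowlist check is what actually constrains the stored value.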