I've attempted to add extra profile fields following the tutorial found here: http://hotarucms.org/showthread.php?...profile+fields
Everything works fine, except that when I click save the inputted web address doesn't actually save.
Okay I got it to save by changing
$profile['website'] = $h->cage->post->testUri('website');
to
$profile['website'] = $h->cage->post->getHtmLawed('website');
Is this the right way of doing this?
If it doesn't save, it's probably not a valid URI, and the function testUri('website') will return false instead of the URI.
To save any type of input you can use getRaw('website');
getHtmLawed('website'); is used for cleaning up HTML code. It might work, but I don't think it's the way to go.
Last edited by ties; 03-05-2010 at 12:14 AM.
testUri needs a full URL with http:// on the front. As ties said, if it doesn't work then it's not parsing as a valid URL. getHtmLawed is the best alternative because it sanitizes the data.
htmLawed:
use to filter, secure & sanitize HTML in blog comments or forum posts, generate XML-compatible feed items from web-page excerpts, convert HTML to XHTML, pretty-print HTML, scrape web-pages, reduce spam, remove XSS code, etc.
Ok, but the demo @ http://www.bioinformatics.org/phplab...ties/htmLawed/ didn't do much for a string without the http://
so I'm confused...
I'd do this if you really want the http://
Code:
$profile['website'] = 'http://' . preg_replace('/^(http:\/\/)/', '', trim($h->cage->post->getRaw('website')));
then (because some ppl just don't get it):
HTML Code:
<tr><td>Website: </td><td>http://<input type="text" name="website" value="<?php echo $profile['website']; ?>"></td></tr>
But maybe I'm just stubborn...
Last edited by ties; 03-05-2010 at 12:52 AM.
Sorry ties, but my advice is still: Never use getRaw.
This from Coppermine Gallery, another script that uses Inspekt:
"Care should be taken to as far as possible not use the getRaw() method - if it is used then please comment profusely as to why it is safe to use getRaw in the given circumstances (e.g.: the same value was tested against a regex before fetching or the value is sanitized immediately after getting). If there is a case where getRaw() cannot be avoided but is still unsafe please comment on possible solutions. Once again - the final aim is to NOT use getRaw() at all."
A hacker could register for your site, input some malicious code in the profile website field and who knows what might happen?
that sounds like a good argument
it's far more complicated than I thought...
maybe this is a solution, after doing some research:
Code:
$url = 'example.com';
if (filter_var($url, FILTER_VALIDATE_URL))
    echo $url;
else if (filter_var('http://' . $url, FILTER_VALIDATE_URL))
    echo 'http://' . $url;
where url can be your sanitized data, for the (good) sake of safety
Last edited by ties; 03-05-2010 at 01:40 PM.
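The approach from the post above (try the value as-is, then with http:// prepended), extended as an added example that is not from the thread or from HotaruCMS: it also restricts the scheme to http/https, because FILTER_VALIDATE_URL accepts other schemes, and escapes the value when it is printed. normalize_profile_url() and profile_link() are hypothetical names, and the input is assumed to be the raw string posted in the website field.

```php
<?php
// Added example, not HotaruCMS code. Function names are hypothetical.

// Return a normalized http(s) URL, or false when the input cannot be one.
function normalize_profile_url($input)
{
    $url = trim((string) $input);
    if ($url === '') {
        return false;
    }

    // Prepend http:// only when no scheme is present ("example.com").
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
        $url = 'http://' . $url;
    }

    // Syntax check. FILTER_VALIDATE_URL does not restrict the scheme,
    // so it is not enough on its own for a value that ends up in an href.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // Allow-list the scheme and require a host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    return $url;
}

// Escape at output time, whatever was done when the value was stored.
function profile_link($url)
{
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" rel="nofollow">' . $safe . '</a>';
}

// Constructed sample inputs.
$samples = array('example.com', 'https://example.org/me?a=1&b=2',
                 'javascript://example.com/', 'ftp://example.com/f', 'not a url');
foreach ($samples as $raw) {
    $url = normalize_profile_url($raw);
    echo $raw, ' => ', ($url === false ? 'rejected' : profile_link($url)), "\n";
}
```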
I'm trying to add a drop-down list as one of the extra profile fields. I'm having a little bit of trouble getting this field to save; I'm pretty sure it has something to do with the select name code.
Here's what I have in the edit_profile.php:
Code:
$profile['fname'] = $h->cage->post->getHtmLawed('fname');
$profile['lname'] = $h->cage->post->getHtmLawed('lname');
$profile['email'] = $h->cage->post->getHtmLawed('email');
$profile['type'] = $h->cage->post->getHtmLawed('type');
$profile['twitter'] = $h->cage->post->testUri('twitter');
$profile['website'] = $h->cage->post->testUri('website');
$profile['bio'] = sanitize($h->cage->post->getHtmLawed('bio'), 'all');
And here is what I have in the profile.php file
Code:
<tr><td>First Name: </td><td><input name="fname" type="text" value="<?php echo $profile['fname']; ?>" size="35"></td></tr>
<tr><td>Last Name: </td><td><input name="lname" type="text" value="<?php echo $profile['lname']; ?>" size="35"></td></tr>
<tr><td>E-mail: </td><td><input name="email" type="text" value="<?php echo $profile['email']; ?>" size="35"></td></tr>
<tr><td>Twitter: </td><td><input name="twitter" type="text" value="<?php echo $profile['twitter']; ?>" size="35"></td></tr>
<tr><td>Website: </td><td><input name="website" type="text" value="<?php echo $profile['website']; ?>" size="35"></td></tr>
<tr><td>About Me: </td><td><textarea cols=35 rows=3 name='bio'><?php echo $profile['bio']; ?></textarea></td></tr>
<tr><td>Profile Type: </td><td>
<select name=""><option value="Player">Player</option><option value="Coach">Coach</option><?php echo $profile['type']; ?> </select>
</td></tr>
Code:
<div id="profile_bio">
<table>
<tr><td>Full Name: </td><td><?php echo $profile['fname']; ?> <?php echo $profile['lname']; ?></td></tr>
<tr><td>E-mail: </td><td><?php echo $profile['email']; ?></td></tr>
<tr><td>Twitter: </td><td><a href="<?php echo $profile['twitter']; ?>"> <?php echo $profile['twitter']; ?></a></td></tr>
<tr><td>Website: </td><td><a href="<?php echo $profile['website']; ?>"> <?php echo $profile['website']; ?></a></td></tr>
<tr><td>Type: </td><td><?php echo $profile['type']; ?></td></tr>
<tr><td>About Me: </td><td><?php echo $profile['bio']; ?></td></tr>
</table>
</div>
Last edited by angolanmade; 03-08-2010 at 02:23 AM.
Does this help?
Code:
<select name="type">
<?php
$profile_types = array("Player", "Coach");
foreach ($profile_types as $profile_type) {
    if ($profile_type == $profile['type'])
        echo "<option value=\"$profile_type\" selected=\"selected\">$profile_type</option>";
    else
        echo "<option value=\"$profile_type\" >$profile_type</option>";
}
?>
</select>
Edited: made a typo
Edited 2: if you want to add profile type you can easily increase the array like this
Code:
$profile_types = array("Player","Coach","Supporter","Referee","Another Type"); // etc etc etc
Last edited by ties; 03-08-2010 at 02:19 AM.
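The drop-down only limits what a browser offers, so the posted value still needs a server-side check before it is saved. As an added example (not from the thread or from HotaruCMS; all function names are hypothetical), one list can drive both the rendered select and an allow-list check on the submitted value:

```php
<?php
// Added example, not HotaruCMS code. Function names are hypothetical.

// One list drives both the rendered <select> and the server-side check.
function profile_types()
{
    return array('Player', 'Coach');
}

// Accept the posted value only if it is exactly one of the known types;
// anything else falls back to the default instead of being stored.
function validate_profile_type($posted, $default = 'Player')
{
    return in_array($posted, profile_types(), true) ? $posted : $default;
}

// Build the drop-down with the stored value preselected.
function render_type_select($current)
{
    $html = '<select name="type">';
    foreach (profile_types() as $type) {
        $value = htmlspecialchars($type, ENT_QUOTES, 'UTF-8');
        $selected = ($type === $current) ? ' selected="selected"' : '';
        $html .= "<option value=\"$value\"$selected>$value</option>";
    }
    return $html . '</select>';
}

// Constructed inputs: a listed value and one that is not in the list.
foreach (array('Coach', '<b>Admin</b>') as $posted) {
    $type = validate_profile_type($posted);
    echo $type, "\n", render_type_select($type), "\n";
}
```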