Serverside validating form block

Hello,

This is a server side validating form block I wrote for my contact page (for C 5.4.0.5 which I use now).

I didn't want to "waste" time writing this but I ended up wasting about 4 days searching for one and testing to no avail. I did find a contact_form block, but I think it was for some old version or something; I just couldn't make it install.
Note that I am a first-time user of C5; it's only been a few weeks since I migrated my site from Joomla, and my contact page was one of the things that needed a quick and urgent fix.

I don't know about others, but even with reCaptcha (on the Joomla version) I was still getting quite a bit of spam through that page. I used ChronoForms for that case, which provided server side validation, but I couldn't find anything that would do the same for the latest C5.

So I ended up taking the form block and adding validation to it.

I didn't delete the logging I used, but it is commented, just in case I or anybody else needs it. Feel free to remove that.
Also, I renamed whatever needed to be renamed in order to make the new block work OK. I tried to do the minimal renaming, so you won't be able to use this block with the form block on the same page, as they will share the questions (well, not in DB but in $_POST, at request time). Of course, this issue only kicks in if for some reason the form does not get submitted (error in validation or required field not filled in), in which case both forms (form and validating_form) on the page will share and display the same data. I tested, wanted to fix, but in the end there were too many things to be changed.

BIG NOTE: this note should probably be a bug report: some of the table names in the block are hardcoded instead of using the defined constants. I obviously had to fix this in order to make things "right". So if somebody from the core would like to port those fixes ...

The validation is done by calling the PHP eval() function. The variable $message is created prior to that for easy/short access to the actual message to be validated.
No <? ?> is required in the validation code. Everything else regarding eval() should be taken into consideration to minimize or even eliminate the possibility of injection attacks. In my case, I am the only person able to create forms on my server so this is not an issue, but if you allow your users to create validating forms ... better wait for the next version or write some sanitizing code yourself.
I did add a note where the sanitization should be done in case anybody else finds the time to do it. Don't count on me though, as I'm very busy. I have had a project waiting for me to start on it for almost 2 years, so consider this block as-is with no planned updates on my part in the near future. Though fixes are welcome :)

How to use: create your form as you would normally do. When you add a question you'll find an extra text field, Validation code, where you can enter your desired PHP code to do the validation.
If you consider that validation was successful, then do nothing. If you consider it failed, return a proper error message.

If anybody knows a working way to get the PHP error/warning messages from eval(), I'd be grateful (yes, this is the first time I've used eval() and yes, I'm a rather noob PHP developer. But I do have extensive development experience).

Long story short, find the patch between validating_form and form blocks plus the validating_form block zip attached.

If you find any bugs, don't hesitate to let me know. I make time for those :)

2 Attachments

ciuly
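
An added example, not part of the original post or the attached block: one way to keep the per-question contract described above (nothing returned on success, an error message on failure) without passing the stored "Validation code" field to eval(), by storing rule names with an optional numeric argument instead of PHP code. The rule names, the `name:arg` spec format and both function names are assumptions made for illustration, and the code assumes PHP 7.4 or later.

```php
<?php
// Added example with hypothetical names; not code from the validating_form block.
// Each rule gets the submitted $message and an optional argument, and returns
// null on success or an error string on failure (the contract the post uses).
function validation_rules(): array
{
    return [
        'required'  => fn(string $m, ?string $a) => trim($m) === '' ? 'This field is required.' : null,
        'max_len'   => fn(string $m, ?string $a) => strlen($m) > (int) $a ? "At most $a bytes allowed." : null,
        'email'     => fn(string $m, ?string $a) => filter_var($m, FILTER_VALIDATE_EMAIL) === false
                           ? 'Enter a valid e-mail address.' : null,
        'max_links' => fn(string $m, ?string $a) => preg_match_all('~https?://~i', $m) > (int) $a
                           ? 'Too many links in the message.' : null,
    ];
}

// Run a stored spec such as "required\nmax_len:2000" against $message.
// The spec is treated as data only: nothing in it is ever executed.
// Unknown rule names and non-numeric arguments fail closed with a generic
// error, so a malformed spec can never let a submission through.
function validate_message(string $spec, string $message): ?string
{
    $rules = validation_rules();
    foreach (preg_split('/\R/', trim($spec), -1, PREG_SPLIT_NO_EMPTY) as $line) {
        [$name, $arg] = array_pad(explode(':', trim($line), 2), 2, null);
        if (!isset($rules[$name]) || ($arg !== null && !ctype_digit($arg))) {
            return 'Form misconfigured: invalid validation rule.';
        }
        $error = $rules[$name]($message, $arg);
        if ($error !== null) {
            return $error; // first failing rule wins
        }
    }
    return null; // every rule passed
}

// Constructed sample input: one clean message, one with too many links,
// and one spec where a form creator tried to store PHP code.
$spec = "required\nmax_len:2000\nmax_links:1";
var_dump(validate_message($spec, 'Hello, please call me back.'));
var_dump(validate_message($spec, 'See http://a.example and http://b.example'));
var_dump(validate_message('system("id");', 'Hello'));
```

Error strings returned this way are built only from fixed text and a digits-only argument, but they should still be HTML-escaped when the form is redisplayed.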