Multipart forms and getDataFromInput method (pnObjectUtil) :: Zikula Community

Get Zikula 1.3.3!New core, modules & more

Quick Links

Donate Today!Support your Software

Documentationlearn, share & develop

Watch

GitHub Core

Show your support for Zikula! Sign up at Github account and watch the Core project!

GitHub Modules

Forum Activity

internetking created topic »password problem« 25. May
mesteele101 responded to »ERR (3): E_USER_ERROR: Smarty error: [in pagesvar:pagesitem2en line XXX]…« 25. May
mazdev responded to »Pages 2.5.0 and updating - Page not found« 25. May
ehdwma created topic »Hide "Register new account" and change template to 3 col« 25. May
mesteele101 responded to »Zikula 1.3.3 - Selecting a category in Pages not working« 25. May
mdee created topic »How to implement returnpage ?« 25. May
nestormateo responded to »Fillters in Clip« 24. May

» Visit forum | » View latest posts

Zikula Blog

Anatomy of Open Source Projects on Mar 07
Continuous Review on Mar 01
Not Invented Here on Feb 24
How to Contribute Your Code at Github on Jan 13
10 Steps to Coding-Nirvana: Tips for Successful Module Writing on Nov 12
Submitting Bug Report Tickets That Get Results on Aug 17
Cozi Tricks #1: Syntax Highlighting on Aug 07

Multipart forms and getDataFromInput method (pnObjectUtil)

Print topic

uheweb

Rank: Helper

Registered: Sep 16, 2004

Last visit: Oct 21, 2009

Posts: 731
Posted: Aug 07, 2007 - 11:21 PM

An object in a module that has some database data and an image file (saved on the server), I had the data portion working fine with PNObjectUtil. The form submitted, the class initiated and a call to getDataFromInput() fetched the data and allowed some postprocessing and an eventual object save.

THEN added an input type FILE, and thereby had to change the form type to multipart/form-data rather than application/x-www-form-urlencoded

As soon as I did this - changing nothing else - the getDataFromInput() would return an empty array. It seems it cannot parse a multipart form to populate the objects data. print_r on the object shows the _objData array is empty. Just by changing back to urlencoded, then the print_r outputs all the forms data in the _objData array.

Is this a bug or a new security feature to disallow multipart forms? The same exact files work in a .764-Openstar module using the comparable v4bObjectUtil calls substituted for the PNObjectUtil ones.

Anyone else run into this or know why getDataFromInput will not pull data from a multipart form?

Thanks for any insight or clarification...!

OR Is there a way to include a FILE in a urlencoded form? I tried this and can't manipulate the file afterwards and it doesn't have all the subfields in the file array.

NCM
UHEweb

EDIT - This is .800 RC1 of course

edited by: uheweb, Aug 08, 2007 - 04:21 AM
uheweb

Rank: Helper

Registered: Sep 16, 2004

Last visit: Oct 21, 2009

Posts: 731
Posted: Aug 07, 2007 - 11:57 PM

Ok...differences between v4b and PN objectutils:

PN - function &getDataFromInput ($key=null, $default=null, $source='REQUEST')

v4B - function &getDataFromInput ($key=null, $default=null, $source=null)

If I change the PN $source parameter to null, it allows PNObjectUtil to grab the form variables even with a multipart form. Assuming I can pass a parameter other than 'REQUEST' in the getDataFromInput call to override...should I use null? Or does the source relate to the HTTP method - POST, GET, etc.?

Ideas?

Thanks,

NCM
UHEweb
uheweb

Rank: Helper

Registered: Sep 16, 2004

Last visit: Oct 21, 2009

Posts: 731
Posted: Aug 08, 2007 - 12:11 AM

Alright, well, it allows all form variables but the FILE type through. I can't get it to pass through the FILE data.

It will process the whole thing, save it to the database, just ignores all my upload code as it doesn't even see a file in the input. I've tried using $_FILES (in a getDataFromInputPostProcess routine) and reading it like a normal object variable - no luck.

Anything in FormUtil or similar I should be looking at?

Anyone else have an upload in a PNObject class that's working in a module?

Thanks!

NCM
UHEweb
cyber_wolf

Rank: Developer

Registered: Jun 03, 2002

Last visit: Dec 21, 2009

Posts: 284
Posted: Aug 08, 2007 - 01:19 AM

uheweb,

I'm at work right now and don't have my code in front of me, but I'm working on a module with upload function and use something like this and it has been working for me....

Code
$image = FormUtil::getPassedValue('image', isset($args['image']) ? $args['image'] : null, 'FILE');

Give that a try.

Thanks,
cyber_wolf

--
cyber_wolf
www.bkbsolutions.com - My Zikula module development site.
uheweb

Rank: Helper

Registered: Sep 16, 2004

Last visit: Oct 21, 2009

Posts: 731
Posted: Aug 08, 2007 - 06:53 AM

Cyber_wolf,

Have been trying that, too. Thanks for the hint.

Come to find out - I decided to clean up my code somewhat, and magically its working now. In the getDataFromInputPostProcess routine for the pic object, I use:

Code
$uploadFile = (isset($_FILES['imgfile']['name']) ? $_FILES['imgfile']['name'] : null);

Then, perform my security checks on the file (mimetype, filext, size, etc.), generate a random name, place it in the filesystem (as 644), and then pass the generated filename back to the object data.

Strange what happens when you clean house a little bit

Thanks,

NCM
UHEweb
Guite

Rank: Team Member

Registered: Jan 19, 2003

Last visit: Apr 06, 2010

Posts: 442
Posted: Aug 08, 2007 - 07:15 AM

It is recommended to use FormUtil::getPassedValue() as suggested by cyber_wolf since it cleans the input.

--
Guite | ModuleStudio
uheweb

Rank: Helper

Registered: Sep 16, 2004

Last visit: Oct 21, 2009

Posts: 731
Posted: Aug 08, 2007 - 07:36 AM

True, but my security routine for the file data array is fairly rigorous - checking several of the imgfile properties, name, ext, mimetype, GD check (to make sure its an image and GD can manipulate it).

So, probably should but not too worried about it.

Will getPassedValue clean a value that is a file data array? As in check the strings of all the properties? How does it know that it is a file array, and not just a single string?

Thanks for the reminder.

NCM
UHEweb

EDIT - ahhh...is that what the 'FILE' parameter is for? So that it knows to clean the entire file data array?

edited by: uheweb, Aug 08, 2007 - 12:37 PM
rgasch

Rank: Team Member

Registered: Jan 05, 2003

Last visit: May 28, 2010

Posts: 775
Posted: Aug 08, 2007 - 08:56 AM

Quote
Will getPassedValue clean a value that is a file data array?

Yes. FormUtil::getPassedValue is recursive-array safe.

Greetings
R
uheweb

Rank: Helper

Registered: Sep 16, 2004

Last visit: Oct 21, 2009

Posts: 731
Posted: Aug 08, 2007 - 05:33 PM

Thanks Rgasch for the clarification.

NCM
UHEweb