

Best way to handle forms when Form fields don't 1:1 match DataObject fields?


Go to End
Reply


2 Posts   586 Views

vwd

Community Member, 161 Posts

9 January 2014 at 4:31pm

Hi,

Just wondering how I would go about implementing the following functionality with a SilverStripe form:

  - A form generated & handled by SilverStripe
  - But some fields contain sensitive information and are not to be written into the DB directly.
  - This set of sensitive fields are to be combined into a XML file format, encrypted and then stored in a separate (DB) field (either text or DBField blob subclass)

So a couple of questions:

  - What is the best way to handle the situation when the Form Fields don't 1:1 match the DataObject fields that I'm saving into?
  - I understand that most of what I would want to do is in the form action/submit handler, and that I won't simply be able to do a $form->saveInto($myDataObject).

So for example:

SensitiveData DataObject fields:

  - Name: Varchar
  - Email: Varchar
  - EncryptedData: Text or Blob

SensitiveDataForm fields:

  - Name: TextField
  - Email: EmailField
  - SensitiveField1: Text
  - SensitiveField2: Text
  - SensitiveField3: Int

Could I:

  - In my submit handler, first call saveInto(...)
  - Then go through and process/encrypt the SensitiveFields and manually save them into SensitiveData->EncryptedData?

Eg.

	<?php
	class SensitiveDataForm_Controller extends Page_Controller {
		// ...
		public function doSubmitJob($data, $form) {
			$sensData = new SensitiveData();	// record that will hold the plain fields plus the encrypted blob
			$form->saveInto($sensData);	// copies the fields that match DataObject columns (Name, Email)
			// encryptSensitiveFormFields() is a placeholder for some function that collects,
			// serialises and encrypts the appropriate form fields
			$sensData->EncryptedData = encryptSensitiveFormFields($form);
			$sensData->write();
			// … continue on with form submit handler processing
		}
	}

Is this the best way to go about what I'm trying to achieve? Does DataObject->write() properly escape all the data for SQL-injection etc?

Thanks.
VWD

Willr

Forum Moderator, 5521 Posts

11 January 2014 at 5:40pm

Yes, that would be the way to go about it. DataObject::write() won't escape the data in the database, however SilverStripe will escape the data if you use it in any filter() or exclude() methods.
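A worked version of the pattern confirmed above, added here as an example and not code from either post. It assumes SilverStripe 3.x, PHP 7.2+ with ext-sodium, the SensitiveData DataObject from the question, and a hypothetical SS_SENSITIVE_DATA_KEY environment variable holding the encryption key; the sensitive fields are removed from the form before saveInto() so only Name and Email ever reach the record, and the XML blob is encrypted with an authenticated cipher so a modified value is rejected on decrypt.

```php
<?php
// Added example, not code from the thread. Assumes SilverStripe 3.x, PHP >= 7.2 with ext-sodium, and
// a SensitiveData DataObject with Name, Email and EncryptedData (Text) fields as in the question.
// SS_SENSITIVE_DATA_KEY (hypothetical env var) holds a base64 32-byte key supplied out of band, never stored in the DB.
class SensitiveDataForm_Controller extends Page_Controller {
    // Form fields that must never get a DB column of their own.
    private static $sensitive_fields = array('SensitiveField1', 'SensitiveField2', 'SensitiveField3');

    public function doSubmitJob($data, $form) {
        $sensData = new SensitiveData();
        // Remove the sensitive fields before saveInto() so they never touch the record,
        // even if a same-named column is added to SensitiveData later.
        foreach (self::$sensitive_fields as $name) {
            $form->Fields()->removeByName($name);
        }
        $form->saveInto($sensData);  // copies Name and Email only
        $sensData->EncryptedData = self::encryptSensitiveFields($data, self::$sensitive_fields);
        $sensData->write();
        return $this->redirectBack();
    }

    // Serialise the listed fields to XML (DOM text nodes escape &, < and > for us), then encrypt
    // with an authenticated cipher (XSalsa20-Poly1305) so a tampered blob fails to open.
    public static function encryptSensitiveFields(array $data, array $names) {
        $doc = new DOMDocument('1.0', 'UTF-8');
        $root = $doc->appendChild($doc->createElement('SensitiveData'));
        foreach ($names as $name) {
            $node = $root->appendChild($doc->createElement($name));
            $node->appendChild($doc->createTextNode((string) ($data[$name] ?? '')));
        }
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = sodium_crypto_secretbox($doc->saveXML(), $nonce, self::key());
        return base64_encode($nonce . $cipher);  // the nonce is not secret; store it with the ciphertext
    }

    // Returns the XML string, or throws if the stored value was altered or the key is wrong.
    public static function decryptSensitiveFields($encoded) {
        $raw = (string) base64_decode($encoded, true);
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $xml = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, self::key());
        if ($xml === false) throw new RuntimeException('EncryptedData failed authentication');
        return $xml;
    }

    private static function key() {
        $key = base64_decode((string) getenv('SS_SENSITIVE_DATA_KEY'), true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) throw new RuntimeException('bad key');
        return $key;
    }
}
```

Because EncryptedData is stored as one opaque string, the escaping question only matters for Name and Email; those still go through the normal filter()/exclude() escaping when you query on them, as the answer notes.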