
Form Questions

Best way to handle forms when Form fields don't 1:1 match DataObject fields?


vwd

9 January 2014 at 4:31pm Community Member, 159 Posts

Hi,

Just wondering how I would go about implementing the following functionality with a SilverStripe form:

  • A form generated & handled by SilverStripe
  • But some fields contain sensitive information and are not to be written into the DB directly.
  • This set of sensitive fields are to be combined into an XML file format, encrypted and then stored in a separate (DB) field (either text or DBField blob subclass)

So a couple of questions:

  • What is the best way to handle the situation when the Form Fields don't 1:1 match the DataObject fields that I'm saving into?
  • I understand that most of what I would want to do is in the form action/submit handler and that I won't be simply able to do a $form->saveInto($myDataObject).

So for example:

SensitiveData DataObject fields:

  • Name: Varchar
  • Email: Varchar
  • EncryptedData: Text or Blob

SensitiveDataForm fields:

  • Name: TextField
  • Email: EmailField
  • SensitiveField1: Text
  • SensitiveField2: Text
  • SensitiveField3: Int

Could I:

  • In my submit handler, first call saveInto(….)
  • Then go through process/encrypt SensitiveFields and manually save into the SensitiveData->EncryptedData?

Eg.

   <?php
   class SensitiveDataForm_Controller extends Page_Controller {
      // ...
      function doSubmitJob($data, $form) {
         $sensData = new SensitiveData();   // Sensitive
         $form->saveInto($sensData);
         $sensData->EncryptedData = encryptSensitiveFormFields($form);   // some function that processes & encrypts the appropriate form fields
         $sensData->write();
         // … continue on with form submit handler processing
      }
   }

Is this the best way to go about what I'm trying to achieve? Does DataObject->write() properly escape all the data for SQL-injection etc?

Thanks.
VWD

Willr

11 January 2014 at 5:40pm Forum Moderator, 5511 Posts

Yes that would be the way to go about it. DataObject::write() won't escape the data in the database, however SilverStripe will escape the data if you use it in any filter() or exclude() methods.