Best way to handle forms when Form fields don't 1:1 match DataObject fields?


vwd

Community Member, 166 Posts

9 January 2014 at 4:31pm

Hi,

Just wondering how I would go about implementing the following functionality with a SilverStripe form:

  • A form generated & handled by SilverStripe
  • But some fields contain sensitive information and are not to be written into the DB directly.
  • This set of sensitive fields is to be combined into an XML file format, encrypted and then stored in a separate (DB) field (either text or DBField blob subclass)

So a couple of questions:

  • What is the best way to handle the situation when the Form Fields don't 1:1 match the DataObject fields that I'm saving into?
  • I understand that most of what I would want to do is in the form action/submit handler and that I won't be simply able to do a $form->saveInto($myDataObject).

So for example:

SensitiveData DataObject fields:

  • Name: Varchar
  • Email: Varchar
  • EncryptedData: Text or Blob

SensitiveDataForm fields:

  • Name: TextField
  • Email: EmailField
  • SensitiveField1: Text
  • SensitiveField2: Text
  • SensitiveField3: Int

Could I:

  • In my submit handler, first call saveInto(….)
  • Then go through process/encrypt SensitiveFields and manually save into the SensitiveData->EncryptedData?

Eg.

	<?php
	class SensitiveDataForm_Controller extends Page_Controller {
		// ...
		function doSubmitJob($data, $form) {
			$sensData = new SensitiveData();	// Sensitive
			$form->saveInto($sensData);
			$sensData->EncryptedData = encryptSensitiveFormFields($form);	// some function that processes & encrypts the appropriate form fields
			$sensData->write();
			// … continue on with form submit handler processing
		}
	}

Is this the best way to go about what I'm trying to achieve? Does DataObject->write() properly escape all the data for SQL-injection etc?

Thanks.
VWD

Willr

Forum Moderator, 5523 Posts

11 January 2014 at 5:40pm

Yes, that would be the way to go about it. DataObject::write() won't escape the data in the database; however, SilverStripe will escape the data if you use it in any filter() or exclude() methods.
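
An added example, not part of the original thread and not SilverStripe code: one way the `encryptSensitiveFormFields()` helper from the question could be written, taking the handler's `$data` array instead of `$form`. The function names, the `SENSITIVE_FIELDS` list, the XML element names and the choice of libsodium's secretbox are all assumptions.

```php
<?php
// Added example: hypothetical helpers, not SilverStripe API.
// Requires PHP 7.2+ with the bundled sodium and dom extensions.
const SENSITIVE_FIELDS = ['SensitiveField1', 'SensitiveField2', 'SensitiveField3'];

/** Serialise the sensitive form values to XML, then encrypt and authenticate them. */
function encryptSensitiveFormFields(array $data, string $key): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('SensitiveData'));
    foreach (SENSITIVE_FIELDS as $name) {
        $el = $root->appendChild($doc->createElement($name));
        // createTextNode() escapes <, > and & in user input on serialisation.
        $el->appendChild($doc->createTextNode((string) ($data[$name] ?? '')));
    }
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per record
    $cipher = sodium_crypto_secretbox($doc->saveXML(), $nonce, $key);
    return base64_encode($nonce . $cipher); // printable, fits a Text column
}

/** Reverse of the above; throws if the stored value was truncated or modified. */
function decryptSensitiveFormFields(string $stored, string $key): array
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Malformed EncryptedData value');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $xml   = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($xml === false) {
        throw new RuntimeException('EncryptedData failed authentication');
    }
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $out = [];
    foreach (SENSITIVE_FIELDS as $name) {
        $out[$name] = $doc->getElementsByTagName($name)->item(0)->textContent;
    }
    return $out;
}

// Constructed sample input; a real key would be loaded from configuration, not generated per request.
$key    = sodium_crypto_secretbox_keygen();
$posted = ['Name' => 'A', 'SensitiveField1' => 'a < b & c', 'SensitiveField2' => 'x', 'SensitiveField3' => '42'];
$stored = encryptSensitiveFormFields($posted, $key);
var_dump(decryptSensitiveFormFields($stored, $key) === array_intersect_key($posted, array_flip(SENSITIVE_FIELDS)));
```

In the submit handler from the question, the assignment would become `$sensData->EncryptedData = encryptSensitiveFormFields($data, $key);`, with `$key` kept outside the database that holds the ciphertext.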