Best way to handle forms when Form fields don't 1:1 match DataObject fields?


2 Posts   417 Views

vwd

Community Member, 160 Posts

9 January 2014 at 4:31pm

Hi,

Just wondering how I would go about implementing the following functionality with a SilverStripe form:

  • A form generated & handled by SilverStripe
  • But some fields contain sensitive information and are not to be written into the DB directly.
  • This set of sensitive fields is to be combined into an XML file format, encrypted and then stored in a separate (DB) field (either text or DBField blob subclass)

So a couple of questions:

  • What is the best way to handle the situation when the Form Fields don't 1:1 match the DataObject fields that I'm saving into?
  • I understand that most of what I would want to do is in the form action/submit handler and that I won't simply be able to do a $form->saveInto($myDataObject).

So for example:

SensitiveData DataObject fields:

  • Name: Varchar
  • Email: Varchar
  • EncryptedData: Text or Blob

SensitiveDataForm fields:

  • Name: TextField
  • Email: EmailField
  • SensitiveField1: Text
  • SensitiveField2: Text
  • SensitiveField3: Int

Could I:

  • In my submit handler, first call saveInto(….)
  • Then go through, process/encrypt the SensitiveFields and manually save into SensitiveData->EncryptedData?

Eg.

   <?php
   class SensitiveDataForm_Controller extends Page_Controller {
      // ...
      function doSubmitJob($data, $form) {
         $sensData = new SensitiveData();   // Sensitive
         $form->saveInto($sensData);
         $sensData->EncryptedData = encryptSensitiveFormFields($form);   // some function that processes & encrypts the appropriate form fields
         $sensData->write();
         // … continue on with form submit handler processing
      }
   }

Is this the best way to go about what I'm trying to achieve? Does DataObject->write() properly escape all the data for SQL-injection etc?

Thanks.
VWD

Willr

Forum Moderator, 5513 Posts

11 January 2014 at 5:40pm

Yes, that would be the way to go about it. DataObject::write() won't escape the data in the database; however, SilverStripe will escape the data if you use it in any filter() or exclude() methods.
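
One way the "combine into XML, encrypt, store in one field" step from the question could look, as an added example that is not part of either post. It assumes PHP 7.2+ with the sodium and DOM extensions; the function names and the array-based signature (taking the handler's $data rather than $form) are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.2+ with ext-sodium and ext-dom.

/** Serialise the named fields to XML, encrypt, and return base64 suitable for a Text column. */
function encryptSensitiveFields(array $data, array $fieldNames, string $key): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('SensitiveData'));
    foreach ($fieldNames as $name) {
        $el = $doc->createElement($name); // names come from the developer's list, never from user input
        // createTextNode escapes <, > and & so submitted values cannot alter the XML structure
        $el->appendChild($doc->createTextNode((string) ($data[$name] ?? '')));
        $root->appendChild($el);
    }
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce for every record
    $cipher = sodium_crypto_secretbox($doc->saveXML(), $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/** Reverse of the above; throws if the stored value was truncated or modified. */
function decryptSensitiveFields(string $stored, string $key): array
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('Malformed EncryptedData value');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $xml   = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($xml === false) {
        throw new RuntimeException('EncryptedData failed authentication');
    }
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $out = [];
    foreach ($doc->documentElement->childNodes as $node) {
        $out[$node->nodeName] = $node->textContent;
    }
    return $out;
}

// Constructed sample input standing in for the $data array a form handler receives.
$key  = sodium_crypto_secretbox_keygen(); // demo only; a real key is loaded from outside the DB
$data = ['Name' => 'Alice', 'Email' => 'alice@example.com',
         'SensitiveField1' => 'a <b> & c', 'SensitiveField2' => 'secret', 'SensitiveField3' => 42];
$blob = encryptSensitiveFields($data, ['SensitiveField1', 'SensitiveField2', 'SensitiveField3'], $key);
var_dump(decryptSensitiveFields($blob, $key)['SensitiveField1'] === 'a <b> & c');
```

The returned string is what would be assigned to EncryptedData before write(); values read back from XML are strings, so SensitiveField3 needs casting to int after decryption.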