
Best way to handle forms when Form fields don't 1:1 match DataObject fields?



Community Member, 166 Posts

9 January 2014 at 4:31pm


Just wondering how I would go about implementing the following functionality with a SilverStripe form:

  • A form generated & handled by SilverStripe
  • But some fields contain sensitive information and are not to be written into the DB directly.
  • This set of sensitive fields is to be combined into an XML file format, encrypted and then stored in a separate (DB) field (either text or DBField blob subclass)

So a couple of questions:

  • What is the best way to handle the situation when the Form Fields don't 1:1 match the DataObject fields that I'm saving into?
  • I understand that most of what I would want to do is in the form action/submit handler and that I won't simply be able to do a $form->saveInto($myDataObject).

So for example:

SensitiveData DataObject fields:

  • Name: Varchar
  • Email: Varchar
  • EncryptedData: Text or Blob

SensitiveDataForm fields:

  • Name: TextField
  • Email: EmailField
  • SensitiveField1: Text
  • SensitiveField2: Text
  • SensitiveField3: Int

Could I:

  • In my submit handler, first call saveInto(….)
  • Then go through, process/encrypt the SensitiveFields and manually save into SensitiveData->EncryptedData?


	class SensitiveDataForm_Controller extends Page_Controller {
		// ...
		function doSubmitJob($data, $form) {
			// New record that will hold the plain fields plus the encrypted blob
			$sensData = new SensitiveData();
			// Some function that processes & encrypts the appropriate form fields
			$sensData->EncryptedData = encryptSensitiveFormFields($form);
			// … continue on with form submit handler processing
		}
	}

Is this the best way to go about what I'm trying to achieve? Does DataObject->write() properly escape all the data for SQL-injection etc?



Forum Moderator, 5523 Posts

11 January 2014 at 5:40pm

Yes, that would be the way to go about it. DataObject::write() won't escape the data in the database; however, SilverStripe will escape the data if you use it in any filter() or exclude() methods.
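
The approach discussed above, as an added example that is not part of the thread and not SilverStripe's own code: plain PHP helpers (hypothetical names) that serialise the sensitive fields to XML and encrypt the result with AES-256-GCM, a cipher choice assumed here since the thread names none. It assumes PHP 7.1+ with the openssl and dom extensions, and uses a constructed `$data` array in place of a real submission.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Serialise the chosen sensitive fields to XML. Values are added as text
// nodes, so DOMDocument escapes <, > and & in user input.
function sensitiveFieldsToXml(array $data, array $fieldNames)
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('SensitiveData'));
    foreach ($fieldNames as $name) {
        $value = isset($data[$name]) ? (string) $data[$name] : '';
        $root->appendChild($doc->createElement($name))
             ->appendChild($doc->createTextNode($value));
    }
    return $doc->saveXML();
}

// AES-256-GCM with a fresh 12-byte nonce per record. The result is
// base64(nonce . tag . ciphertext), which fits a Text column.
function encryptSensitiveXml($xml, $key)
{
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($xml, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Reverse of encryptSensitiveXml(); fails closed if the stored value was altered.
function decryptSensitiveXml($stored, $key)
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $xml = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($xml === false) {
        throw new RuntimeException('Authentication failed');
    }
    return $xml;
}

// Constructed sample of the $data array a submit handler receives.
$data = array('Name' => 'Test', 'Email' => 'test@example.com',
    'SensitiveField1' => 'a <b> & c', 'SensitiveField2' => 'x', 'SensitiveField3' => 42);
$fields = array('SensitiveField1', 'SensitiveField2', 'SensitiveField3');
$key = random_bytes(32); // assumption: a real 32-byte key is loaded from outside the DB
$stored = encryptSensitiveXml(sensitiveFieldsToXml($data, $fields), $key);
echo decryptSensitiveXml($stored, $key);
```

In the submit handler, `$form->saveInto($sensData, array('Name', 'Email'))` limits the automatic copy to the plain columns; the helper output is then assigned to `$sensData->EncryptedData` before `$sensData->write()`.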