FuelPHP Forums

$view->set() method does not escape related ORM object.
  • Hello.
    I'm using the Smarty template engine. It does not escape parameters automatically by default.
    Then I wrote a wrapper class for it.

    I hope to escape all strings.
    But ORM relation data is not escaped by the safe() method.

    ---------------------
    Data
    ---------------------
    <tbl_users>
    id=1
    name=<h1>USER
    office_id=1

    <tbl_office>
    id=1
    office_name=<h1>OFFICE

    ---------------------
    ViewModel Instance
    ---------------------
    class View_Test extends ViewModel_Wrapper
    {
    ....
           $users = Model_Users::find( $id );

            // $users is ORM instance.
            // It contains related data.
            // ex) $user->office->office_address .

            $datas[ 'users' ] = $users;

            return self::forge( 'View_Test' )->set_data( $datas );

    }

    ---------------------
    ViewModel Wrapper
    ---------------------
    class ViewModel_Wrapper extends \Fuel\Core\ViewModel
    {
        ...
        public function view()
        {
            // Escape tags.
            $this->_view->set($data);
        }
    }

    -----------------------------
    Template
    -----------------------------
    1) user_name: {$user->name}
    2) office_name : {$user->office->name}

    -----------------------------
    Result
    -----------------------------
    1) user_name: <h1>USER
    2) office_name: OFFICE

    ----------------------------------------------------------------

    Can I escape related ORM data?

  • I found a reason.
    The ORM related data does not appear unless it is accessed via its property.

    1) <ViewModel> Get "$users" ORM instance list.
    2) <ViewModel> Escape "$users" by "$view->set()".
    3) <View> "$users" is exploded to HTML.

    At step 2), the "$user->office" property is not accessed.
    The args for View don't contain "$user->office", so "$view->set()" cannot escape "$user->office".

    I think that's a slightly wrong system.
    I wonder why ORM objects don't contain related objects the first time?

  • "I wonder why ORM objects don't contain related objects first time?"

    I think it's so as not to decrease performance.
  • Correct. If you need something, fetch it explicitly. No need to run potentially gigantic queries if it's not needed.

    As for ORM objects, and passing data to a view: set() always encodes anything, unless you use false as third parameter. set_safe() doesn't encode anything (it's an alias for set() with false).

    As encoding always changes the value (if there is something to encode), it will modify your ORM properties, so if you do that, don't use the object elsewhere, and certainly not save it. This is because objects are passed by reference in PHP, so once you change one, you change them all.

    As a workaround, you can pass:

    (object) $ormobject->to_array();

    which will convert the properties to an array first, and then to a stdClass.
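The two points made in that answer (the escaping mutates the ORM object itself because PHP objects are handles, and a shallow set() never reaches a relation that is only exposed through a property) can be reproduced with plain PHP objects. The following is an added example written for this page; it is not code from the thread or from FuelPHP. The `$user`/`$office` data is constructed to mirror the post, `escape_shallow()` stands in for a set() that walks only the top level, and `escape_deep()` is a hypothetical helper that does what the `(object) $ormobject->to_array()` workaround achieves: it copies the object graph into arrays before escaping, so the original objects are never written to and the relation is covered as well.

```php
<?php
// Added example, not FuelPHP code. Models the forum scenario with stdClass
// objects so it runs stand-alone without the Orm package.

// Constructed sample data mirroring tbl_users / tbl_office from the post.
$office = new stdClass();
$office->id = 1;
$office->office_name = '<h1>OFFICE';

$user = new stdClass();
$user->id = 1;
$user->name = '<h1>USER';
$user->office = $office;   // relation, only reachable through a property

// Hypothetical stand-in for a set() that escapes only the top-level
// properties. Objects are handles in PHP, so this writes into the very
// object the caller still holds (the pitfall described in the answer),
// and it never descends into $user->office.
function escape_shallow(stdClass $obj): stdClass
{
    foreach (get_object_vars($obj) as $key => $value) {
        if (is_string($value)) {
            $obj->$key = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
    }
    return $obj;
}

// Hypothetical helper that mirrors the to_array() workaround: get_object_vars()
// copies the properties into an array, arrays are value types, and the result
// is cast back to stdClass. The caller's objects are left untouched and nested
// relations (here the office) are escaped too.
function escape_deep(mixed $value): mixed
{
    if (is_object($value)) {
        return (object) escape_deep(get_object_vars($value));
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = escape_deep($item);
        }
        return $value;
    }
    return is_string($value)
        ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        : $value;
}

// Deep copy first: both the user and the related office come back encoded,
// while $user and $office still hold the raw database values.
$safe = escape_deep($user);
echo "deep   user.name         : ", $safe->name, "\n";
echo "deep   user.office.name  : ", $safe->office->office_name, "\n";
echo "orig   user.name         : ", $user->name, "\n";
echo "orig   user.office.name  : ", $user->office->office_name, "\n";

// Shallow escape second: $user itself is now modified (do not save it
// afterwards), and the related office was never touched.
escape_shallow($user);
echo "after shallow user.name        : ", $user->name, "\n";
echo "after shallow user.office.name : ", $user->office->office_name, "\n";
```

Running the script shows the encoded values on the `deep` lines with the `orig` lines still raw, then the `after shallow` lines where the user's own name has been rewritten in place but the office name has not. Whether a real `Orm\Model::to_array()` call includes a given relation depends on whether that relation was loaded; the point here is only that escaping a copy, rather than the live object, is what keeps the ORM instance safe to reuse.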
