Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Fuel\Core\PhpErrorException [ Notice ]:
  • Hello there,

    I got following error when I update PHP from 5.3 to 7.0.15

    Fuel\Core\PhpErrorException [ Notice ]:
    Array to string conversion

    COREPATH/classes/form/instance.php @ line 210

    Is this a bug?

  • I solved myself.

    The reason why I am getting this error is there is needless source code that it was working in PHP 5.3.

    But, in PHP 7.0.15, I am not allowed to...

    Following source code is not working in PHP 7.0.15.

    <div class="form-group">
      <?= Form::label('limit', 'limit'); ?>
    <?= Form::input('limit',
    //Input::post('limit',isset($user['limit']) ? $user['limit']->attributes['limit'] : ''),
    array('class' => 'form-control', 'placeholder'=>'例) 100')); ?>

    As can be seen from above code, it is not necessary. 
    So, I delete that.
  • Where is this code from? Your own code? Why would you want to call Input::post() in a form, that is very bad coding practice, a View should not contain any logic.

    We develop on 7.0.18, and haven't seen any error of this kind, in any of our apps.
  • Form::input() requires a string as second argument, as per the documentation. you are passing an array here, because you've commented out the second argument.

    Now that I see what you do, it is even worse. By using Input::post() in your View, you bypass every security mechanism in Fuel. Your application is wide open for almost every injection attack. 

    NEVER use posted input unscreened, unvalidated and unencoded in a view !!!
  • Thank you for your suggestion.
    However, the code is generated by oil command.
    so, I reuse it.
    Instead of input::post(), I better use like val->valided().
    Well I will replace it tomorrow.
  • Brr... If Oil generates that, it urgently needs to go on the todo list.

  • I guess it was like that from very long time ago.

    In my opinion, you should run the oil command and see what is generated for controller and model too.

    Then, in order to solve the security issue, should I pass $val->valided() from the controller to view?

    Or, is there better way to solve the issue?

    Thank you.
  • HarroHarro
    Accepted Answer
    That would be the best solution. 

    But even if you don't validate, passing Input::post() from the controller into the View would cause all input data to be encoded, and rendered harmless,
  • Oh....well 
    do you mean I do not have to change anything?
    As long as I set the third argument to true in the View::forge(), I do not have to care of it?

  • HarroHarro
    Accepted Answer
    Correct. Anything you pass to the View object is encoded by default, including ORM objects. So any injected javascript (for example) is rendered harmless.

    The third argument is true by default, it is configured in your config.php ("security.auto_filter_output").

    A lot of frameworks filter on input. We believe that doing that will potentially make it slow (depending on the filter level) and will potentially alter the data (by stripping for example). So we don't do that, instead, we encode on output. This has the added benefit of rendering any data harmless, no matter where it comes from.

    As a developer you can always decide to filter and strip as part of your input validation.
  • Hello there,

    I see. 
    Thank for your explanation.
    I actually set the filter in the config.php.

    Also, I did not know that the filter logic in fuelPHP because I often did not look at the framework core.
    So, it is good to know about it.

    Thank you :)

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion