
FuelPHP Forums

RuntimeException [ Error ]
  • $data = Model_Post::find()->where('slug', $slug);
    Error RuntimeException [ Error ]: Object class "Orm\Query" could not be converted to string or sanitized as ArrayAcces. Whitelist it in security.whitelisted_classes in app/config/config.php to allow it to be passed unchecked.
    Can you please explain why I should whitelist it, and what security risk is involved in whitelisting?
    Thanks!
  • You get this error when you pass an ORM object to a view. Fuel by default does output encoding for security reasons: you store raw data, and encode when you send it to the browser. However, you cannot encode an ORM object, so if you want to pass those to the view, add 'ORM\Model' to the security whitelist in config.php, and make sure you encode the individual fields manually in your views using the e() helper. Alternatively, convert the object to an array before you pass it to the view.
  • That's not the problem, Orm\Model instances are encoded automatically and only need to be added to the whitelist or passed through ->set('var', $var, false) when you don't want them output encoded. This is however an Orm\Query object, thus an un-executed query which should be executed before being passed to the View.
  • Darn, I missed that. Where are they encoded automatically? And doesn't that "destroy" the ORM object (as in "do not try to do a save() after you've passed the object to a view")?
  • Orm objects extend Iterator and ArrayAccess, allowing them to be cleaned like normal arrays.
  • I understand that, but that will leave the ORM object in an is_changed state, and a potential disaster when later on in your code you use the object's properties, or worse, use $object->save(), which will save the encoded properties. As ORM objects use a getter, would it be a possibility to tell the object to return encoded properties when you request one?
    // enable encoding: the getter returns output-encoded values
    $object->encode(true);
    
    echo $object->property;
    
    // disable encoding: the getter returns the raw stored values again
    $object->encode(false);
    
    echo $object->property;
    
  • Once passed to the View it shouldn't be saved, it's very-very bad practice to do so. The problem here is though that it'd be hard to do this without ending up with a huge if/else structure inside htmlentities for each different type of object we might want to have cleaned. Solving this the "easy" way is just wrong because you'd hardcode Orm\Models into the core. If you can think of a way to do this without hardcoding "instanceof Orm\Model" I'm all for it, but helping people out executing bad-practice shouldn't be a reason to add bad-practice code to the core.
  • Ok, you've got a valid point. To be able to easily pass an ORM model to a view, the alternative is an array (using to_array()), but that isn't what a lot of people want. Would it be an option to add a to_object(), that would do the same as to_array(), but returns a stdClass object (that can be encoded without problems, and will allow you to use $object->property in your view)? Or alternatively cast the result of to_array() to object before passing it to $view->set. Maybe we should document this as the preferred solution.
  • How about an export method instead of the to_array() method that exports an array on no input or "array" but exports an object of any given type with input (true = alias for stdClass). Should also allow to "add to" an object instead of creating a new one. Usage examples:
    $model = Model_Example::find('first');
    // no argument (or "array"): plain array, like to_array()
    $array = $model->export();
    // true is an alias for stdClass
    $std_class = $model->export(true);
    $std_class = $model->export("stdClass");
    // any class name: a new instance of that class is filled
    $example_class = $model->export("Example_Class");
    // an existing object: the properties are added to it instead of creating a new one
    $obj = new stdClass();
    $object = $model->export($obj);
    
  • That sounds very flexible. I can absolutely live with that!
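The point argued in the thread, that cleaning an ArrayAccess model in place leaves it is_changed while exporting an encoded copy does not, as an added illustration that is not code from the thread or from FuelPHP: FakeModel, encode_in_place() and export_encoded() are constructed stand-ins that only mimic the ArrayAccess/Iterator behaviour of an Orm\Model, and PHP 8 is assumed. (For the original poster's error the Orm\Query still has to be executed first, e.g. with get_one() in FuelPHP 1.x, before anything reaches the view.)

```php
<?php
// Constructed stand-in for an Orm\Model (not FuelPHP code): ArrayAccess plus
// iteration, and change tracking the way the thread describes is_changed().
class FakeModel implements ArrayAccess, IteratorAggregate
{
    private array $data;
    private array $original;

    public function __construct(array $data)
    {
        $this->data = $this->original = $data;
    }
    public function offsetExists(mixed $key): bool { return isset($this->data[$key]); }
    public function offsetGet(mixed $key): mixed { return $this->data[$key]; }
    public function offsetSet(mixed $key, mixed $value): void { $this->data[$key] = $value; }
    public function offsetUnset(mixed $key): void { unset($this->data[$key]); }
    public function getIterator(): Iterator { return new ArrayIterator($this->data); }
    public function is_changed(): bool { return $this->data !== $this->original; }
    public function to_array(): array { return $this->data; }
}

// What happens when the model is cleaned like a plain array: the stored values
// themselves are replaced, so a later save() would persist the encoded text.
function encode_in_place(FakeModel $model): void
{
    foreach ($model as $key => $value) {
        $model[$key] = htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// The alternative discussed in the thread: export an encoded copy as a stdClass.
// The view can still use $post->title, and the model keeps its raw data.
function export_encoded(FakeModel $model): stdClass
{
    $obj = new stdClass();
    foreach ($model->to_array() as $key => $value) {
        $obj->$key = htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $obj;
}

// Constructed sample record holding user-supplied markup in a field.
$post = new FakeModel(['slug' => 'hello', 'title' => 'Hello <b>world</b> & "friends"']);

$safe = export_encoded($post);
echo $safe->title, "\n";         // encoded copy, safe to echo in a view
var_dump($post->is_changed());   // the model is untouched, save() stays safe

encode_in_place($post);
var_dump($post->is_changed());   // now changed: a save() would write encoded data
```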
