[Deprecated] DMZ 1.5.3 (DataMapper OverZealous Edition)

[eluser]mcnux[/eluser]
@macigniter
I've used the same method you've used and it's worked no problem, with MySQL that is. Try using $e->check_last_query(); to see what query is being generated?

[eluser]tdktank59[/eluser]
Never mind...

Was an issue where short tags were not turned on in the php.ini file

On that note why not use <?php ?> instead of <? ?>
Which would solve this problem...

So anyways updated the view files to use <?php ?> and <?php echo (*); ?>
and fixed the issue.

I need to have scripts work no matter what happens (if short tags are removed at some point in the future)

[eluser]PoetaWD[/eluser]
@NachoF

Code:
if($this->input->post('stCPF'))

Thanks for the tip... I did that because the isset() did not work...(now I understand why) thank you!

The $obj is being created at the beginning of the code...

@OVZ

I really understand what you mean... and, I am aware of that problem... that is why I am looking for a good auth method... I am using dx_auth with some modifications of my own. It does the job well... ( I think ). I will post my results so you can give me your feedback.

This code is to insert data from people into the app. Like clients, customers or just contacts.

When the person is a client the user will want to add his full info, like Documents, address.

When the person is just a contact the user will only want to add its Name, email and phone.

That is why I am using the

Code:
if($this->input->post('stRG'))

because it is OK if the user doesn't submit the value for RG... and if he doesn't, the system won't create a Document object for the RG.

My question is that if the user doesn't submit an RG value, a $xxx->Document() object won't be created. If I save it with $obj->save($xxx), won't the system return me an error? Because I am trying to save an object that has not been created!

That is why I was saving each object separately.

[eluser]PoetaWD[/eluser]
Hey guys... I am posting again to see if you have a good method to help me secure my app.

I figured a way of doing this... but, I want to check with you if this is a good method and if this is SAFE !

The app I am building is to be used by various companies... each company might have unlimited users, but the users can only handle that company's data.

I am using dx_auth with some modifications of my own.

In the user table I will store the ID of the company that the user belongs to.

And I will store that company ID in the user session:

Code:
function _set_session($data)
{
    // Get role data
    $role_data = $this->_get_role_data($data->role_id);

    // Set session data array
    $user = array(
        // ...
        'DX_company_id' => $data->company_id,
        // ...
        'DX_logged_in'  => TRUE
    );

    $this->ci->session->set_userdata($user);
}

I have created a function that will return me the ID of the company that the user belongs to:

Code:
$this->dx_auth->get_company_id()

I have:

To list all the objects:

Code:
if ($this->dx_auth->is_logged_in())
        {
            $obj = new Person();
            $obj->where_related('company', 'id', $this->dx_auth->get_company_id());
            $obj->get();
            
            $data['objects'] = $obj->all;            
            
            $this->load->view('simple/system/person/index', $data);  
            
        }

This will list all the person() that is associated with that company.

To save an object:

Code:
if ($this->dx_auth->is_logged_in())
{
    // Load the company from the ID held in the server-side session
    $ccc = new Company;
    $ccc->get_by_id($this->dx_auth->get_company_id());

    $obj = new Person();
    $obj->stNome = $this->input->post('stName');
    $obj->save($ccc);
}

Is it safe ?

Trust in the session to store the company ID ?

[eluser]PoetaWD[/eluser]
It posted 3 times my post !! sorry !

[eluser]PoetaWD[/eluser]
BUG!!!

[eluser]tdktank59[/eluser]
@Poetawd

To use the session should be safe enough... As long as the only way to set the session is with your function.

So yes in practice that should be more than secure enough. The other option is to look it up all the time. Or set a cached value somewhere...

In other words, I would be doing what you are.

[eluser]PoetaWD[/eluser]
[quote author="tdktank59" date="1251926976"]@Poetawd

To use the session should be safe enough... As long as the only way to set the session is with your function.

So yes in practice that should be more than secure enough. The other option is to look it up all the time. Or set a cached value somewhere...

In other words, I would be doing what you are.[/quote]

Thanks man !

I have no experience with this AT ALL !

If you have another way of doing this, easier, please let me know...

See ya...

[eluser]OverZealous[/eluser]
@macigniter

Just like what mcnux said, that should work fine. That's a feature of Active Record, it automatically converts ($field, NULL) to $field IS NULL. It does work.

@Poetawd
• All related objects must already be saved to the database to save a relationship. Only the primary object can still be new.

• I'm not sure you understand the risk, but maybe I'm misunderstanding what you wrote. The risk with code like you've written is that someone who is purposefully being malicious could send a different document ID back to the server. The server would then blindly save this document to the profile. The user might end up having access to someone else's document after this. The security issue isn't that the input is invalid, but does the user have access to that document id?

• The topic of a proper authorization setup is probably too big for this (already long) thread. I would recommend starting a new thread if you need more help with auth specifically.

@tdktank59

I always code in short tags (JSP heritage). I don't really understand why they would ever not be turned on. They also shouldn't ever be removed from the spec.

I understand that they can be turned off, and if I get some time, I'll change the example content and the htmlform views.

[eluser]PoetaWD[/eluser]
Now I understand what you mean....

I cannot trust the information sent by the hidden form field....

THANK YOU!

Since I've created the object profile, that has a field with those ids...

Here is how I've done:

Code:
if($this->input->post('stRG'))
            {
                $rg = new Documento();
                $rg->get_by_id($obj->rg_id);    
                $rg->stNumero = $this->input->post('stRG');                
                $rg->save();                
                $obj->save($rg, 'rg');                
            }
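
The ownership check discussed in this thread, as an added example that is not part of the original posts and not DMZ or dx_auth code: a client-supplied document ID is only honoured when the record belongs to the company held in the server-side session. The in-memory `$documents` array, the helper names `find_document_for_company()` and `update_document()`, and the sample values are constructed for illustration.

```php
<?php
// Constructed sample data: documents keyed by id, each owned by one company.
$documents = [
    10 => ['company_id' => 1, 'stNumero' => 'RG-AAA'],
    11 => ['company_id' => 2, 'stNumero' => 'RG-BBB'],
];

/**
 * Hypothetical helper: return a document only if it belongs to the caller's company.
 * $sessionCompanyId is the value kept in the server-side session;
 * $requestedId is whatever the browser sent (for example a hidden form field).
 */
function find_document_for_company(array $documents, int $sessionCompanyId, $requestedId): ?array
{
    // Accept only a plain positive integer before using it as a lookup key.
    $id = filter_var($requestedId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($documents[$id])) {
        return null;
    }
    // Ownership check: "missing" and "not yours" get the same answer,
    // so the response does not reveal which ids exist for other companies.
    if ($documents[$id]['company_id'] !== $sessionCompanyId) {
        return null;
    }
    return ['id' => $id] + $documents[$id];
}

/** Hypothetical helper: update a document number, refusing cross-company writes. */
function update_document(array &$documents, int $sessionCompanyId, $requestedId, string $stNumero): bool
{
    $doc = find_document_for_company($documents, $sessionCompanyId, $requestedId);
    if ($doc === null) {
        // Record the refusal; json_encode keeps the untrusted value on one log line.
        error_log("denied document update: company=$sessionCompanyId id=" . json_encode($requestedId));
        return false;
    }
    $documents[$doc['id']]['stNumero'] = $stNumero;
    return true;
}

// A user of company 1 edits their own document: accepted.
var_dump(update_document($documents, 1, '10', '12.345.678-9'));
// The same user posts id 11, which belongs to company 2: refused, record untouched.
var_dump(update_document($documents, 1, '11', 'changed'));
var_dump($documents[11]['stNumero']);
```

With DMZ, the same scoping is the `where_related('company', 'id', $this->dx_auth->get_company_id())` condition from the listing code earlier in the thread, applied to the lookup by ID before anything is saved.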



