Validation stripping HTML only on fail?
#1

[eluser]absurdparadox[/eluser]
I've got multiple FCK Editors in an add/update form, that is having validation run on it when it is submitted.

Due to my form methodology, my form always uses the validation value as its display value.

The problem I'm having is that the validation seems to be rewriting the HTML from the fckeditor, replacing all special chars with their "ampersand-equivalent" ("<" becomes "&lt;", etc). So, when it takes the user back to the form to fix their errors, it's filling the FCKEditor fields in with the replaced-text... <p> becomes &lt;p&gt;.

Now, it doesn't actually do this if the validation passes, which I thought was interesting. If the user never had any validation errors, the HTML submits fine, lol.

I can code my way around this, but is it possible to get it to not do this?
#2

[eluser]TheFuzzy0ne[/eluser]
You're using set_value() which uses form_prep() and encodes the characters.

If you don't want this behaviour, you have the following two options:

1) Call on $this->form_validation->set_value(), which will not use the form_prep() function.
2) Use the following code as a replacement for the set_value() function. By specifying the third parameter as FALSE, form_prep() will not be used:

./system/application/helpers/MY_form_helper.php
Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

function set_value($field = '', $default = '', $form_prep=TRUE)
{
    if (FALSE === ($OBJ =& _get_validation_object()))
    {
        if ( ! isset($_POST[$field]))
        {
            return $default;
        }

        return ($form_prep) ? form_prep($_POST[$field]) : $_POST[$field];
    }
    
    return ($form_prep) ? form_prep($OBJ->set_value($field, $default)) : $OBJ->set_value($field, $default);
}

// End of file: MY_form_helper.php
// Location: ./system/application/helpers/MY_form_helper.php
The above code is untested.

Hope this helps.
#3

[eluser]TheFuzzy0ne[/eluser]
Sorry, I misunderstood your post. set_value() uses form prep, but it doesn't touch the post data. If you want to store the data in your database, you'll need to add prep_for_form to the end of your validation rules. That will modify the actual post data.
#4

[eluser]absurdparadox[/eluser]
Hmm, you've lost me a little.

I'm not using anything called set_value(), unless it's part of the functionality when the validation class sets the "$this->validation->whatever" variables based on the form inputs.

That above is what I'm using in all of my forms... for example, a text area will look like:
Code:
<textarea name="mytextarea"><?php echo $this->validation->mytextarea?></textarea>

I'm loading up $this->validation->[var]'s on the first loading of the form (from a database query), but then using the same variables as a return from validation.

Now, this may be some poor methodology, but it's what I came up with early in the project, when I first started to dive into CodeIgniter, which I decided to do because I didn't know PHP at the time (though I am very familiar with web app dev in other languages).

So, the problem lies in the fact that if the validation functions run, and it's successful, all is fine, and it doesn't rewrite all the html special-chars, and inserts them into the database. However, if validation fails, it does change all the html special chars into their encoded equivalents.

As I said, I'll just code around it, but I think maybe either there's something I'm missing here, lol
#5

[eluser]TheFuzzy0ne[/eluser]
My apologies. I assumed you were using the form validation class, not the normal validation class, since the standard validation class is deprecated since CodeIgniter 1.7.0. However, the validation class also uses prep_for_form() to set its fields, which is why you're having this problem. It basically encodes the data so it doesn't break form inputs.

You can either check out the form_validation class (which works like the validation class, but has extra features) and use my modified method, or I could probably whip up another function to override the one in the validation class that's encoding your form data.

The way the validation class you're using works, is it runs the validation, if anything fails, it assumes you're going to want to repopulate the form, so it escapes the HTML. If the validation passes, you don't need to populate the form, so it doesn't escape the data. Hope this makes sense.
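
The behaviour described in post #5, as an added example that is not part of the thread and is not CodeIgniter's or FCKeditor's code: it compares a rich-text value written into a textarea raw, encoded once, and encoded twice. The helper names and the sample value are constructed for illustration, and the idea that the symptom in post #1 comes from a second encoding pass in the field-rendering code is an assumption the thread does not confirm.

```php
<?php
declare(strict_types=1);

// Encode a value for placement between <textarea> tags,
// the job prep_for_form()-style helpers perform.
function encode_for_form(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Approximates what the browser hands to the user (or a rich-text editor)
// after parsing the textarea content: entities are decoded exactly once.
function browser_decodes(string $content): string
{
    return html_entity_decode($content, ENT_QUOTES, 'UTF-8');
}

// True when the content cannot close the textarea and spill into the page.
function stays_inside_textarea(string $content): bool
{
    return stripos($content, '</textarea') === false;
}

// Constructed sample of a rich-text submission; not taken from the thread.
$posted = '<p>Tom & Jerry</p></textarea><b>outside the field</b>';

$cases = [
    'raw'           => $posted,
    'encoded once'  => encode_for_form($posted),
    'encoded twice' => encode_for_form(encode_for_form($posted)),
];

foreach ($cases as $label => $content) {
    printf(
        "%-14s contained=%-3s editor_gets_original=%s\n",
        $label,
        stays_inside_textarea($content) ? 'yes' : 'no',
        browser_decodes($content) === $posted ? 'yes' : 'no'
    );
}
```

Only the once-encoded value is both contained in the field and restored intact, so dropping the encoding step is safe only when the code that renders the field encodes the value itself.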
#6

[eluser]absurdparadox[/eluser]
Awesome, exactly what I needed to know! Thanks a ton.



