Documentation

Forms

Forms are used to handle user input.

Example
<form id="form" method="post" action="./">
    <fieldset>
        <dl>
            <dt><label for="foo">Foo</label></dt>
            <dd>
                <input type="text" class="text" name="foo" id="foo" value="<?php echo $model->POST_html_safe['foo'] ?>"/>
            </dd>
        </dl>
    </fieldset>
    <fieldset>
        <dl>
            <dt><br/></dt>
            <dd>
                <input type="hidden" name="auth-token" value="<?php echo $model->authToken ?>"/>

                <input type="submit" class="button" name="submit" id="submit" value="Submit"/>
            </dd>
        </dl>
    </fieldset>
</form>

The recommended way to handle forms is the Form plugin, which takes care of input validation.

Auth token

As a measure against cross-site request forgery (CSRF), every form sent as POST must include an authentication token. If the auth-token field is missing or does not match, the form is not processed and an error message is displayed.

Include the following line when creating forms that are sent as POST:

<input type="hidden" name="auth-token" value="<?php echo $model->authToken ?>"/>

Confirmation

Information sent as GET carries no authentication token, so its origin cannot be verified and it must not be trusted on its own: anyone can craft a link such as ?id=1&action=delete and get a logged-in user to follow it. When a link is used to perform an administrative task, ask the user for confirmation with $model->confirm(). The request is then resubmitted as a POST, which is subject to the auth-token check above.

Example
<?php
$model->form->validate(array());

if ( isset($model->GET_raw['action']) && $model->GET_raw['action'] == 'delete' )
{
    if ( empty($model->POST_valid['confirm']) )
    {
        // First visit via the GET link: ask before doing anything destructive
        $model->confirm('Are you sure you wish to delete this page?');
    }
    else
    {
        // Resubmitted as POST with confirm set to TRUE: delete the page
    }
}
?>

The $model->confirm() function stops script execution and displays a form with the option to either proceed or cancel. If the user chooses to proceed, the page is reloaded via POST and $model->POST_valid['confirm'] is set to TRUE (this requires the Form plugin).
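The following is an added illustration in plain PHP of the two mechanisms described in the Auth token and Confirmation sections; it is not the framework's own code and does not use $model. It assumes PHP sessions are available, reuses the field names from this page (auth-token, confirm), and uses a hypothetical delete_page() as a stand-in for the real deletion.

```php
<?php
// Added illustration in plain PHP (not the framework's own code) of the two
// mechanisms described above: a per-session auth token that a forged
// cross-site request cannot supply, and a confirmation step that turns an
// unverifiable GET link into a verified POST. Field names follow the page
// ("auth-token", "confirm"); delete_page() is a hypothetical stand-in.
session_start();

// One random token per session. The browser of a logged-in user will attach
// cookies to a forged request, but the attacker's page cannot read this value.
function auth_token(): string
{
    if (empty($_SESSION['auth_token'])) {
        $_SESSION['auth_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['auth_token'];
}

// Constant-time comparison: a missing or tampered token fails without leaking
// how many leading bytes matched.
function auth_token_valid(array $post): bool
{
    return isset($post['auth-token'], $_SESSION['auth_token'])
        && hash_equals($_SESSION['auth_token'], (string) $post['auth-token']);
}

function delete_page(int $id): void
{
    // hypothetical: remove page $id from storage
}

// Every POST is checked first; like the framework, refuse to process the form
// at all when the token is missing or wrong.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !auth_token_valid($_POST)) {
    http_response_code(403);
    exit('The auth-token field is missing or invalid; the form was not processed.');
}

$action = $_GET['action'] ?? '';
$id     = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);

if ($action === 'delete' && is_int($id)) {
    // Only a POST that passed the token check and carries confirm=1 counts.
    $confirmed = $_SERVER['REQUEST_METHOD'] === 'POST'
        && ($_POST['confirm'] ?? '') === '1';

    if (!$confirmed) {
        // The GET link ?id=1&action=delete gets a confirmation form instead of
        // an action. It re-posts to the same URL so the query string survives.
        $self = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
        echo '<form method="post" action="' . $self . '">'
           . '<p>Are you sure you wish to delete this page?</p>'
           . '<input type="hidden" name="auth-token" value="' . auth_token() . '"/>'
           . '<button type="submit" name="confirm" value="1">Proceed</button> '
           . '<a href="./">Cancel</a>'
           . '</form>';
        exit; // stop here, as $model->confirm() does, until the user answers
    }

    delete_page($id);
    echo 'Page deleted.';
}
```

The order of the checks is the point: the token is verified before any action is considered, and the destructive branch is reachable only through a POST that passed that check and carries the confirm field. A link alone, whether typed by the user or planted by an attacker, can never get past the confirmation form.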

Handling user input

For security reasons $_GET and $_POST must not be used directly. Use the filtered alternatives below instead, choosing the one that matches the context in which the value is used: an HTML-safe value belongs in HTML output (as in the value attribute of the form example above), a database-safe value in a query, and neither is safe to paste into JavaScript or a URL without further escaping.

Safe for HTML
  • $model->GET_html_safe
  • $model->POST_html_safe
Safe for database insertion (requires a database plug-in)
  • $model->GET_db_safe
  • $model->POST_db_safe
Unfiltered (and unsafe!)
  • $model->GET_raw
  • $model->POST_raw
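To show why the same input is offered in per-context variants, here is an added example in plain PHP; it is not the framework's code and does not reproduce how $model builds its arrays. html_safe() is a hypothetical helper mirroring the idea of POST_html_safe, the database part uses PDO prepared statements on an in-memory SQLite database (assumes the pdo_sqlite extension), and the attacker input is constructed for the demonstration.

```php
<?php
// Added illustration (not the framework's own code) of why one raw input needs
// different filtered views for different output contexts.
// Assumes the pdo_sqlite extension; the sample input below is constructed.
declare(strict_types=1);

// HTML-safe view: every value escaped for HTML text and quoted attributes
// (ENT_QUOTES covers both " and '); nested arrays are handled recursively.
function html_safe(array $raw): array
{
    $out = [];
    foreach ($raw as $key => $value) {
        $out[$key] = is_array($value)
            ? html_safe($value)
            : htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $out;
}

// Database-safe means the value is bound as a parameter: it never becomes part
// of the SQL text, so no quoting trick in the input can change the statement.
function insert_page(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO pages (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $db->lastInsertId();
}

// Constructed attacker input: the first value closes a value="" attribute and
// injects a script tag, the second closes a quoted SQL literal.
$raw = [
    'foo'   => '"><script>alert(1)</script>',
    'title' => "x'); DROP TABLE pages; --",
];

// Vulnerable: the raw value breaks out of the attribute (kept as a string only).
$vulnerable = '<input type="text" name="foo" value="' . $raw['foo'] . '"/>';

// Hardened: the HTML-safe view stays inside the attribute as literal text.
$safe = html_safe($raw);
echo '<input type="text" name="foo" value="' . $safe['foo'] . '"/>', PHP_EOL;

// Database: the raw title is stored verbatim through a bound parameter and the
// table survives; no escaping for HTML was needed or wanted here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
insert_page($db, $raw['title']);
echo $db->query('SELECT COUNT(*) FROM pages')->fetchColumn(), ' page(s) stored', PHP_EOL;

// Mixing contexts is the classic mistake: storing $safe['title'] would put
// "&quot;" and "&#039;" entities in the database, and echoing a value that was
// only prepared for the database would leave "<script>" intact in the page.
```

The rule the example encodes is the one behind the list above: pick the filtered view for the place the value ends up, use it there and nowhere else, and treat the raw arrays as untrusted input that still needs validation before anything is done with it.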

See also