Form builder UserId/Username
#1
Hi,

Just a quick one, would anyone know the best way if using the form builder to include the UserId/UserName (automatically) as a hidden field of the account that submitted the form, ideally not something that someone could use the dev tools in Chrome etc to spoof/change.

What I am basically trying to do is to use the stripe subscription system to allow paying users (have not implemented this yet) to add entries to the database.
From their account on a separate page they will then be able to find their own entries and edit/update/delete them should they have a need.

The latter I imagine would be easy based on pulling a list from database queries based on their UserName/UserId etc.

If I have to manually create a form then no problem, just trying to avoid re-inventing the wheel in case this is already built in and I am missing something.


Have had a look in the forms.php and imagine I can add the required function in there BUT as an embedded C programmer rather than PHP, I want to make sure I am not opening some vulnerability up with that so treading very carefully.


Also there appears to be a bug on the Form Creator, setting the Radio buttons as required is ignored and has no required==1 value unlike the checkbox function.

Thanks as always from the UK  Smile

Chris
#2
(02-01-2019, 03:29 AM)TheCj Wrote: Hi, Just a quick one, would anyone know the best way if using the form builder to include the UserId/UserName (automatically) as a hidden field of the account that submitted the form, ideally not something that someone could use the dev tools in Chrome etc to spoof/change. [...]
Hi from Florida! It's kind of funny because I haven't been asked that question in a while, but I just answered it yesterday.  

So regarding the other things like sticking more info in secretly, there are ways to do that.
So basically, you can create the other form fields that you want to create normally and then you go to the views thing and make a "view" of just the form fields that you actually want to show. Then instead of displaying the form, you display the view. 

So one of the things with doing hidden form fields is that the user can change them in the chrome inspector. They can't do that with the "logged in" info that you have when someone logs in. So I'll give you a quick example. Let's say that you want to store the username.

Add a field with the column name username
Don't show that column in the view
Display the view. 
Then when you do the form processing do...

if(!empty($_POST)){
    $response = preProcessForm();
    if($response['form_valid'] == true){
        $response['fields']['username'] = $user->data()->username;
        $response = postProcessForm();
    }
}

This is pulling in the username from the database instead of anything that they can alter. In fact, you can refer to any item in the users table with $user->data()->columnNameFromTheDatabase

Anyway, please don't hesitate to ask for help if anything doesn't make sense.
#3
I will definitely check on the radio button required thing. There is also a bug that is staged to be patched.
Can you replace the file users/views/_form_edit_field.php with the contents of this file and let me know if that fixes it?

https://pastebin.com/gzxyn3ZV
#4
Thanks again,

With the regular form submit method, no problem, when I try to use the preProcessxxxx and postProxxxxxx then I get an error.
Am about to spin another VPS server up to check this with even though I am not sure it would be due to being on XAMPP.
Error is:
Fatal error: Uncaught ArgumentCountError: Too few arguments to function postProcessForm(), 0 passed in C:\xampp\htdocs\cj_page.php on line 16 and at least 1 expected in C:\xampp\htdocs\users\helpers\forms.php:441

The Form is created with the hidden variables you mentioned named username and userid (did also try them as text rather than hidden)
A view is created with just the sample textbox.

P.S. did add that code from PasteBin you provided, was that for the radio buttons "required" option being ignored?

Thanks

Chris


Code:
<?php

if(file_exists("install/index.php")){
    //perform redirect if installer files exist
    //this if{} block may be deleted once installed
    header("Location: install/index.php");
}

require_once 'users/init.php';

if(!empty($_POST)){
    $response = preProcessForm();
    if($response['form_valid'] == true){
        $response['fields']['username'] = $user->data()->username;
        $response['fields']['userid'] = $user->data()->id;
        $response = postProcessForm();
    }
}

require_once $abs_us_root.$us_url_root.'users/includes/template/prep.php';
if(isset($user) && $user->isLoggedIn()){
}


?>
<div id="page-wrapper">
    <div class="container">
        <div class="jumbotron">
            <h1 align="center">Welcome to <?php echo $settings->site_name;?></h1>
            <p align="center" class="text-muted">An Open Source PHP User Management Framework. </p>
            <p align="center">
                <?php
                displayView(9);
                ?>
            </p>
            <br>
            <p align="center">You have successfully installed UserSpice!<br>To view our getting started documentation, please visit</p>
            <h4 align="center"><a href="https://userspice.com/getting-started/">https://userspice.com/getting-started/</a></h4>
        </div>
    </div>
</div>

<!-- Place any per-page javascript here -->


<?php require_once $abs_us_root . $us_url_root . 'usersc/templates/' . $settings->template . '/footer.php'; //custom template footer ?>


Unsure if I have missed something, have tried a number of times and the same result, sorry in advance if this is something I have goofed.
Creativity is like a fart, push too hard and it usually ends in tears, that's the polite version anyway patented to me Wink
#5
Have launched a VPS Server.
Exactly the same issue, which means it's either my file that I have created or there is a bug. I have looked at the forms.php line 441 and can see the function, in which I can't spot anything obvious missing.
I echoed the array content on the main page and they are outputting, just appears to not be getting put to the function.

Any thoughts?

Thx
#6
I don't have a form on hand. I'm looking at that forms.php now.
#7
I'm guessing off the top of my head it should be
postProcessForm($response);

Can you try that?
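As an added example (not UserSpice's own code, and not something posted in this thread), here is how the approach from post #2 looks as a complete page handler once combined with the corrected postProcessForm($response) call from post #7, plus an ownership-scoped query and delete for the "find their own entries and edit/update/delete them" part of the original question. It assumes the UserSpice helpers named in this thread (preProcessForm, postProcessForm, $user->isLoggedIn(), $user->data()), a hypothetical table named entries with a userid column, and a plain PDO handle; UserSpice's own database wrapper is not shown on this page, so it is not used here.

```php
<?php
// Added example, not UserSpice project code. Assumes users/init.php provides
// $user (as in this thread) and that a PDO handle $pdo exists (assumption).
require_once 'users/init.php';

/**
 * Stamp the authenticated user's identity onto a validated submission.
 * Any 'username' or 'userid' the browser sent is discarded first, so a
 * hidden field edited in the devtools inspector never reaches the database.
 */
function stampOwner(array $response, $user): array
{
    // Hidden inputs are client-controlled; drop whatever arrived under these keys.
    unset($response['fields']['username'], $response['fields']['userid']);

    // Overwrite from the server-side, session-backed user object only.
    $response['fields']['username'] = $user->data()->username;
    $response['fields']['userid']   = (int) $user->data()->id;
    return $response;
}

/**
 * List only rows owned by the logged-in user. The owner id comes from the
 * session, never from the request, so no query parameter can widen the scope.
 * Table 'entries' and column 'userid' are hypothetical names for this example.
 */
function ownEntries(PDO $pdo, $user): array
{
    $stmt = $pdo->prepare('SELECT * FROM entries WHERE userid = :uid ORDER BY id DESC');
    $stmt->execute([':uid' => (int) $user->data()->id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Delete one entry, but only if it belongs to the caller. Putting the owner
 * check in the WHERE clause means a guessed id for someone else's row simply
 * matches nothing; the caller learns only that 0 rows changed.
 */
function deleteOwnEntry(PDO $pdo, $user, int $entryId): bool
{
    $stmt = $pdo->prepare('DELETE FROM entries WHERE id = :id AND userid = :uid');
    $stmt->execute([':id' => $entryId, ':uid' => (int) $user->data()->id]);
    return $stmt->rowCount() === 1;
}

if (!empty($_POST)) {
    // Refuse anonymous submissions outright rather than stamping an empty owner.
    if (!isset($user) || !$user->isLoggedIn()) {
        http_response_code(403);
        exit('You must be logged in to submit this form.');
    }

    $response = preProcessForm();            // validates the form-builder fields
    if ($response['form_valid'] == true) {
        $response = stampOwner($response, $user);
        $response = postProcessForm($response); // argument required, see post #7
    }
}
```

The two pieces together cover both halves of the original question: the submission can never carry a forged owner because the server overwrites those fields after validation, and the later listing and delete pages scope every query by the session user's id rather than trusting an id from the URL or form.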
#8
Perfect, thank you again!

The ONLY reason I didn't try that was the example code and it's also in the documentation section of this site (the opposite of)
https://userspice.com/advanced-form-processing/

From a C perspective that would be it exactly too, I should have tried it anyway (facepalm)

As previous, awesome script, runs very well on a 4th gen i7 XAMPP install, truly lightning quick on a Xeon SSD server!

Owe you MANY thanks so far Smile
#9
I actually updated the documentation when I sent you that. I realized that somehow it got rolled back. I had updated that and then I restored an older version of the site and accidentally botched that documentation.

I may seriously come to you with some C questions :-)
I write a lot of Arduino and microcontroller stuff and C is the bane of my existence. :-) I really need a tutor
#10
Not a problem at all Smile

Not free of course sadly but get a copy of MikroElectronica (can't praise their compiler enough), have tried a few and that is the easiest due to having a ton of built in libraries (as in high end libraries at that), all the debug tools on the planet which makes life much easier inspecting registers whilst code stepping etc etc
F1 for the example functions/inbuilt libraries which cuts time down even more, further extended on the free Libstock site (theirs) I use PIC32 compiler version personally for high performance projects, high framerate OLED screen drivers etc.

Off topic I know, speaking to my partner today about having found UserSpice and this will allow me to complete 2 projects which were on the back burner due to being way off PHP for writing a user management system etc (much more difficult when you can't inspect registers in real time) and am far from an expert by far.
Anyway, and I am totally serious about this, one of the projects may be more of a hobby kind of thing, the other COULD do pretty well indeed and if it does, I will be donating something back in return, wonder how many people have said that before as wishful thinking.

Have all the building blocks now, apart from having to figure a secure image upload feature to build in, allowing users to submit that after OR at the same time as their form data.
Could also be for the V5 suggestions Smile

Seriously impressive script you have here!

Thanks again.