Form.php - This PHP class represents a form that can be sav…

/framework/core/form/Form.php

http://zoop.googlecode.com/ · PHP · 99 lines · 77 code · 16 blank · 6 comment · 8 complexity · 7969c786f4abcff170152a36fec751fc MD5 · raw file


<?php
class Form
{
	private $id;
	private $bindings;
	private $sessionId;
	
	function __construct()
	{
		$this->bindings = array();
		$this->sessionId = session_id();
	}
	
	public function addBinding($class, $id, $field)
	{
		$newBinding = new FormBinding($class, $id, $field);
		$this->bindings[] = $newBinding;
		return $newBinding->getName();
	}
	
	public function saveBindings()
	{
		if(empty($this->bindings))
			return;
		$parts = array();
		foreach($this->bindings as $thisBinding)
			$parts[] = $thisBinding->getString();
		$listString = implode(',', $parts);
		
		$this->id = SqlInsertArray('session_form', array('session_id' => $this->sessionId, 'fields' => $listString));
	}
	
	static public function appendBindings($newBindings)
	{
		$formId = getPostInt('_zoop_form_id');
		$sessionId = session_id();
		//	IMPORTANT SECURITY NOTE:
		//		even though session.id is going to be a unique identifier we still need to check to make sure that it 
		//		has the correct session_id to prevent spoofing
		$fieldString = SqlFetchCell("select fields from session_form where session_id = :sessionId and id = :formId",
							array('sessionId' => $sessionId, 'formId' => $formId));
		
		if(!$fieldString)
			trigger_error("session_form row $formId not found.  Possible attempt to spoof session data.");
		
		$parts = array();
		foreach($newBindings as $thisBinding)
		{
			if(is_array($thisBinding))
				$bindingObject = new FormBinding($thisBinding['class'], $thisBinding['id'], $thisBinding['field']);
			else
				$bindingObject = $thisBinding;
			$parts[] = $bindingObject->getString();
		}
			
		$appendString = implode(',', $parts);
		
		SqlUpdateRow("update session_form set fields = :newFieldString where session_id = :sessionId and id = :formId",
							array('sessionId' => $sessionId, 'formId' => $formId, 'newFieldString' => $fieldString . ',' . $appendString));		
	}
	
	public function getTagInfo()
	{
		return array('_zoop_form_id', $this->id);
	}
	
	static public function save()
	{
		if(!isset($_POST['_zoop_form_id']) || !$_POST['_zoop_form_id'])
			return;
		
		$formId = $_POST['_zoop_form_id'];
		$sessionId = session_id();
		//	IMPORTANT SECURITY NOTE:
		//		even though session.id is going to be a unique identifier we still need to check to make sure that it 
		//		has the correct session_id to prevent spoofing
		$fieldString = SqlFetchCell("select fields from session_form where session_id = :sessionId and id = :formId",
							array('sessionId' => $sessionId, 'formId' => $formId));
		
		if(!$fieldString)
			trigger_error("session_form row $formId not found.  Possible attempt to spoof session data.");
		
		$objects = array();
		foreach(explode(',', $fieldString) as $thisFieldString)
		{
			list($class, $id, $field) = explode(':', $thisFieldString);
			if(!isset($_POST['_zoop_form_element'][$class][$id][$field]))
				continue;
			$objectId = "$class:$id";
			if(!isset($objects[$objectId]))
				$objects[$objectId] = new $class($id);
			
			$objects[$objectId]->$field = $_POST['_zoop_form_element'][$class][$id][$field];
		}
		
		foreach($objects as $thisObject)
			$thisObject->save();
	}
}

Summary ✨

This PHP class represents a form that can be saved to a database and retrieved later. It allows for dynamic binding of fields to classes, which are then populated with user input when the form is loaded. The class provides methods for adding bindings, saving the form, and retrieving tag information. It also includes security measures to prevent spoofing session data.

Alerts (4)

'$_POST[' Unbounded request input detected; limit size (e.g., check Content-Length or use max input vars) to prevent memory exhaustion
69 72 87 93