Shifted to REST architecture, so don't need to store those anymore.
Is there a way how to disable the model storing at all?
We can clear store before get data from REST
model.store = {};
Related
How do I store the data in the Database for a website using pyrocms.
I currently use the contact plugin and need to store the data in mysql.
If anyone has done this, I would appreciate the help!
The contact plugin does not capture data, but you can indeed save the input by slightly extending it.
You will need to have a table made to put it in. Otherwise, you could make a Stream to stuff the data into as well.
The easiest way is likely to use the posted callback on the ContactFormBuilder.
Something like this:
use \Anomaly\ContactPlugin\Form\ContactFormBuilder;
app(ContactFormBuilder::class)->listen('posted', function(ContactFormBuilder $builder) {
YourStreamModel::create($builder->getFormInput());
}
I've read the docs and watched the Laracast. I'm still left wondering why you would use them?
I get that you can map different data to different names if your field names were to change but you want to keep a consistent public API. But surly you can just do the same on the model with the toArray() method and change the mappings there?
If I were to do:
return User::find(1);
I get a response like:
{"id":1,"name":"Ova Parker"}
If I do:
return new UserResource(User::find(1));
I get a response like:
{"data":{"id":1,"name":"Ova Parker"}}
Is there a significance in wrapping it with a data tag? I am just guessing but is this a standard JSON format for API's? Why would you not just do return User::find(1); instead of using an API resource, if this is under API routes then it'll return it as JSON anyway automatically.
You kind of answer the question by yourself. The idea behind API Resources or Transformers (like the ones from Fractal) is to hide the db field names from the client. With return User::find(1) you expose your whole db structure which might not a good idea security-wise and also bad for the release process. If you need to change a db field name, you have to change the API too. With Resources you have a mapping between your application and the consumer of you API.
It seems more work in the beginning, but once you started it, you won't wanna miss it anymore.
There is no toArray() method in PHP, which gets magically called like __toString(). You have to write you own and call it by yourself. Resources are built-in by Laravel and will be resolved automatically.
Is it possible to combine MeteorJS collections and sessions? I can't find any information about it.
Template.search.helpers({
transToEnT: function(){
var try = TransToEnT.find();
Session.set('mySession', try);
var sessionDataToLog = Session.get('mySession');
return sessionDataToLog;
}
});
this is my attempt. Unfortunately, unsuccessful.
I think if you want to distinguish different user, it is better to use meteor original user and account (Meteor user and account) rather than manipulating session.
Meteor sessions and collections are different.
Collections are basically database, by default it's mongodb. AND sessions are the state of data-source for a particular client.
In meteor, if you want to apply reactivity of one component to other
component then we use sessions. Example: On change of one facet if you want to update other facet and reset data-source to the view, we can use Sessions and return session from the helper function of the template.
If you want to distinguish between users data. Use pub and sub for different users. Don't subscribe all the data for a user. Use Dynamic pub and sub.
Only user specific data should present for a particular user/client.
I am currently using the CodeIgniter framework, and looking to strengthen the XSS protection by using HTMLPurifier (http://htmlpurifier.org/).
Is my understanding correct that you want to 'clean' data on post, so that its purified before its inserted into the Database? Or do I run it before displaying in the view?
If so, do I want to run HTMLPurifier on every single post that takes place? Since the app contains a lot of forms, I'd hate to have to selectively choose what gets cleaned and what doesnt - assuming that I can intercept all posts, is this the way to go? Of course, I validate some fields anyway (like email addresses, numeric numbers, etc)
Use $this->input->post() to get $_POST data. Codeigniter filters it automatically if global xss filter is set to true.
See the docs: http://codeigniter.com/user_guide/libraries/input.html
Edit: to clarify
Yes you should filter before inserting into the DB and yes you should filter all user input.
A quick google search, http://www.google.com/search?q=codeigniter+htmlpurifier, led to this page: http://codeigniter.com/wiki/htmlpurifier which is a helper for htmlpurifier. Regarding catching all $_POST data: you have to do something with the data, right? In your models, when you're doing that something, just make purify() part of that process:
$postdata = purify($_POST);
In order to use some AJAX calls, we use often some input type="hidden". But these values can be easily changed. So, is it a builtin rails feature than permit to send date to AJAX, withouth being usable by user, or than can't be changed by user ?
In my current rails apps, i'm using filters for discard all malicious actions on my controllers. I am not building a public API, so i don't really need more powerful checks.
But for examples, i have an apotomo widget displaying some data, using some input hidden. But if you change it, you can access to another data set. In my case, it's not really an issue, cause all these users have the right to access these data sets anyway.
But is it some manner to give datas to ajax call, in a secure way ? Or the only security, is about rights management ?
All input that comes from the user is insecure as you do not have control over it! Users even do not need a webbrowser but can use some other program (like curl or wget) to send manipulated data.
As you state, using a whitelist (not a blacklist as you can never be sure of all bad, but of all good!) is a good way to start.
To make sure the hidden fields have not been changed you can use some kind of checksum that is calculated on server side using a fixed secret. This secret must never be exposed to your visitors!
hash = md5(field_1 + field_2 + field_3 + my_secret)
When these four hidden fields (field_1..3, hash) arrive in your form you can recalculate the hash and compare it with the params[:hash] in order to be sure the field_1 to field_3 have not been changed.