How to use form.render() and disable the form handle

From controller:

public function viewAction($id, $report_id)
{
    $report = SaeReport::findFirst('id = '.$report_id);
    $form = new SAEReportForm($report, array('id' => $id));
    $this->view->form = $form;
}

In the view.volt, when I call form.render(), is there a way at runtime to specify that I want the form element to be disabled, i.e. not changeable? I've tried

{{form.render('name',array('disabled'=>true))}}

but that doesn't work...



84.0k

form.render only renders elements. You have to write the form using a form helper: https://github.com/phalcon/invo/blob/master/app/views/products/index.volt#L8

BTW: this makes your application vulnerable to SQL injection:

$report = SaeReport::findFirst('id = '.$report_id);

It must be changed to:

$report = SaeReport::findFirstById($report_id);


17.2k
edited Oct '14

Would it also be acceptable to do

$report = SaeReport::findFirst('id = '.$this->request->getPost('id','int'));

?



84.0k
edited Oct '14

$this->request->getPost('id','int') would sanitize the input, allowing only integer digits/characters; note that depending on the input this might not produce a valid integer:

$f = new Phalcon\Filter;
echo $f->sanitize('ksld091209j210jdkd1-dksl;dks-dq.d.d.dkdkdskd022020101010101101ekkdkdd', 'int');

Produces

0912092101--022020101010101101

Which means:

$report = SaeReport::findFirst('id = 0912092101--022020101010101101');

This could return an unexpected record, and it's also not PHQL-friendly: http://docs.phalconphp.com/en/latest/reference/models-cache.html#caching-of-phql-planning



17.2k

OK so then how would I accomplish something like this:

$report = SaeReport::findFirst('param1 = '.$param1.' AND param2 = '.$param2');

While still properly handling SQL injections?



84.0k
edited Oct '14

Using bound parameters:

$report = SaeReport::findFirst(['param1 = ?0 AND param2 = ?1', 'bind' => [$param1, $param2]]);

http://docs.phalconphp.com/en/latest/reference/models.html#binding-parameters
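As an added illustration of the two points made in this thread (the sanitize-vs-validate problem with getPost('id','int') and the bound-parameter fix), here is a controller that puts the vulnerable lookup from the question beside the safe variants. This is example code written for this page, not code from the thread's participants or from Phalcon itself; it assumes a Phalcon model SaeReport with an integer primary key id and columns param1 (integer) and param2 (string), and the controller name, action names and the exception are made up for the illustration.

```php
<?php
// Added example, not from the original thread. Assumes a Phalcon model
// SaeReport with an integer primary key `id` and columns param1/param2;
// ReportController and its action names are hypothetical.

use Phalcon\Db\Column;
use Phalcon\Mvc\Controller;

class ReportController extends Controller
{
    // VULNERABLE (as posted in the question): $report_id is concatenated into
    // the PHQL string, so a value such as "1 OR 1=1" becomes part of the query
    // instead of being treated as data.
    public function unsafeAction($report_id)
    {
        return SaeReport::findFirst('id = ' . $report_id);
    }

    // SAFE: the magic finder findFirstBy<Column>() builds the condition with a
    // bound parameter for you, as the first answer recommends.
    public function byIdAction($report_id)
    {
        return SaeReport::findFirstById($report_id);
    }

    // SAFE: explicit positional bound parameters for the two-column lookup from
    // the thread, with bind types so the driver knows how to quote each value.
    public function twoParamsAction($param1, $param2)
    {
        return SaeReport::findFirst([
            'conditions' => 'param1 = ?0 AND param2 = ?1',
            'bind'       => [$param1, $param2],
            'bindTypes'  => [Column::BIND_PARAM_INT, Column::BIND_PARAM_STR],
        ]);
    }

    // Validate rather than sanitize: getPost('id', 'int') only strips
    // characters, so garbage input yields strings like "0912092101--0220...".
    // FILTER_VALIDATE_INT rejects anything that is not a whole integer, and
    // the lookup itself still uses a named bound parameter.
    public function viewAction()
    {
        $id = filter_var(
            $this->request->getPost('id'),
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($id === false) {
            // Hypothetical error handling; the thread does not show any.
            throw new \InvalidArgumentException('id must be a positive integer');
        }

        $report = SaeReport::findFirst([
            'conditions' => 'id = :id:',
            'bind'       => ['id' => $id],
            'bindTypes'  => ['id' => Column::BIND_PARAM_INT],
        ]);

        $this->view->report = $report;
    }
}
```

The rule of thumb the example follows: sanitizing is for producing a displayable value, validating is for deciding whether a value is acceptable at all, and neither replaces binding the value into the query.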



17.2k

OK so that solves my SQL injection, but what you are telling me is that there is no way to render a form element so that its contents cannot be edited?