Cleaning up SMARTY data

DylanButler · 05-21-2007, 11:17 AM

RESOLVED

**Eric** · 05-21-2007, 01:03 PM

Quote:

Originally Posted by DylanButler

Hi,
I am building a 'comment section' for my music video web site. It uses SMARTY display templates and I need to clean up the data returned from the DB before parsing it to HTML.

Here is my insert code:

Code:

$name = addslashes($name);
$message = addslashes($message);
$query = mysql_query("INSERT INTO comments (name, message, item_id, date_added) values ('$name', '$message', $item_id, '$date')") or die('Could not insert');

item.php:

Code:

$comments =& DBI::getAll(
    'SELECT c.name, c.message, c.date_added ' .
    'FROM comments c ' .
    'WHERE c.item_id = ' . DBI::quote($id)
    );

Template::set('comments', $comments);

//Tried this and does not work.
Template::set('comments.name', stripslashes($comments['name']));

and the display template:

Code:

{foreach from=$comments item=comment}
<div class="comment">
Name: {$comment.name}<br />
Message: {$comment.message}<br />
<small>Posted on: {$comment.date_added}</small>
</div>
{/foreach}

Is there a way to clean up $comment.name and $comment.message? Do I have to do it from inside the loop? I can't figure out how to make PHP run in the display template.

EDIT: Also, how can I strip out malicious code in both fields? Thanks!

Help Appreciated

You could try this, as your template code:

Code:

{foreach from=$comments item=comment}
<div class="comment">
Name: {$comment.name|strip_tags|replace:'\\'':''}<br />
Message: {$comment.message|strip_tags|replace:'\\'':''}<br />
<small>Posted on: {$comment.date_added|strip_tags|replace:'\\'':''}</small>
</div>
{/foreach}

or...

PHP Code:

  $comments =& DBI::getAll(

    'SELECT c.name, c.message, c.date_added ' .

    'FROM comments c ' .

    'WHERE c.item_id = ' . DBI::quote($id)

    );

$comments = array_map('stripslashes', $comments);

 
Template::set('comments', $comments);

DylanButler · 05-21-2007, 01:14 PM

Quote:

Originally Posted by SecondVersion

You could try this, as your template code:

Code:

{foreach from=$comments item=comment}
<div class="comment">
Name: {$comment.name|strip_tags|replace:'\\'':''}<br />
Message: {$comment.message|strip_tags|replace:'\\'':''}<br />
<small>Posted on: {$comment.date_added|strip_tags|replace:'\\'':''}</small>
</div>
{/foreach}

or...

PHP Code:

  $comments =& DBI::getAll(

    'SELECT c.name, c.message, c.date_added ' .

    'FROM comments c ' .

    'WHERE c.item_id = ' . DBI::quote($id)

    );

$comments = array_map('stripslashes', $comments);

 
Template::set('comments', $comments);

Cool cool, but each doesn't quite work.

First one returns this error:
Fatal error: Smarty error: [in item.tpl line 83]: syntax error: unrecognized tag: $comment.name|strip_tags|replace:'\\'':'' (Smarty_Compiler.class.php, line 415) in Smarty.class.php on line 1084

Second one (I'd prefer to do it this way) returns the letter 'A' for all of the results for some reason.

Also, is there anything anyone recommends as far as inserting the data?

**Eric** · 05-21-2007, 01:24 PM

Ok, try this then

PHP Code:

   
function clean(&$value)

{

    if (is_array($value))

    {

        foreach ($value AS $key => $val)

        {

            if (is_string($val))

            {

                $value["$key"] = trim(stripslashes($val));

            }

            else if (is_array($val))

            {

                clean($value["$key"]);

            }

        }

    }

}

 
$comments =& DBI::getAll(

    'SELECT c.name, c.message, c.date_added ' .

    'FROM comments c ' .

    'WHERE c.item_id = ' . DBI::quote($id)

    );

clean($comments);

 
Template::set('comments', $comments);

Edit: also, I'd suggest using www.php.net/mysql_real_escape_string or www.php.net/mysql_escape_string over addslashes when inserting.

DylanButler · 05-21-2007, 01:53 PM

Nice! It worked thanks a lot Eric.

I threw in some strip_tags() in there and we are set.

--RESOLVED--

Dan · 05-21-2007, 02:08 PM

I've never used SMARTY or whatever it is, and so that seems kind of pointless to me. It looks like all it's doing is kind of putting code into an HTML file without using PHP. You might as well just use a PHP file and run the code, so it's more flexible. (I'm probably way off on that, but that's how it looks to me.)

I've tried using Django (Python) which uses template files. It seems like a cool idea, but it's easier for me in PHP to just use the dynamic code throughout the template.

abdussamad · 05-24-2007, 02:15 PM

Quote:

Originally Posted by Dan

I've never used SMARTY or whatever it is, and so that seems kind of pointless to me. It looks like all it's doing is kind of putting code into an HTML file without using PHP. You might as well just use a PHP file and run the code, so it's more flexible. (I'm probably way off on that, but that's how it looks to me.)

I've tried using Django (Python) which uses template files. It seems like a cool idea, but it's easier for me in PHP to just use the dynamic code throughout the template.

Smarty is easier for non-coders aka designers to learn. The syntax is less strict and it its also more forgiving of mistakes. For example you don't need to end every line with a semi colon and if you refer to a variable that doesn't exist smarty won't choke.

The other advantage is that it allows you to separate the programming logic from the presentation. If you're using PHP for your templates you're allowing each and every designer access to your core code.

The disadvantage, as you pointed out, is that it is harder for the programmer to integrate smarty into his script.

05-21-2007, 11:17 AM	#1 (permalink)
DylanButler NamePros Regular Join Date: Jan 2006 Location: San Diego, CA Posts: 704 0.00 NP$ (Donate)	Cleaning up SMARTY data RESOLVED __________________ :great: -Dylan Butler EXAMP - San Diego Web Design Last edited by DylanButler; 05-21-2007 at 01:53 PM.

05-21-2007, 01:24 PM	#4 (permalink)
Eric NPQ's PA, Slave, and On Call Coder Technical Services Join Date: Mar 2005 Posts: 4,545 0.71 NP$ (Donate)	Ok, try this then PHP Code: function clean(&$value) { if (is_array($value)) { foreach ($value AS $key => $val) { if (is_string($val)) { $value["$key"] = trim(stripslashes($val)); } else if (is_array($val)) { clean($value["$key"]); } } } } $comments =& DBI::getAll( 'SELECT c.name, c.message, c.date_added ' . 'FROM comments c ' . 'WHERE c.item_id = ' . DBI::quote($id) ); clean($comments); Template::set('comments', $comments); Edit: also, I'd suggest using www.php.net/mysql_real_escape_string or www.php.net/mysql_escape_string over addslashes when inserting. __________________

05-21-2007, 01:53 PM	#5 (permalink)
DylanButler NamePros Regular Join Date: Jan 2006 Location: San Diego, CA Posts: 704 0.00 NP$ (Donate)	Nice! It worked thanks a lot Eric. I threw in some strip_tags() in there and we are set. --RESOLVED-- __________________ :great: -Dylan Butler EXAMP - San Diego Web Design

05-21-2007, 02:08 PM	#6 (permalink)
Dan Buy my domains. Join Date: Feb 2006 Posts: 2,801 56.00 NP$ (Donate)	I've never used SMARTY or whatever it is, and so that seems kind of pointless to me. It looks like all it's doing is kind of putting code into an HTML file without using PHP. You might as well just use a PHP file and run the code, so it's more flexible. (I'm probably way off on that, but that's how it looks to me.) I've tried using Django (Python) which uses template files. It seems like a cool idea, but it's easier for me in PHP to just use the dynamic code throughout the template.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Technical Services

Technical Services