FUDforum: comp.lang.php » Dynamic form generation

Home » Imported messages » comp.lang.php » Dynamic form generation

Show: Today's Messages :: Polls :: Message Navigator

Re: Dynamic form generation [message #177861 is a reply to message #177834]

Tue, 24 April 2012 09:10

Thomas 'PointedEars'
Messages: 701
Registered: October 2010

Karma:

Senior Member

Tony Marston wrote:

> "Thomas 'PointedEars' Lahn" <PointedEars(at)web(dot)de> wrote in message
> news:16487873(dot)YAfrjsNhc7(at)PointedEars(dot)de...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Please don't, see below.

>> Tony Marston wrote:
>>> "Jerry Stuckle" wrote:
>>>> On 4/18/2012 4:33 AM, Tony Marston wrote:
>>>> >> If a framework attempts to be "all things to all people", then that's
>>>> >> quite true. But the same is true of *any* code.
>>>> >>
>>>> >> However, a limited framework with limited goals doesn't necessarily
>>>> >> have to be the case.
>>>> >>
>>>> >> For instance, in my case - I have a framework which builds PHP
>>>> >> classes to interface to a database. It generates a lot of usable code
>>>> >> for those classes, including form handling.
>>>> >
>>>> > So you framework generates "a lot" of code, does it? My framework
>>>> > generates very small amounts of code which call shared functions or
>>>> > which inherit code from abstract classes.
>>>>
>>>> Yup, for instance, it generates all the set and get methods for the
>>>> applicable class, as well as database access code (insert/update/delete
>>>> for single rows and single rows and lists of multiple rows for SELECT).
>>>> (Most of the access code is in parent classes).
>>>
>>> My framework does not bother generating set and get methods as they are
>>> inefficient. Data goes in and comes out as an array.
>>
>> This means that you perform no type conversion or checking, or range
>> checking in the application, yes?
>
> Incorrect.

It is a yes-or-no question, therefore it cannot be incorrect.

> If my ADD controller contains the line $result => $dbobject-
> insertRecord($_POST); then the entire $_POST array is passed to
> that object. I do not have to break it down into its compnent parts and
> inject each component individually. The contents of the array is then
> validated by the framework to ensure that all columns maked as NOT NULL
> are not empty, all date fields are dates, all numeric fields are numbers
> and within range, et cetera. […]
> Just because I say that the programmer does not have to write code does
> not mean that the data is never validated. It always is, but as an
> automatic function of thre framework.

I see. How do you account for data types in the array that are not provided
by the respective database engine?

>> Setters and getters maybe are less
>> efficient than direct access, but they can provide that functionality.
>> They
>> also provide transparent access to the data model (i. e., if either your
>> requests or your database change, you do not have to change the request
>> for
>> the database or the database for the request; you just change the mapping
>> code). Using arrays does not exclude the possibility for using setters
>> and
>> getters or vice-versa, as setters and getters can be called implicitly,
>> such
>> as from a constructor.

Your quoting (not corrected here for once) sucks big time. The options you
have now are to learn to work around the shortcomings of your newsreader,
use a working one, or be ignored.

<http://insideoe.com/>

> Just because a lot of OOP tutorials show the use of getters and setters
> does not mean that I *HAVE* to use them.

No, it means that this is strong indication that there are good reasons that
you SHOULD use them (I leave it to you to find out what those reasons are;
this newsgroup is not OOP 101). Especially as PHP (by contrast to Java, for
example) provides convenient transparent access to non-public properties
with the __set() and __get() magic methods.

> I don't see why I should pass in a collection of values using multiple
> setters when I can achieve the same result by passing in the entire
> collection as a single array variable.

That is a false dichotomy, as I have explained already.

>> In the MVC-based framework I have written for my latest research, the
>> parent
>> abstract `AbstractModel' class has an inherited public map() method that
>> can
>> be passed an associative array (such as from a query result) and maps
>> array
>> elements to object properties such that either all, only the specified or
>> not the specified elements in the passed array are mapped.
>
> My database table objects do not have a separate property for each column
> within that table, so I don't need getters and setters for each column.

But in MVC, models are not data access objects.

>>>> It also generates the code necessary to validate a field. Some stock
>>>> fields (like "must be integer") have predefined validation functions.
>>> My framework does not generate any code to perform basic field
>>> validation as that is performed by a validation class which I wrote
>>> years ago.
>> So that validation class has become part of the framework, has it not?
>
> Absolutely correct.

(See above.)

So your argument that the validation class is not part of your framework is
effectively void.

>>>> It also has a function to populate the object from $_GET or $_POST
>>>> values
>>>> (with validation).
>>> I don't need a whole function to do that when a single line will do:-
>>> $result = $object->insertRecord($_POST);
>>> This means that the same line will work on any object regardless of
>>> which class it came from. That is what polymorphism is all about.
>> It also means that your HTTP POST requests are inherently bound to the
>> structure of the database (table), does it not?
>
> Why? The $_POST array is simply an associative array, and the only thing
> it is "bound" to is the HTML form which generated it. If the $_POST array
> contains any field names which do not exist in the database table then
> those fields simply will not appear in the sql query which is generated.

AIUI, the keys of the elements of the $_POST array must match that of the
field names in the database as far as they exist in the database then.
Therefore, if you have to change the application logic or if you have to
change the database, you have to change the other part.

Moreover, if at some point you do _not_ want to update a field, but the
$_POST array contains an element with a key matching a field, that field
will be updated anyway. An attacker could use that vulnerability to
manipulate your database through the application in ways that you cannot
conceive yet.

This approach also does not appear to account for the possibility that with
one request several tables need to be updated. Apropos, how you do
implement queries across several tables (JOINs) with your framework?

--
PointedEars

Report message to a moderator

[Message index]

		Dynamic form generation By: Charles on Thu, 12 April 2012 03:48
		Re: Dynamic form generation By: Jerry Stuckle on Thu, 12 April 2012 04:03
		Re: Dynamic form generation By: The Natural Philosoph on Thu, 12 April 2012 04:46
		Re: Dynamic form generation By: Michael Vilain on Thu, 12 April 2012 04:52
		Re: Dynamic form generation By: Denis McMahon on Thu, 12 April 2012 12:42
		Re: Dynamic form generation By: Charles on Fri, 13 April 2012 03:43
		Re: Dynamic form generation By: Michael Vilain on Fri, 13 April 2012 04:55
		Re: Dynamic form generation By: Denis McMahon on Fri, 13 April 2012 13:19
		Re: Dynamic form generation By: Tony Marston on Fri, 13 April 2012 08:59
		Re: Dynamic form generation By: Denis McMahon on Fri, 13 April 2012 13:22
		Re: Dynamic form generation By: Thomas 'PointedEars' on Tue, 17 April 2012 12:49
		Re: Dynamic form generation By: Jerry Stuckle on Tue, 17 April 2012 15:36
		Re: Dynamic form generation By: Tony Marston on Wed, 18 April 2012 08:33
		Re: Dynamic form generation By: Jerry Stuckle on Wed, 18 April 2012 11:59
		Re: Dynamic form generation By: Tony Marston on Thu, 19 April 2012 08:56
		Re: Dynamic form generation By: Jerry Stuckle on Thu, 19 April 2012 12:29
		Re: Dynamic form generation By: Tony Marston on Fri, 20 April 2012 08:27
		Re: Dynamic form generation By: Jerry Stuckle on Fri, 20 April 2012 11:47
		Re: Dynamic form generation By: Tony Marston on Sat, 21 April 2012 11:22
		Re: Dynamic form generation By: Jerry Stuckle on Sat, 21 April 2012 14:19
		Re: Dynamic form generation By: Tony Marston on Sun, 22 April 2012 10:45
		Re: Dynamic form generation By: Jerry Stuckle on Sun, 22 April 2012 14:09
		Re: Dynamic form generation By: Tony Marston on Tue, 24 April 2012 17:21
		Re: Dynamic form generation By: Thomas 'PointedEars' on Tue, 24 April 2012 18:56
		Re: Dynamic form generation By: Tony Marston on Wed, 25 April 2012 08:23
		Re: Dynamic form generation By: Jerry Stuckle on Tue, 24 April 2012 20:20
		Re: Dynamic form generation By: Tony Marston on Wed, 25 April 2012 09:04
		Re: Dynamic form generation By: Jerry Stuckle on Wed, 25 April 2012 12:29
		Re: Dynamic form generation By: Tony Marston on Thu, 26 April 2012 11:45
		Re: Dynamic form generation By: Thomas 'PointedEars' on Sun, 22 April 2012 17:21
		Re: Dynamic form generation By: Tony Marston on Mon, 23 April 2012 12:50
		Re: Dynamic form generation By: Thomas 'PointedEars' on Tue, 24 April 2012 09:10
		Re: Dynamic form generation By: Tony Marston on Tue, 24 April 2012 16:11
		Re: Dynamic form generation By: Thomas 'PointedEars' on Tue, 24 April 2012 16:54
		Re: Dynamic form generation By: Tony Marston on Tue, 24 April 2012 17:55
		[OT] Was: Dynamic form generation By: Erwin Moller on Wed, 25 April 2012 11:22
		Re: [OT] Was: Dynamic form generation By: The Natural Philosoph on Wed, 25 April 2012 11:46
		Re: [OT] Was: Dynamic form generation By: Tony Marston on Thu, 26 April 2012 11:51
		Re: [OT] Was: Dynamic form generation By: Erwin Moller on Fri, 27 April 2012 08:26
		[OT] Yes-or-no questions (was: [OT] Was: Dynamic form generation) By: Thomas 'PointedEars' on Sat, 28 April 2012 05:56
		Re: Dynamic form generation By: Peter H. Coffin on Sat, 14 April 2012 13:53
		Re: Dynamic form generation By: Tony Marston on Sun, 15 April 2012 07:33
		Re: Dynamic form generation By: Jerry Stuckle on Sun, 15 April 2012 12:51
		Re: Dynamic form generation By: Tony Marston on Mon, 16 April 2012 08:31
		Re: Dynamic form generation By: Jerry Stuckle on Mon, 16 April 2012 12:33
		Re: Dynamic form generation By: Tony Marston on Mon, 16 April 2012 14:11
		Re: Dynamic form generation By: Jerry Stuckle on Mon, 16 April 2012 15:18
		Re: Dynamic form generation By: Tony Marston on Tue, 17 April 2012 08:18
		Re: Dynamic form generation By: Jerry Stuckle on Tue, 17 April 2012 10:07
		Re: Dynamic form generation By: Tony Marston on Wed, 18 April 2012 08:10
		Re: Dynamic form generation By: Jerry Stuckle on Wed, 18 April 2012 12:09
		Re: Dynamic form generation By: Tony Marston on Thu, 19 April 2012 08:27
		Re: Dynamic form generation By: Jerry Stuckle on Thu, 19 April 2012 12:41
		Re: Dynamic form generation By: Tony Marston on Fri, 20 April 2012 09:10
		Re: Dynamic form generation By: Jerry Stuckle on Fri, 20 April 2012 12:09
		Re: Dynamic form generation By: Tony Marston on Sat, 21 April 2012 09:35
		Re: Dynamic form generation By: Jerry Stuckle on Sat, 21 April 2012 10:21
		Re: Dynamic form generation By: Tony Marston on Sun, 22 April 2012 09:27
		Re: Dynamic form generation By: Jerry Stuckle on Sun, 22 April 2012 14:43
		Re: Dynamic form generation By: Tony Marston on Mon, 23 April 2012 14:23
		Re: Dynamic form generation By: Jerry Stuckle on Mon, 23 April 2012 16:24
		Re: Dynamic form generation By: Tony Marston on Thu, 26 April 2012 16:29
		Re: Dynamic form generation By: The Natural Philosoph on Mon, 23 April 2012 19:37
		What Jerry Stuckle thinks of PHP programmers By: Tony Marston on Mon, 23 April 2012 13:10
		Re: What Jerry Stuckle thinks of PHP programmers By: Paul Herber on Mon, 23 April 2012 13:22
		Re: What Jerry Stuckle thinks of PHP programmers By: M. Strobel on Mon, 23 April 2012 13:27
		Re: What Jerry Stuckle thinks of PHP programmers By: Jerry Stuckle on Mon, 23 April 2012 13:33
		Re: What Jerry Stuckle thinks of PHP programmers By: Tony Marston on Mon, 23 April 2012 14:26
		Re: What Jerry Stuckle thinks of PHP programmers By: Jerry Stuckle on Mon, 23 April 2012 16:25
		Re: What Jerry Stuckle thinks of PHP programmers By: Luuk on Mon, 23 April 2012 17:45
		Re: What Jerry Stuckle thinks of PHP programmers By: The Natural Philosoph on Mon, 23 April 2012 19:35
		Re: What Jerry Stuckle thinks of PHP programmers By: Thomas 'PointedEars' on Tue, 24 April 2012 17:45
		Re: What Jerry Stuckle thinks of PHP programmers By: Tony Marston on Sat, 28 April 2012 07:48
		Re: What Jerry Stuckle thinks of PHP programmers By: The Natural Philosoph on Sat, 28 April 2012 08:23
		Re: What Jerry Stuckle thinks of PHP programmers By: Jerry Stuckle on Sat, 28 April 2012 12:37
		Re: What Jerry Stuckle thinks of PHP programmers By: Thomas 'PointedEars' on Sat, 28 April 2012 12:46
		Re: What Jerry Stuckle thinks of PHP programmers By: The Natural Philosoph on Mon, 23 April 2012 19:31
		Re: What Jerry Stuckle thinks of PHP programmers By: Ross McKay on Tue, 24 April 2012 02:32
		Re: What Jerry Stuckle thinks of PHP programmers By: Tim Streater on Tue, 24 April 2012 18:32
		Re: What Jerry Stuckle thinks of PHP programmers By: Ross McKay on Wed, 25 April 2012 09:02
		Re: What Jerry Stuckle thinks of PHP programmers By: The Natural Philosoph on Wed, 25 April 2012 11:20
		Re: Dynamic form generation By: Thomas 'PointedEars' on Sun, 22 April 2012 21:59
		Re: Dynamic form generation By: Tony Marston on Mon, 23 April 2012 13:05
		Re: Dynamic form generation By: Jerry Stuckle on Mon, 23 April 2012 13:35
		Re: Dynamic form generation By: Thomas 'PointedEars' on Mon, 23 April 2012 13:41
		Re: Dynamic form generation By: The Natural Philosoph on Mon, 23 April 2012 19:39
		Re: Dynamic form generation By: Jerry Stuckle on Mon, 23 April 2012 13:47
		Re: Dynamic form generation By: Tony Marston on Wed, 25 April 2012 07:52
		Re: Dynamic form generation By: Jerry Stuckle on Wed, 25 April 2012 12:34
		Re: Dynamic form generation By: Tony Marston on Fri, 27 April 2012 08:52
		Re: Dynamic form generation By: Tony Marston on Fri, 27 April 2012 13:16
		Re: Dynamic form generation By: Tony Marston on Thu, 12 April 2012 09:52
		Re: Dynamic form generation By: Erwin Moller on Fri, 13 April 2012 09:39
		Re: Dynamic form generation By: Jonathan Stein on Fri, 13 April 2012 13:27

Previous Topic:	Data injection problems
Next Topic:	Do you want to develop PHP for the Web and make money

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Nov 22 19:45:54 GMT 2024

Total time taken to generate the page: 0.06560 seconds