Field Type list (select) in pageView.php

8 posts by 2 authors in: Forums > CMS Builder
Last Post: February 19, 2008

By Djulia - February 18, 2008

Hi,

I encounter a problem creating a Menu Select.

In the editor, I created a field of the list type.
Now, I would like to obtain in productsList.php, not a value of the list, but the list with the select format.

<select name="option">
<option value="White" selected>White</option>
<option value="Grey">Grey</option>
<option value="Black">Black</option>
<option value="Green">Green</option>
<option value="Red">Red</option>
<option value="Blue">Blue</option>
</select>




Does somebody have an idea ?

Thank you for your assistance.

Djulia

Re: [Djulia] Field Type list (select) in pageView.php

By Dave - February 18, 2008

This isn't directly supported by the program. But here's some custom code that might do what you want:

<?php
// Load the list options for this field from the table's schema
$tablename = $options['tableName'];
$fieldname = 'yourFieldName';
$schema = loadSchema($tablename);
$fieldSchema = $schema[$fieldname];
$fieldOptions = getListOptionsFromSchema($fieldSchema);

foreach ($fieldOptions as $valueAndLabel) {
  list($value, $label) = $valueAndLabel;
  // ENT_QUOTES also encodes single quotes, which the single-quoted value='...' attribute needs
  $encodedValue = htmlspecialchars($value, ENT_QUOTES);
  $encodedLabel = htmlspecialchars($label, ENT_QUOTES);
  print "<option value='$encodedValue'>$encodedLabel</option>\n";
}
?>


Let me know if that works for you.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Field Type list (select) in pageView.php

By Djulia - February 18, 2008 - edited: February 18, 2008

Great ! Thank you Dave. [:)]

Do you think it is possible to add a condition to insert selected?

For example, on my search page, I would like to preserve the value entered by the user.

if myFieldName eq value == selected="selected"

<form method="get" action="search.php">
<input type="text" name="..." value="..." size="15">

<select name="<?php echo $record['myFieldName'] ?>">
<option value='White'>White</option>
<option value='Grey'>Grey</option>
<option value='Black'>Black</option>
<option value='Green'>Green</option>
<option value='Red' selected="selected">Red</option>
<option value='Blue'>Blue</option>
</select>

<input type="submit" name="Search" value="Search">
</form>



That seems difficult to obtain.

Thank you for your assistance.

Djulia

Re: [Djulia] Field Type list (select) in pageView.php

By Dave - February 18, 2008

Sure, you need to have the 'value' of the previously selected option. I know you know a little PHP so I'll just pretend you have that in $selectedValue (let me know if you need more help with that part). Add this code to set it to be selected.

<?php
$selectedValue = "set this yourself";
$tablename = $options['tableName'];
$fieldname = 'yourFieldName';
$schema = loadSchema($tablename);
$fieldSchema = $schema[$fieldname];
$fieldOptions = getListOptionsFromSchema($fieldSchema);

foreach ($fieldOptions as $valueAndLabel) {
  list($value, $label) = $valueAndLabel;
  // Compare the raw values; encoding happens only when printing
  $isSelected = $value == $selectedValue;
  $selectedAttr = $isSelected ? "selected='selected'" : '';

  // ENT_QUOTES also encodes single quotes, which the single-quoted value='...' attribute needs
  $encodedValue = htmlspecialchars($value, ENT_QUOTES);
  $encodedLabel = htmlspecialchars($label, ENT_QUOTES);
  print "<option value='$encodedValue' $selectedAttr>$encodedLabel</option>\n";
}
?>


The $isSelected line just checks to see if the current value is the same as the previously selected value. And the next line sets $selectedAttr to be blank or selected='selected' based on whether the value is selected or not.

Hope that makes sense. Let me know how it works out.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Field Type list (select) in pageView.php

By Djulia - February 19, 2008

Thank you Dave, [:)]

>> I know you know a little PHP
You overestimate me ! Your CMS is easy to use and I am helped by Google !

Your code gives the possibility of obtaining the value entered by default by the administrator.

I would also like to preserve the value on the search results page.

I obtain a result with the variable _POST.
But I believe that there is a security risk with this variable.

Is there another possibility?

<select name="<?php echo $record['on1'] ?>">
<?php

$selectedValue = $_POST['Color'];
$tablename = $options['tableName'];
$fieldname = 'os1';
$schema = loadSchema($tablename);
$fieldSchema = $schema[$fieldname];
$fieldOptions = getListOptionsFromSchema($fieldSchema);

foreach ($fieldOptions as $valueAndLabel) {
  list($value, $label) = $valueAndLabel;
  $isSelected = $value == htmlspecialchars($selectedValue);
  $selectedAttr = $isSelected ? "selected=\"selected\"" : '';
  $encodedValue = htmlspecialchars($value);
  $encodedLabel = htmlspecialchars($label);
  print "<option value=\"$encodedValue\" $selectedAttr>$encodedLabel</option>\n";
}
?>




Thank you for your assistance.

Djulia

Re: [Djulia] Field Type list (select) in pageView.php

By Dave - February 19, 2008

What you have looks good. So is it working now except for the security concern?

It's only a security risk if you're passing the data directly to a database or something like that. And in that case you need to escape it. I think you're ok here since you're just doing a search.

Let me know if you want more details about that.

Hope that helps!
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Field Type list (select) in pageView.php

By Djulia - February 19, 2008 - edited: February 19, 2008

Yes, your code functions perfectly, even with _POST. [:)]

That makes it possible to have an advanced search form.

I also found :

$selectedValue = htmlentities($_POST['Color'], ENT_QUOTES);

ENT_QUOTES seems interesting ?


>> And in that case you need to escape it.
You can explain ?

Thanks,


Djulia
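
An added example (not part of the original posts and not interactivetools code) of one way to handle the submitted value discussed above: accept it only if it is one of the list's own values, compare raw values strictly, and encode with ENT_QUOTES only when printing. The $fieldOptions array is a constructed stand-in for what getListOptionsFromSchema() returns, assumed here to be [value, label] pairs of strings; allowedSelection() and renderOptions() are hypothetical helper names.

```php
<?php
// Added example, not interactivetools code. $fieldOptions is a constructed
// stand-in for the [value, label] pairs used in the posts above.
$fieldOptions = [
    ['White', 'White'],
    ['Grey',  'Grey'],
    ["Red'n'Black", 'Red & Black'],   // constructed: contains quotes and &
];

/**
 * Return the submitted value only if it is one of the list's own values.
 * A missing key, an array, or an unknown string all yield null.
 */
function allowedSelection(array $fieldOptions, $submitted): ?string
{
    if (!is_string($submitted)) {
        return null;
    }
    foreach ($fieldOptions as [$value]) {
        if ($value === $submitted) {      // strict, raw-to-raw comparison
            return $value;
        }
    }
    return null;
}

function renderOptions(array $fieldOptions, ?string $selected): string
{
    $html = '';
    foreach ($fieldOptions as [$value, $label]) {
        // Encode at output time only; ENT_QUOTES covers both ' and ".
        $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        $l = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
        $attr = ($value === $selected) ? ' selected="selected"' : '';
        $html .= "<option value=\"$v\"$attr>$l</option>\n";
    }
    return $html;
}

// Constructed request values standing in for $_POST['Color'] ?? null.
$samples = ["Red'n'Black", 'Grey', '"><b>not-an-option</b>', null];
foreach ($samples as $submitted) {
    $selected = allowedSelection($fieldOptions, $submitted);
    echo "<select name=\"Color\">\n", renderOptions($fieldOptions, $selected), "</select>\n\n";
}
```

Because the request value is only ever compared and never printed, the third sample selects nothing and none of its markup reaches the page.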

Re: [Djulia] Field Type list (select) in pageView.php

By Dave - February 19, 2008

>> And in that case you need to escape it.
>You can explain ?

Sure, it's mostly just for MySQL queries. Basically, when passing user input to MySQL you want to pass it through a function that will "escape" quotes. This makes ' into \'. That way MySQL knows that it's all part of the same text and not other SQL commands that should be interpreted. You don't want random website visitors being able to run SQL commands.

We have a command for this called escapeMysqlString(). So you could say:

$keyword = escapeMysqlString( $_GET['keyword'] );
$where = "myfield = '$keyword'";

And you would be fine. It only applies when passing things to MySQL such as when you define the WHERE or ORDER BY parts.

For more reading google for "SQL injection attack".
http://www.google.com/search?q=sql+injection+attack

Hope that makes sense.
Dave Edis - Senior Developer
interactivetools.com
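
An added example (not from the original thread and not interactivetools code) contrasting a WHERE clause built by string concatenation with a prepared statement, and showing an allow-list for ORDER BY, where quote escaping does not apply. It uses PDO with an in-memory SQLite database instead of MySQL so it runs offline; the products table, its rows and the request values are constructed.

```php
<?php
// Added example; table, rows and inputs are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, color TEXT)");
$db->exec("INSERT INTO products (name, color) VALUES
           ('Mug', 'Red'), ('Plate', 'Blue'), ('Bowl', 'Grey')");

// Constructed stand-ins for $_GET['keyword'] and $_GET['sort'].
$keyword = "Red' OR '1'='1";
$sort    = 'name';

// Unsafe: the quote in $keyword ends the string literal, so the rest of
// the input is parsed as SQL and the colour filter no longer applies.
$unsafe = $db->query("SELECT name FROM products WHERE color = '$keyword'")
             ->fetchAll(PDO::FETCH_COLUMN);

// ORDER BY takes a column name, not a quoted string, so neither escaping
// nor a placeholder protects it; map the input onto a fixed list instead.
$sortable = ['name' => 'name', 'color' => 'color'];
$orderBy  = (is_string($sort) && isset($sortable[$sort])) ? $sortable[$sort] : 'id';

// Safe: the value is bound separately and never becomes part of the SQL text.
$stmt = $db->prepare("SELECT name FROM products WHERE color = ? ORDER BY $orderBy");
$stmt->execute([$keyword]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("concatenated query matched %d rows\n", count($unsafe));
printf("prepared statement matched %d rows\n", count($safe));
```

The concatenated query returns every row in the table, while the prepared statement looks for a colour literally named `Red' OR '1'='1` and returns none.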