From controller:
public function viewAction($id,$report_id){
$report = SaeReport::findFirst('id = '.$report_id);
$form = new SAEReportForm($report,array('id'=>$id));
$this->view->form = $form;
}in the view.volt, when I call form.render() is there a way at runtime to specify that I want the form element to be disabled, IE not changeable? I've tried
{{form.render('name',array('disabled'=>true))}}
but that doesn't work...
form.render only renders elements. You have to write the form using a form helper: https://github.com/phalcon/invo/blob/master/app/views/products/index.volt#L8
BTW: This makes your application vulnerable to SQL injections:
$report = SaeReport::findFirst('id = '.$report_id);It must be changed to:
$report = SaeReport::findFirstById($report_id);Would it also be acceptable to do
$report = SaeReport::findFirst('id = '.$this->request->getPost('id','int'));?
$this->request->getPost('id','int') would sanitize the input to allow integer digits numbers/characters, note that depending on the input this might not produce valid integers:
$f = new Phalcon\Filter;
echo $f->sanitize('ksld091209j210jdkd1-dksl;dks-dq.d.d.dkdkdskd022020101010101101ekkdkdd', 'int');Produces
0912092101--022020101010101101Which means:
$report = SaeReport::findFirst('id = 0912092101--022020101010101101');This would return any unexpected record and it's also not PHQL friendly: https://docs.phalcon.io/en/latest/reference/models-cache.html#caching-of-phql-planning
OK so then how would I accomplish something like this:
$report = SaeReport::findFirst('param1 = '.$param1.' AND param2 = '.$param2');While still properly handling SQL injections?
Using bound parameters:
$report = SaeReport::findFirst(['param1 = ?0 AND param2 = ?1', 'bind' => [$param1, $param2]]);https://docs.phalcon.io/en/latest/reference/models.html#binding-parameters
OK so that solves my SQL injection, but what you are telling me is that there is no way to render a form element so that its contents cannot be edited?