Textpattern CMS support forum
#31 2019-12-22 20:58:38
- jakob
- Admin
- From: Germany
- Registered: 2005-01-20
- Posts: 4,033
- Website
Re: custom field value as a variable for link and category name
etc wrote #320659:
If you manage to somehow insert %one% and %two% into URL, this could work provided they don’t make part of longer values.
Thanks! That was a good tip.
I understand I could get false matches when the query string happens to occur in two possible values in the same multi-item value, but for this site I seem to get identical results to the existing/old site using gerhard’s old plugin (probably because the query strings are relatively long and dissimilar).
With match alone, I didn’t get the desired results, but with match AND the additional specification of the match value surrounded by added % gives me good results. This is what I have:
<txp:variable name="this_project_type"><txp:page_url type="project_type" /></txp:variable>
<txp:variable name="this_project_clientele"><txp:page_url type="project_clientele" /></txp:variable>
<txp:variable name="this_project_form"><txp:page_url type="project_form" /></txp:variable>
...
<txp:article limit="100" form="project_profile" listform="project_list"
match="project_type,project_clientele,project_form"
project_type='%<txp:variable name="this_project_type" />%'
project_clientele='%<txp:variable name="this_project_clientele" />%'
project_form='%<txp:variable name="this_project_form" />%' />
This avoids having to add %-chars into the url query. It also seems to play well with query strings that have a %-sign in them, i.e. an encoded slash or space. Is it perhaps wiser to urldecode those?
One more question: is this setup safe security-wise?
(At present I’m not filtering by combinations of these, so haven’t had to apply them together).
TXP Builders – finely-crafted code, design and txp
Offline
#32 2019-12-22 21:26:02
- etc
- Developer
- Registered: 2010-11-11
- Posts: 4,066
- Website
Re: custom field value as a variable for link and category name
jakob wrote #320661:
With match alone, I didn’t get the desired results, but with match AND the additional specification of the match value surrounded by added % gives me good results.
Then enclosing URL values in % should work too?
This is what I have:
<txp:variable name="this_project_type"><txp:page_url type="project_type" /></txp:variable>...
There is no real need to store <txp:page_url /> in <txp:variable />, unless you need to test its value – it’s not any faster. You also don’t need to add these cf to match since you set them explicitly.
This avoids having to add %-chars into the url query. It also seems to play well with query strings that have a %-sign in them, i.e. an encoded slash or space. Is it perhaps wiser to urldecode those?
A numeric value preceded by % in URL will be urldecoded, so yes, this makes adding % to the query hazardous. On the other hand, <txp:page_url /> HTML-escapes its output by default which could be problematic if URL values contain <,>,',". You might want to add escape="" to <txp:page_url /> passed to cf.
One more question: is this setup safe security-wise?
All values inserted into db queries internally are sanitized, so it should be ok as long as you don’t output/insert them yourself.
Offline
#33 2019-12-22 21:38:22
- jakob
- Admin
- From: Germany
- Registered: 2005-01-20
- Posts: 4,033
- Website
Re: custom field value as a variable for link and category name
etc wrote #320662:
Then enclosing URL values in % should work too?
Yes, it did! Then match without explicit values would work too as you say, but I got %-signs in my headings (which I could strip out I suppose).
There is no real need to store <txp:page_url /> in <txp:variable />
I had done that already to use them for headings and to make the selected states of the select drop-downs.
You also don’t need to add these cf to match since you set them explicitly.
I found that it worked just with match as you had suggested. If I used explicit values without specifying match but without the %-signs (i.e. if I didn’t happen to have multi-item values) I didn’t get the right matches. The custom fields that were empty resulted in combo-queries rather than ignoring them. With the %-signs it works again (I guess because when a custom field is not set, you end up with custom_field="%%" which is a general match).
A numeric value preceded by % in URL will be urldecoded, so yes, this makes adding % to the query hazardous.
I guessed that was probably the reason why it worked.
On the other hand, <txp:page_url /> HTML-escapes its output by default which could be problematic if URL values contain <,>,',". You might want to add escape="" to <txp:page_url /> passed to cf.
I don’t have those at present, but that would be a good idea.
All values inserted into db queries internally are sanitized, so it should be ok as long as you don’t output/insert them yourself.
Excellent. I thought so too, but wanted to be sure :-)
TXP Builders – finely-crafted code, design and txp
Offline
#34 2019-12-22 21:51:23
- etc
- Developer
- Registered: 2010-11-11
- Posts: 4,066
- Website
Re: custom field value as a variable for link and category name
jakob wrote #320663:
The custom fields that were empty resulted in combo-queries rather than ignoring them.
Yes, if a cf is set (even empty) in URL, it will be taken into account. If they come from, say, <select /> combo, the ‘empty’ value should be represented by %.
We have yet time to tweak it before 4.8 release. A possible fix is allowing % in match attribute: match="%cf" could be transformed into
cf LIKE '%cf_value'
Offline
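The matching behaviour discussed in this thread (bound values are safe from injection, yet a % from the URL, an empty value and substring hits still change which rows match), as an added example that is not part of any post and is not Textpattern's code. It uses Python's sqlite3 as a stand-in database; the table, the sample rows, the comma-separated item format and the helper names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: comma-separated multi-item custom field values.
ROWS = [
    (1, "housing,school"),
    (2, "boarding-school"),
    (3, "office"),
    (4, "100%_timber,housing"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, project_type TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)", ROWS)
    return db

def escape_like(value, esc="\\"):
    """Make %, _ and the escape char literal inside a LIKE pattern."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def naive_match(db, value):
    """'%value%' with a bound parameter: injection-safe, but a substring match."""
    sql = "SELECT id FROM articles WHERE project_type LIKE ? ORDER BY id"
    return [r[0] for r in db.execute(sql, ("%" + value + "%",))]

def item_match(db, value):
    """Match one whole item of the list; an empty value means 'no filter'."""
    if value == "":
        return None  # caller skips this field instead of querying with '%%'
    sql = ("SELECT id FROM articles "
           "WHERE ',' || project_type || ',' LIKE ? ESCAPE '\\' ORDER BY id")
    return [r[0] for r in db.execute(sql, ("%," + escape_like(value) + ",%",))]

if __name__ == "__main__":
    db = make_db()
    print(naive_match(db, "school"))      # substring: also hits boarding-school
    print(item_match(db, "school"))       # whole item only
    print(naive_match(db, ""))            # '%%' matches every row
    print(naive_match(db, "%"))           # a wildcard from the URL matches every row
    print(item_match(db, "100%_timber"))  # % and _ treated as literal characters
```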