Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#31 2019-12-22 20:58:38
- jakob
- Admin
- From: Germany
- Registered: 2005-01-20
- Posts: 3,937
- Website
Re: custom field value as a variable for link and category name
etc wrote #320659:
If you manage to somehow insert
%one%and%two%into URL, this could work provided they don’t make part of longer values.
Thanks! That was a good tip.
I understand I could get false matches when the query string happens to occur in two possible values in the same multi-item value, but for this site I seem to get identical results to the existing/old site using gerhard’s old plugin (probably because the query strings are relatively long and dissimilar).
With match alone, I didn’t get the desired results, but with match AND the additional specification of the match value surrounded by added % gives me good results. This is what I have:
<txp:variable name="this_project_type"><txp:page_url type="project_type" /></txp:variable>
<txp:variable name="this_project_clientele"><txp:page_url type="project_clientele" /></txp:variable>
<txp:variable name="this_project_form"><txp:page_url type="project_form" /></txp:variable>
...
<txp:article limit="100" form="project_profile" listform="project_list"
match="project_type,project_clientele,project_form"
project_type='%<txp:variable name="this_project_type" />%'
project_clientele='%<txp:variable name="this_project_clientele" />%'
project_form='%<txp:variable name="this_project_form" />%' />This avoids having to add %-chars into the url query. It also seems to play well with query strings that have a %-sign in them, i.e. an encoded slash or space. Is it perhaps wiser to urldecode those?
One more question: is this setup safe security-wise?
(At present I’m not filtering by combinations of these, so haven’t had to apply them together).
TXP Builders – finely-crafted code, design and txp
Offline
#32 2019-12-22 21:26:02
- etc
- Developer
- Registered: 2010-11-11
- Posts: 3,873
- Website
Re: custom field value as a variable for link and category name
jakob wrote #320661:
With
matchalone, I didn’t get the desired results, but withmatchAND the additional specification of the match value surrounded by added%gives me good results.
Then enclosing URL values in % should work too?
This is what I have:
<txp:variable name="this_project_type"><txp:page_url type="project_type" /></txp:variable>...
There is no real need to store <txp:page_url /> in <txp:variable />, unless you need to test its value – it’s not any faster. You also don’t need to add these cf to match since you set them explicitly.
This avoids having to add
%-chars into the url query. It also seems to play well with query strings that have a %-sign in them, i.e. an encoded slash or space. Is it perhaps wiser tourldecodethose?
A numeric value preceded by % in URL will be urldecoded, so yes, this makes adding % to the query hazardous. On the other hand, <txp:page_url /> HTML-escapes its output by default which could be problematic if URL values contain <,>,',". You might want to add escape="" to <txp:page_url /> passed to cf.
One more question: is this setup safe security-wise?
All values inserted into db queries internally are sanitized, so it should be ok as long as you don’t output/insert them yourself.
Offline
#33 2019-12-22 21:38:22
- jakob
- Admin
- From: Germany
- Registered: 2005-01-20
- Posts: 3,937
- Website
Re: custom field value as a variable for link and category name
etc wrote #320662:
Then enclosing URL values in
%should work too?
Yes, it did! Then match without explicit values would work too as you say, but I got %-signs in my headings (which I could strip out I suppose).
There is no real need to store
<txp:page_url />in<txp:variable />
I had done that already to use them for headings and to make the selected states of the select drop-downs.
You also don’t need to add these cf to
matchsince you set them explicitly.
I found that it worked just with match as you had suggested. If I used explicit values without specifying match but without the %-signs (i.e. if I didn’t happen to have multi-item values) I didn’t get the right matches. The custom fields that were empty resulted in combo-queries rather than ignoring them. With the %-signs it works again (I guess because when a custom field is not set, you end up with custom_field="%%" which is a general match).
A numeric value preceded by
%in URL will be urldecoded, so yes, this makes adding%to the query hazardous.
I guessed that was probably the reason why it worked.
On the other hand,
<txp:page_url />HTML-escapes its output by default which could be problematic if URL values contain<,>,',". You might want to addescape=""to<txp:page_url />passed to cf.
I don’t have those at present, but that would be a good idea.
All values inserted into db queries internally are sanitized, so it should be ok as long as you don’t output/insert them yourself.
Excellent. I thought so too, but wanted to be sure :-)
TXP Builders – finely-crafted code, design and txp
Offline
#34 2019-12-22 21:51:23
- etc
- Developer
- Registered: 2010-11-11
- Posts: 3,873
- Website
Re: custom field value as a variable for link and category name
jakob wrote #320663:
The custom fields that were empty resulted in combo-queries rather than ignoring them.
Yes, if a cf is set (even empty) in URL, it will be taken into account. If they come from, say, <select /> combo, the ‘empty’ value should be represented by %.
We have yet time to tweak it before 4.8 release. A possible fix is allowing % in match attribute: match="%cf" could be transformed in
cf LIKE '%cf_value'Offline