Textpattern CMS support forum


#31 2019-12-22 20:58:38

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,662

Re: custom field value as a variable for link and category name

etc wrote #320659:

If you manage to somehow insert %one% and %two% into URL, this could work provided they don’t make part of longer values.

Thanks! That was a good tip.

I understand I could get false matches when the query string happens to occur in two possible values in the same multi-item value, but for this site I seem to get identical results to the existing/old site using gerhard’s old plugin (probably because the query strings are relatively long and dissimilar).

With match alone, I didn’t get the desired results, but with match AND the match value additionally specified, surrounded by added %-signs, I get good results. This is what I have:

<txp:variable name="this_project_type"><txp:page_url type="project_type" /></txp:variable>
<txp:variable name="this_project_clientele"><txp:page_url type="project_clientele" /></txp:variable>
<txp:variable name="this_project_form"><txp:page_url type="project_form" /></txp:variable>
...
<txp:article limit="100" form="project_profile" listform="project_list" 
             match="project_type,project_clientele,project_form" 
             project_type='%<txp:variable name="this_project_type" />%'
             project_clientele='%<txp:variable name="this_project_clientele" />%'
             project_form='%<txp:variable name="this_project_form" />%' />

This avoids having to add %-chars into the url query. It also seems to play well with query strings that have a %-sign in them, i.e. an encoded slash or space. Is it perhaps wiser to urldecode those?

One more question: is this setup safe security-wise?

(At present I’m not filtering by combinations of these, so haven’t had to apply them together).


TXP Builders – finely-crafted code, design and txp


#32 2019-12-22 21:26:02

etc
Developer
Registered: 2010-11-11
Posts: 3,530

Re: custom field value as a variable for link and category name

jakob wrote #320661:

With match alone, I didn’t get the desired results, but with match AND the additional specification of the match value surrounded by added % gives me good results.

Then enclosing URL values in % should work too?

This is what I have:

<txp:variable name="this_project_type"><txp:page_url type="project_type" /></txp:variable>...

There is no real need to store <txp:page_url /> in <txp:variable />, unless you need to test its value – it’s not any faster. You also don’t need to add these cf to match since you set them explicitly.

This avoids having to add %-chars into the url query. It also seems to play well with query strings that have a %-sign in them, i.e. an encoded slash or space. Is it perhaps wiser to urldecode those?

A numeric value preceded by % in URL will be urldecoded, so yes, this makes adding % to the query hazardous. On the other hand, <txp:page_url /> HTML-escapes its output by default, which could be problematic if URL values contain <, >, ' or ". You might want to add escape="" to the <txp:page_url /> passed to cf.

One more question: is this setup safe security-wise?

All values inserted into db queries internally are sanitized, so it should be ok as long as you don’t output/insert them yourself.


#33 2019-12-22 21:38:22

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,662

Re: custom field value as a variable for link and category name

etc wrote #320662:

Then enclosing URL values in % should work too?

Yes, it did! Then match without explicit values would work too as you say, but I got %-signs in my headings (which I could strip out I suppose).

There is no real need to store <txp:page_url /> in <txp:variable />

I had done that already to use them for headings and to make the selected states of the select drop-downs.

You also don’t need to add these cf to match since you set them explicitly.

I found that it worked just with match as you had suggested. If I used explicit values without specifying match but without the %-signs (i.e. if I didn’t happen to have multi-item values) I didn’t get the right matches. The custom fields that were empty resulted in combo-queries rather than ignoring them. With the %-signs it works again (I guess because when a custom field is not set, you end up with custom_field="%%" which is a general match).

A numeric value preceded by % in URL will be urldecoded, so yes, this makes adding % to the query hazardous.

I guessed that was probably the reason why it worked.

On the other hand, <txp:page_url /> HTML-escapes its output by default which could be problematic if URL values contain <,>,',". You might want to add escape="" to <txp:page_url /> passed to cf.

I don’t have those at present, but that would be a good idea.

All values inserted into db queries internally are sanitized, so it should be ok as long as you don’t output/insert them yourself.

Excellent. I thought so too, but wanted to be sure :-)


TXP Builders – finely-crafted code, design and txp


#34 2019-12-22 21:51:23

etc
Developer
Registered: 2010-11-11
Posts: 3,530

Re: custom field value as a variable for link and category name

jakob wrote #320663:

The custom fields that were empty resulted in combo-queries rather than ignoring them.

Yes, if a cf is set (even empty) in URL, it will be taken into account. If they come from, say, <select /> combo, the ‘empty’ value should be represented by %.

We still have time to tweak it before the 4.8 release. A possible fix is allowing % in the match attribute: match="%cf" could be transformed into

cf LIKE '%cf_value'

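The matching behaviour discussed in posts #31 to #34 (custom-field values wrapped in %, an empty value turning into '%%' and matching everything, false matches when a short value sits inside a longer one, %-sequences in the URL being decoded before they reach the query, and the bound parameters being why the setup is safe), as an added Python/SQLite simulation. This is not Textpattern's own code: the table, the rows, the column names and the query values are constructed here for illustration, and SQLite's LIKE stands in for the MySQL LIKE that Textpattern would run.

```python
import html
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for the textpattern table: the two
# custom fields hold comma-separated multi-item values, as on the site in
# the thread.
ARTICLES = [
    (1, "Housing, Renovation", "Private"),
    (2, "Housing", "Public sector"),
    (3, "Office", "Private"),
    (4, "Renovation, Office", ""),            # clientele left empty
    (5, "Social Housing", "Public sector"),   # longer value containing "Housing"
]

# Only these columns may be filtered; column names never come from the request.
ALLOWED_COLUMNS = {"project_type", "project_clientele"}


def open_db():
    """Build an in-memory SQLite table from the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE textpattern (id INTEGER, project_type TEXT, project_clientele TEXT)"
    )
    con.executemany("INSERT INTO textpattern VALUES (?, ?, ?)", ARTICLES)
    return con


def like_pattern(query_value, leading=True, trailing=True):
    """Turn a raw query-string value into the LIKE pattern the template builds.

    The value is URL-decoded first, which is why a % followed by hex digits
    in the URL (e.g. %20) is consumed as an escape rather than kept as a
    wildcard. Wrapping in % reproduces project_type='%...%'; leading-only
    corresponds to the match="%cf" -> cf LIKE '%cf_value' idea from post #34.
    """
    decoded = unquote(query_value)
    return ("%" if leading else "") + decoded + ("%" if trailing else "")


def find_projects(**filters):
    """Return ids of rows whose custom fields contain each filter value.

    Every value is bound as a parameter, so quotes in it cannot alter the
    query. Only % and _ keep their LIKE meaning, which is exactly the
    over-matching the thread discusses: an empty value becomes '%%' and
    matches every row, and a short value matches inside longer ones.
    """
    con = open_db()
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown custom field: {column}")
        clauses.append(f"{column} LIKE ?")
        params.append(like_pattern(value))
    sql = "SELECT id FROM textpattern"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return [row[0] for row in con.execute(sql, params)]


def heading_text(query_value):
    """Value as it should appear in an HTML heading: decoded, then escaped.

    Escaping belongs at output time only; the DB comparison above uses the
    unescaped value, which is what passing escape="" to the cf achieves.
    """
    return html.escape(unquote(query_value), quote=True)


if __name__ == "__main__":
    print(find_projects(project_type="Housing"))                  # [1, 2, 5]
    print(find_projects(project_type="", project_clientele=""))   # [1, 2, 3, 4, 5]
    print(find_projects(project_type="' OR 1=1 --"))              # []
    print(heading_text("<b>Office</b>"))                          # &lt;b&gt;Office&lt;/b&gt;
```

The two points worth keeping separate in a real template are visible in the code: the value that goes into the query is decoded but never HTML-escaped (that is the escape="" advice), while the same value used in a heading is escaped at output time. The bound parameter is why a quote in the query string is harmless; what bound parameters do not prevent is the wildcard behaviour of % (and _) inside the value, which is the source of the generous matching the thread observed.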
