Feature #4542 - Add decimalFormat server-side pattern check

317d1ff6 · Elias Villiger · 13079a52 · 317d1ff6 · 317d1ff6 · 317d1ff6
Commit 317d1ff6 authored Feb 01, 2018 by Elias Villiger
--- a/extension/qfq/qfq/AbstractBuildForm.php
+++ b/extension/qfq/qfq/AbstractBuildForm.php
@@ -1378,13 +1378,13 @@ abstract class AbstractBuildForm {
     * Construct HTML Input attribute for Client Validation:
     *
     *   type     data                      result
-     *   -------  -----------------------
-     *   ------------------------------------------------------------------------------- min|max  <min value>|<max
-     *   value>   min="$attrData[0]"|max="$attrData[1]" pattern  <regexp>                  pattern="$data" digit
-     *   -                         pattern="^[0-9]*$" email    -
-     *   pattern="^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$" alnumx   -
+     *   -------  -----------------------   ----------------------------------------------------------------
+     *   pattern  <regexp>                  pattern="$data"
+     *   digit    -                         pattern="^[0-9]*$"
+     *   email    -                         pattern="^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$"
+     *   alnumx   -
     *
-     * For 'min/max' and 'pattern' the 'data' will be injected in the attribute string via '%s'.
+     * For 'pattern' the 'data' will be injected in the attribute string via '%s'.
     *
     * @param string $type
     * @param string $data
@@ -1642,6 +1642,44 @@ abstract class AbstractBuildForm {
        return $items;
    }

+
+    /**
+     * Get the size and decimal-point precision of a number from the table definition.
+     * Returns an array with the first item being the size, the second item being the precision.
+     * Returns null when no info found.
+     *
+     * @param string $column
+     *
+     * @return array
+     */
+    private function getDecimalSize($column) {
+        // Get column definition
+        $fieldTypeDefinition = $this->store->getVar($column, STORE_TABLE_COLUMN_TYPES);
+
+        if ($fieldTypeDefinition === false)
+            return null; // not part of the table definition
+
+        $fieldTypeInfoArray = preg_split("/[()]/", $fieldTypeDefinition);
+        switch ($fieldTypeInfoArray[0]) {
+            case 'decimal':
+            case 'float':
+            case 'double':
+            case 'real':
+                $sizeAndPrecision = explode(",", $fieldTypeInfoArray[1]);
+                return [ $sizeAndPrecision[0], $sizeAndPrecision[1] ];
+
+            case 'int':
+            case 'tinyint':
+            case 'smallint':
+            case 'mediumint':
+            case 'bigint':
+                return [ $fieldTypeInfoArray[1], 0 ];
+
+            default:
+                return null;
+        }
+    }
+
    /**
     * For CheckBox's with only one checkbox: if no parameter:checked|unchecked is defined, take defaults:
     *

--- a/extension/qfq/qfq/Constants.php
+++ b/extension/qfq/qfq/Constants.php
@@ -858,6 +858,7 @@ const FE_PLACEHOLDER = 'placeholder';

 // FormElement columns: via parameter field
 const FE_DATE_FORMAT = 'dateFormat';  // value: FORMAT_DATE_INTERNATIONAL | FORMAT_DATE_GERMAN
+const FE_DECIMAL_FORMAT = 'decimalFormat'; // value: 10,2
 const FE_SHOW_SECONDS = 'showSeconds';  // value: 0|1
 const FE_SHOW_ZERO = 'showZero';  // 0|1 - Used for 'date/datime/time': in case of fe.value='0' shows corresponding '00-00-0000'|'00:00:00'
 const FE_HIDE_ZERO = 'hideZero';  // 0|1 - In case of fe.value=0|'0', an empty string is shown.

--- a/extension/qfq/qfq/helper/Sanitize.php
+++ b/extension/qfq/qfq/helper/Sanitize.php
@@ -34,13 +34,14 @@ class Sanitize {
     * @param string $value value to check
     * @param string $sanitizeClass
     * @param string $pattern Pattern as regexp
+     * @param array $decimalFormat with [ size, precision ]
     * @param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING
     *
     * @return string
     * @throws UserFormException
     * @throws \qfq\CodeException
     */
-    public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $pattern = '', $mode = SANITIZE_EMPTY_STRING) {
+    public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $pattern = '', $decimalFormat = null, $mode = SANITIZE_EMPTY_STRING) {
        // Prepare pattern check
        switch ($sanitizeClass) {
            case SANITIZE_ALLOW_PATTERN:
@@ -62,6 +63,14 @@ class Sanitize {
                throw new CodeException("Unknown checkType: " . $sanitizeClass, ERROR_UNKNOWN_CHECKTYPE);
        }

+        // decimalFormat
+        if ($decimalFormat !== null) {
+            if ($sanitizeClass !== SANITIZE_ALLOW_PATTERN && $sanitizeClass !== SANITIZE_ALLOW_DIGIT) {
+                // overwrite pattern
+                $pattern = getDecimalFormatPattern($decimalFormat);
+            }
+        }
+
        // Pattern check
        if ($pattern === '' || preg_match("/$pattern/", $value) === 1) {
            return $value;
@@ -115,6 +124,17 @@ class Sanitize {
        return '';
    }

+    /**
+     * Returns the regexp pattern to match a decimal number with the format in $decimalFormat.
+     *
+     * @param array $decimalFormat with [ size, precision ]
+     *
+     * @return string
+     */
+    public static function getDecimalFormatPattern($decimalFormat) {
+        return "^[0-9]{0,$decimalFormat[0]}(\.[0-9]{0,$decimalFormat[1]})?$";
+    }
+
    /**
     * @return array
     */