Download the PHP package gajus/dora without Composer
On this page you can find all versions of the php package gajus/dora. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package dora
Short Description Input generation library for value resolution, data persistence, templates, CSRF and protection from XSS.
License BSD-3-Clause
Homepage https://github.com/gajus/dora
Information about the package dora
Dora
Input generation library for value resolution, data persistence, templates, CSRF and protection from XSS.
Documentation
This document serves as Dora API documentation. If you prefer, you can learn Dora API while browsing the interactive demonstration and use this document for the API reference.
Form
Form is a data container. Input generated using an instance of the Form will inherit Form data.
Input with name "foo" will inherit "Heeeere's...Johnny!" value:
Input can be any type of HTML input.
Input name can resolve value from an array:
When Input is declared using variable array syntax, Input index (i.e., order in which Input is generated) will be matched against the value with the respective index in the data array.
Input
Input is a standalone entity defined with four parameters. Only the first parameter is required.
Most of the time, Form will act as a factory to produce Input (like in all the examples on this page).
HTML attributes
HTML attributes that are added to the generated input. All attributes will be taken literally except "type". "type" attribute will change the actual input type, e.g. "select" will make input <select>, "textarea" will make it <textarea>.
Input Properties
Input properties are used at the time of generating the input template.
Name | Description |
---|---|
name | Name is not a required property. Input name property is used when input is used in template, e.g. for the label. If input name property is not provided, English name will be derived from the "name" attribute, e.g. foo[bar_tar_id] will come out as "Foo Bar Tar". |
options | options property is not required. This property is for <select> input type. Passing this property will assume that input type is "select". |
Template
Input can be dressed using a Template. Template is utilised when input is cast into a string. Form template will become the default template for all the Input generated using an instance of that Form:
"Gajus\Dora\Template\Traditional" is the default template. null will return input without template.
Traditional Template
Traditional template consists of label, input and optional description.
Styling
Dora or the Traditional template does not impose style. The example of styling the Traditional layout is for illustration purposes only.
Writing a Template
Template class must extend Gajus\Dora\Template.
Refer to the existing templates to learn more.
CSRF
Forms generated using Dora need to be signed:
The generated signature consists of UID and CSRF tokens:
- UID is used to recognise an instance of the Form that has been used to generate the input. UID does not change between requests.
- CSRF is used to validate user session.
Use isSubmitted method to catch when the Form is submitted, e.g.
Do not use:
The above example allows CSRF vulnerability.
To bypass CSRF validation but continue to benefit from the UID form recognition, use isSubmitted(false).
If you are not familiar with cross-site request forgery (CSRF, pronounced "sea-surf"), read:
- http://shiflett.org/articles/cross-site-request-forgeries
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
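The UID and CSRF signature check described above, sketched as an added example; this is not Dora's code. The class SignedForm, the sig[uid] and sig[csrf] field names, the UID derivation and the 'csrf' session key are assumptions made for illustration, and the two requests are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical sketch, not Dora's implementation: SignedForm, the "sig" field
// names and the 'csrf' session key are assumptions made for this example.
final class SignedForm
{
    private string $uid;
    private array $session;

    public function __construct(string $formId, array &$session)
    {
        $this->session = &$session;            // stand-in for $_SESSION
        $this->uid = hash('sha256', $formId);  // stable: same value on every request
        if (!isset($this->session['csrf'])) {  // random, generated once per session
            $this->session['csrf'] = bin2hex(random_bytes(32));
        }
    }

    // Hidden inputs that carry the signature inside the form.
    public function sign(): string
    {
        return sprintf('<input type="hidden" name="sig[uid]" value="%s">'
            . '<input type="hidden" name="sig[csrf]" value="%s">', $this->uid, $this->session['csrf']);
    }

    public function isSubmitted(array $post, bool $validateCsrf = true): bool
    {
        $uid = $post['sig']['uid'] ?? null;
        $csrf = $post['sig']['csrf'] ?? null;
        if (!is_string($uid) || !hash_equals($this->uid, $uid)) {
            return false;                      // unsigned, or signed by another form
        }
        if (!$validateCsrf) {
            return true;                       // UID recognition only, no session check
        }
        return is_string($csrf) && hash_equals($this->session['csrf'], $csrf);
    }
}

// Constructed requests: one carrying the session's token, one with a mismatched token.
$session = [];
$form = new SignedForm('newsletter', $session);
$uid = hash('sha256', 'newsletter');
$sameSession = ['sig' => ['uid' => $uid, 'csrf' => $session['csrf']]];
$otherOrigin = ['sig' => ['uid' => $uid, 'csrf' => str_repeat('0', 64)]];

var_dump($form->isSubmitted($sameSession));        // token matches the session
var_dump($form->isSubmitted($otherOrigin));        // token check applied
var_dump($form->isSubmitted($otherOrigin, false)); // token check skipped
```

In this sketch the UID is identical on every request, so only the session-bound token distinguishes the two constructed requests. That token comparison is the check that isSubmitted(false) gives up.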
Post/Redirect/Get
Dora assumes that application is designed using Post/Redirect/Get pattern. Dora will not populate form upon POST request because it is assumed that POST request will result in a redirect. Dora will copy POST data and store it in a temporary session. This is achieved using composer, then this script is automatically included in every request.
Data Persistence
Using the Post/Redirect/Get pattern requires special handling of user input. If you want to return user to the form after POST event (e.g. in case of an error), you do not want to make user re-enter all the values all over again. Dora utilises $_SESSION['gajus']['dora']['flash'] variable to copy $_POST data for one Post/Redirect/Get cycle. If you return user to the form after POST, form will be populated with the originally submitted data.
Installation
The recommended way to use Dora is through Composer.