views:

15

answers:

2

I'm implementing HTML sanitization for form fields, on the beforeSave() method of a model. But it doesn't work.
Example:

public function beforeSave()
{
  $this->anAttribute = 'somevalue';
  var_dump( $this->anAttribute );
}

somevalue is actually outputted, but it never gets to the DB, so in between beforeSave() and save() the value is lost and what's saved is the original form field value.

A: 

How about using afterValidate() instead of beforeSave() ?

galymzhan
Do not use afterValidate() to store values; values will get updated before save and it will produce some issues.
JKS
Yes, actually there's a model that doesn't have validation, the user can enter whatever they want in any field, including nothing, but the input has still to be sanitized to remove HTML and therefore XSS.
Petruza
+1  A: 

You have to change your line

public function beforeSave()
{
  $this->anAttribute = 'somevalue';
  // beforeSave() must return true, otherwise CActiveRecord aborts the save
  // and the modified attribute never reaches the database.
  // parent::beforeSave() raises the onBeforeSave event and returns true.
  return parent::beforeSave();
}
JKS
Thanks! that was it. Also had to call parent::beforeSave()
Petruza
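Putting the two answers together for the original use case (stripping HTML from free-form fields before they are stored), here is an added example of a complete beforeSave() override; it is not code from the question or the answers, and it assumes Yii 1.x (CActiveRecord) and a hypothetical model class Post with attributes title and body.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes Yii 1.x (CActiveRecord) and a hypothetical model "Post"
// with the text attributes "title" and "body".
class Post extends CActiveRecord
{
    // Attributes that hold user-entered text and must be sanitized.
    private $htmlSanitizedAttributes = array('title', 'body');

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{post}}';
    }

    /**
     * Runs on both insert and update, whether or not the model has
     * validation rules, so it is the right hook for sanitizing input
     * that may contain anything (including nothing).
     */
    protected function beforeSave()
    {
        foreach ($this->htmlSanitizedAttributes as $name) {
            $value = $this->$name;
            if ($value === null || $value === '') {
                continue; // empty input is allowed; nothing to strip
            }
            // Remove all markup (script tags, event-handler attributes,
            // etc.) before the value is written to the database.
            $this->$name = trim(strip_tags($value));
        }

        // Returning nothing (null) is treated as false and silently aborts
        // the save, which is exactly the symptom described in the question.
        // parent::beforeSave() raises onBeforeSave and returns true.
        return parent::beforeSave();
    }
}
```

Stripping tags on input reduces what can be stored, but the page's XSS goal still depends on encoding on output (for example CHtml::encode() in views), since other write paths to the same table bypass beforeSave().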