Hi,
I'm building a form with some PHP code in the markup component that retrieves a unique node title depending on the currently connected user and some other filters.
So I end up with a $title value, and build a little contextual text with some contextual links at the top of the form thanks to it.

But I'd also like to add that $title value as a value in the form.

I also tried the hidden component, which is very useful, thanks for that, but it lacks the possibility to add some code to generate a value; in some cases the token way is not applicable.

Could you please give me some info about a way to achieve that?
Thanks,
Jerome

Comments

quicksketch wrote:

I don't think what you're trying to do is possible in Webform through the UI. You definitely shouldn't be putting PHP code into a markup component. If you want to modify the field default values, you should use hook_form_alter() in a custom module. Unfortunately any custom coding like this is way outside the scope of help I provide in the Webform issue queue. I suggest reading up on tutorials on how to alter forms, like this article: http://www.lullabot.com/articles/modifying-forms-drupal-5-and-6

littleneo wrote:

Thanks for the link.
I read about this 'module way', yes, ok.. it looks disproportionate but ok.

I'd also like to know for which security concern this PHP snippet feature is not available..? It was in an earlier version I believe (defining a form value by server-side code).
I don't get it. To my little knowledge of the Drupal API and core and HTTP server-side security, it seems to be the same issues as adding some PHP code to a block or to the CCK computed field: grant PHP rights carefully to authenticated users, and AFAIK no security issue with anonymous visitors...? So if you plan to switch webform fields to CCK ones as I read somewhere, the security thing will remain (computed field for example)..?

Anyway, PHP support as in webform 2.x versions:
http://drupal.org/handbook/modules/webform/submission-code
to write a snippet that ends with:
%value[blah]=$blah
could be made in 3.x with:
http://drupal.org/project/webform_php

Is the webform php module suitable for my kind of "omg it's too dangerous" need?
Thanks, Jerome

PS: as your will is to prevent PHP use in webform, unfortunately for me :), the markup type code should be revisited.

quicksketch wrote:

I also like to know for which security concern this php snippet feature is not available.. ?

How about this?

db_query("DROP DATABASE drupal");

PHP is ludicrously dangerous. It should never be allowed to be executed by an end-user.

littleneo wrote:

lol. Oh wow, I didn't know that command. Looks very powerful. You shouldn't publish such hacks here.

Seriously, and sorry if I'm not clear (English is not my native language): I would be more interested in how an ANONYMOUS VISITOR or a site member with no PHP rights (and not the webform admin ones either, in my case..) could break my DB using the PHP feature as in webform 2. And the webmaster is neither high nor psycho.

If you mean that a user was able to paste malicious code in one of the fields of a webform and send it, that's another problem than allowing the webmaster to add some PHP code to generate values BEFORE the page is sent.

OK, never mind, could you just tell me if the webform php module is suitable for my needs, like hook_form_alter()?
I see on your page that it's a beta release.

Thanks.

quicksketch wrote:

I think the only way to accomplish what you're trying to do is through hook_form_alter() in a custom module. Even Webform PHP module wouldn't help you with changing the default values of form elements.

Regarding how dangerous PHP is: It's only as dangerous as the user filling out the "PHP code" fields. Hopefully you'd never allow an end user to type PHP into a textfield. However, that doesn't mean that some people don't allow this anyway because they don't know what they're doing.

littleneo wrote:

Status: Active » Closed (fixed)

Compared to the other CMSes I know, Drupal is the most versatile and flexible, and my favourite for this. I understand the will to make it easier and safer to use, as it's a bit tricky to understand at the beginning compared to other, less 'open-minded' CMSes. But I don't fully agree with your point of view, to restrict webform features to prevent beginners from creating security holes, as a brief guideline could be provided about such a PHP feature (risks, recommendations, webmaster duties..) and as Drupal core itself, the computed CCK field etc. permit adding such PHP snippets.

BUT webform is a really great module, and an excellent alternative to the default contact form, so thanks a lot for this work and your answers.

druplicate wrote:

Version: 6.x-3.4 » 6.x-3.6
Component: Documentation » Code
Status: Closed (fixed) » Active

I need some clarification on this...

I use the markup component (where it specifically states you can use PHP, and allows the PHP input filter to be selected) to execute this code:

<?php
// $_GET['q'] holds the internal Drupal path, e.g. "node/12345".
$var = $_GET['q'];
// Drop the leading "node/" (5 characters) and print what is left.
echo " NID: " . substr($var, 5);
?>

All this does is parse the typical URL, .../node/12345, and spit out "NID: 12345" on the form.

Why would this be a security risk given that the user has no place to insert code?

The problem with this is that I additionally want the NID to be saved in the form, but it isn't.

I use another (hidden) component to save the NID using the token "%get[q]" but it prints as "node/12345" and I just want the NID. Can't use PHP anywhere else in Webform, so what to do?

I think this is a common use case where we want to save the NID of the page where the Webform resides.

I believe there would be a security risk (SQL injection?) if you were trying to get the URL alias in which case you'd have to do something like this:

<?php
function aarg_url($index = NULL, $path = NULL)
{
  // Cache the exploded path between calls, as core's arg() does; without
  // "static" $arguments is undefined on every call and nothing is cached.
  static $arguments = array();

  if (!isset($path)) {
    // Use the URL alias of the current page rather than the internal path.
    $path = check_plain(drupal_get_path_alias($_GET['q']));
  }
  if (!isset($arguments[$path])) {
    $arguments[$path] = explode('/', $path);
  }
  if (!isset($index)) {
    // No index requested: return all segments of the alias.
    return $arguments[$path];
  }
  if (isset($arguments[$path][$index])) {
    return $arguments[$path][$index];
  }
}

// The markup component prints the returned value, here the second segment.
return aarg_url(1);
?>

Am I right on this?
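The following is an added example, not code from this thread or from the Webform project. It shows the hook_form_alter() route that quicksketch recommends above, applied to the use case in this post (store the NID of the page the form sits on in a hidden component) and equally usable for Jerome's computed $title value. It assumes a Drupal 6 / Webform 3.x site, a custom module named mymodule, a webform with nid 12345 (the number used in this thread) and a hidden component whose field key is nid; the webform_client_form_NID form ID and the $form['submitted'][field_key] layout are how Webform 3.x builds its client forms, but treat them as assumptions to verify against the installed version.

```php
<?php
// mymodule.module (assumed module name) for Drupal 6 / Webform 3.x.
// Added example, not part of the thread or of the Webform project.

/**
 * Returns the nid found in the current internal path, or NULL.
 *
 * arg(1) on "node/12345" is the raw second path segment. Unlike
 * substr($_GET['q'], 5), this accepts only a plain run of digits, so a
 * crafted path can never be printed into the form unvalidated.
 */
function mymodule_current_nid() {
  if (arg(0) == 'node' && preg_match('/^\d+$/', (string) arg(1))) {
    return (int) arg(1);
  }
  return NULL;
}

/**
 * Implementation of hook_form_alter().
 *
 * Webform 3.x names each client form webform_client_form_<webform nid> and
 * places every component under $form['submitted'][<field key>]. The webform
 * nid (12345) and the field key ('nid') are assumptions for this example.
 */
function mymodule_form_alter(&$form, $form_state, $form_id) {
  if ($form_id != 'webform_client_form_12345') {
    return;
  }

  $nid = mymodule_current_nid();
  if ($nid === NULL || !isset($form['submitted']['nid'])) {
    return;
  }

  // The hidden component is an ordinary Form API element; its default value
  // is what gets submitted and stored with the rest of the submission.
  $form['submitted']['nid']['#default_value'] = $nid;

  // A hidden element still travels through the browser and can be edited
  // by the visitor before submit. If the value must be trusted server-side,
  // keep it out of the page entirely: a '#type' => 'value' element never
  // reaches the browser but is still present in $form_state['values'].
  $form['submitted']['nid']['#type'] = 'value';
  $form['submitted']['nid']['#value'] = $nid;
}
```

Enable the module, clear the cache so the new hook is registered, and load the page that embeds the webform: the component named nid is filled from the current path with no PHP stored in any Webform component. For Jerome's case, replace mymodule_current_nid() with the node lookup that produces $title and assign its result the same way. Drop the last two assignments if you do want a real hidden input that the markup on the page can reference.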

quicksketch wrote:

Status: Active » Closed (fixed)

All this does is parse the typical URL, .../node/12345, and spit out "NID: 12345" on the form.
Why would this be a security risk given that the user has no place to insert code?

It would not be a security risk. That's the long, on-going topic over at #428982: New hooks for additional token replacements.

I'm closing this issue again since it seems that token support is what you're after.

druplicate wrote:

My original application displayed the Webform as a block. I changed it to open a jQuery pop-up window with the webform, from a link. You can pass arbitrary variables in a query string appended to the href attribute and then extract them using the available Webform token, %get[q]. Just substitute whatever variable name you use in the query string, for "q", as follows:

In my particular tpl.php template, the anchor tag for the "Inquire" button passed the nid of the page the button was on (12345 is the nid of the webform):

<a id="inquiry" href="/node/12345?name=<?php print ($node->nid);?>">Inquire</a>

Then just use the token %get[name] in your component field (I used a hidden field).

As for the pop-up, I used the jQuery pop-up module and just set the "jQuery link selector" field to #inquiry.

Then if you want to custom style the pop-up display, you have to create your own version of webform-form.tpl.php as explained in the theming.txt file in the webform module directory. If you are ok with the form layout, and just want to clean up the form and get rid of the page header, sidebars, etc, make your own version of page.tpl.php, as: page-node-[nid].tpl.php and delete all the extraneous stuff, and change any CSS ids or classes to style it the way you want.

vantuykom wrote:

I want to use the markup component to get a value using a function, but all it shows is the code as a string.
I need to show the user's current userpoints with print userpoints_get_current_points($user->uid);
No PHP is executed...