Typo3, Formhander and the eval() of death

I was working on a typo3 site again that uses formhandler. Formhandler advertises it's strength as being usable for building

rock solid, state of the art forms in TYPO3 the easy way.

I'll give the extension that you can build complex forms with it. I wouldn't exactly call it easy or intutive though. I mean, the simple example has you editing stuff in a dozen or so locations. But it's typo3 after all, so it's enterprisy.

But on campaign launch day I found entries in the webserver's error log like:

PHP Parse error:  syntax error, unexpected ')' in /path/to/typo3conf/ext/formhandler/Classes/Controller/Tx_Formhandler_Controller_Form.php(1073) : eval()'d code on line 1, referer: <bla>

What.. the.. eval? Ok, let's check out that code.

$finalCondition = '(' . implode(' || ', $orConditions) . ')';
eval('$evaluation = ' . $finalCondition . ';');

I was flabbergasted why on earth there would be an eval in there. I thought formhandler was supposed to be the good form extension! Rock solid, state of the art, MVC, modular, modern, smart. So why was it trying to eval() what turned out to be "((FALSE))"?

Anyway, from the code it wasn't too hard to figure out what was going on, the $orConditions kind of gives it away as I had just added some conditional form field validation the day before. It turns out the problem lied in a condition like:

isTrue {
  # Make settings for a different step 3
  3 {
    templateSuffix = _alternative
    validators.1.config.disableErrorCheckFields = firstname,lastname,email
  }
}

If you compare this snippet to the example in the docs, you'll see an empty else block there. It turns out formhandler really really wants you to use that empty else block in your typoscript configuration if you don't want formhandler to throw 500s at your users. Typoscript is a declarative configuration language.

Like this:

isTrue {
  # Make settings for a different step 3
  3 {
    templateSuffix = _alternative
    validators.1.config.disableErrorCheckFields = firstname,lastname,email
  }
}
else {
  # Do something if the condition was not true. This will not be needed often.
}

This won't be needed often, but the hell you omit the empty block.

0 comments

Reply

Cancel reply
Markdown. Syntax highlighting with <code lang="php"><?php echo "Hello, world!"; ?></code> etc.
Latest updates
  1. Using dnsmasq to isolate DNS queries
  2. Cannot resolve login.wifionice.de under Linux
  3. Script to get filename stats
  4. mosh can't connect despite open firewall
  5. The anti business license
  6. Bram Moolenaar has passed away
  7. pkg_resources InvalidVersion: Invalid version
  8. Command line split that understands quotes
  9. Clean out /lib/modules on Debian systems
  10. Get random file recursively with home assistant
DjangoPythonBitcoinTuxDebianHTML5 badgeSaltStackUpset confused bugMoneyHackerUpset confused bugX.OrggitFirefoxWindowMakerBashIs it worth the time?i3 window managerWagtailContainerIrssiNginxSilenceUse a maskWorldInternet securityPianoFontGnuPGThunderbirdJenkinshome-assistant-logo
Latest comments
  1. I met Bram only a few times but used his software for over 30 years. …
  2. Like the title of the post says, this is about private keys, not public ones.
  3. Well, for one you are not importing your public key. You are exporting your secret …
  4. Works for me
  5. I like this idea but could it cause any problems?