Forms and Data field validation againt SQL

tmccormi wrote on Wednesday, April 22, 2009:

We discovered a trap that is easy to fall in and very fraught with potential bad consequences.

The standard forms creation process does not enforce any kind of field validation with regard to the SQL field definition.

For instance:  A HTML text box on the form will take more data input by default than the SQL definition may be defined for, resulting in SILENT truncation of the text when it’s written to the table. 

Developers that are creating their own forms could implement a form and discover after the fact that patient information was irrevocably lost.

Clear documentation on the Forms development process would help.

I am wondering or the ADODB wrapper function can be used to validate incoming format with table field definitions and prevent that. 

OR

Do we need to implement AJAX functions in the custom Form/Script process and tools to make sure the developer is aware of this hazard.

PS: we’ll be sending updates to the table.sql files we put in the contribs for our forms, as we tripped on this… ugh.

Tony

ideaman911 wrote on Thursday, April 23, 2009:

Nice catch, Tony.  Agreed; that will be a usability nightmare.

Joe Holzer    Idea Man
http://www.holzerent.com

cfapress wrote on Wednesday, April 29, 2009:

Personally, I think it’s upon the form-developer’s shoulders to make sure the form functions as intended; i.e. prevent truncation of text fields. I don’t know how much time and effort we should put into validation of other people’s forms.

This gets back to the dream situation where the form creation is a WYSIWYG style.

Jason

tmccormi wrote on Wednesday, April 29, 2009:

It’s not about WYSYWYG form creation, though that would be really nice and nearly as good I we had back in 1980 with 4GL languages.  

It’s about adding or enabling the Object wrappers that write to the SQL database to throw an exception when the data being handed to it does not meet the definition in the SQL table.  This is simple, normal DB operational activity and should be part of the access layer.
–Tony

cfapress wrote on Thursday, April 30, 2009:

Tony,

Object wrappers and exception throwing-and-catching would be great. I think it would take some serious rewriting to make that possible. You mention the ‘access layer’. From what I’ve seem in the OpenEMR code there really aren’t any distinct layers. I wish there were.

Perhaps we’re heading toward a major rewrite of the code base in 2009?

Jason

bradymiller wrote on Friday, May 01, 2009:

hey,
Aren’t most of the mysql queries run through wrappers found here:
openemr/library/sql.inc

Wouldn’t this be place to throw exceptions and clean up escapes etc.

Was hoping this would be where I could place mysql statements to make fully compatible with UTF-8 at some point.

-brady