Create account



CodeIgniter.com Twitter      


  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
Array passes form validation for string element with the same name -- how to fix?

Offline Stanzi1791
Newbie
*
Posts: 2
Threads: 1
Joined: Sep 2018
Reputation: 0
#1
09-25-2018, 01:55 PM
I've set up form validation for (amongst other fields) a text input box with the name "cms", this is in my application\config\form_validation.php file:

    // ...

        array(
            'field' =>  'cms',
            'label' =>  'CMS',
            'rules' =>  'is_natural_no_zero' 
        ),

    // ...

If I use a regular <input name="cms" value="value"> this works fine.

Yet, if I tweak the html for the form, and send a "cms" array to the controller instead of a string value, like this 

<input name="cms[]" value="some"><input name="cms[]" value="other">

this array passes the validation rule! Which is not what I want, nor what I expected.

I would expect (and want) the form validation to fail if an array instead of a string value was submitted.
Is there a way to enforce this in CodeIgniter (using validation rules)?
Find
Reply

Offline dave friend
Posting Freak
*****
Posts: 1,020
Threads: 15
Joined: Jun 2015
Reputation: 50
#2
09-25-2018, 09:04 PM
If the field name is an array - i.e. cms[] - then you must use the exact same for your Validation Rule field name. e.g.

PHP Code:
$this->form_validation->set_rules('cms[]''CMS''is_natural_no_zero'); 

See Using Arrays as Field Names
Find
Reply

Offline Stanzi1791
Newbie
*
Posts: 2
Threads: 1
Joined: Sep 2018
Reputation: 0
#3
09-26-2018, 02:47 AM (This post was last modified: 09-26-2018, 08:07 AM by Stanzi1791.)
(09-25-2018, 09:04 PM)dave friend Wrote: If the field name is an array - i.e. cms[] - then you must use the exact same for your Validation Rule field name. e.g.

PHP Code:
$this->form_validation->set_rules('cms[]''CMS''is_natural_no_zero'); 

See Using Arrays as Field Names

Thank you for your reply. I understand that if I want to use an array, I have to alter the validation rules.

But that is not what my question is about: I was trying to simulate the case where someone sends a forged post request to my controller, in which case it shouldn't validate.

After some further research I really do think there's a bug in CodeIgniter's the form validation code.

I fixed it by creating a file at application\libraries\MY_Form_validation.php, copying the _execute function, and replacing this

// If we get an array field, but it's not expected - then it is most likely
// somebody messing with the form on the client side, so we'll just consider
// it an empty field
$postdata = is_array($this->_field_data[$row['field']]['postdata'])
? NULL
: $this->_field_data[$row['field']]['postdata'];

with this

// If we get an array field, but it's not expected - then it is most likely
// somebody messing with the form on the client side, so we'll just consider
// it an empty field
$postdata = is_array($this->_field_data[$row['field']]['postdata'])
? ""
: $this->_field_data[$row['field']]['postdata'];
$this->_field_data[$row['field']]['postdata'] = $postdata;


(Using NULL won't work here, because NULL values are not re-assigned to the $_POST array by the _reset_post_array function.)
Find
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.