Filtering input - controller or model?

Filtering input - controller or model? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
+--- Thread: Filtering input - controller or model? (/showthread.php?tid=36517)

Filtering input - controller or model? - El Forum - 12-04-2010

[eluser]SpaceCoder[/eluser]
I have such model and controller for AJAX comment posting
model:

Code:
class Items_model extends Model {

function add_comment($item_id, $user_id, $text, $type)

    {

        $data = array(

            'item_id' => $item_id,

            'user_id' => $user_id,

            'text' => $text,

            'type' => $type,

            'created_at' => mktime()

        );

        $this->db->insert('comments', $data); 

        return $this->db->insert_id();

    }

controller:

Code:
class Items extends Controller {

function add_comment() 

    {

        $this->load->helper('date');

        $item_id = $this->input->post('item_id', TRUE);

        $text = $this->input->post('comment_text', TRUE);

        $type = $this->input->post('type', TRUE);

        $user_id = $this->session->userdata('user_id'); // user id, must be logged in

        $this->Items_model->add_comment($item_id, $user_id, $text, $type);

        $response = array(

            'message' => 'Thank you!'

        );

        echo json_encode($response);

    }

In controller or in model should I control that $item_id and $text are not null, $user_id is set and user has logged in?
And how?

Best, Kirill.

Filtering input - controller or model? - El Forum - 12-04-2010

[eluser]SpaceCoder[/eluser]
Please, help...

Filtering input - controller or model? - El Forum - 12-06-2010

[eluser]Zehee[/eluser]
Use the Form_validation class in controller is a fine choice.

Meanwhile, do a simple check in model is necessary, my personal view.

Filtering input - controller or model? - El Forum - 12-06-2010

[eluser]SpaceCoder[/eluser]
[quote author="Zehee" date="1291654683"]Use the Form_validation class in controller is a fine choice.

Meanwhile, do a simple check in model is necessary, my personal view.[/quote]

How check the $this->session->userdate('logged_id') flag with Form_validator?

Filtering input - controller or model? - El Forum - 12-06-2010

[eluser]techgnome[/eluser]
Well for the item Id and the text, validate using the form_validation. It's in the User Guide.

For the user being logged in, wouldn't it be better to first check for that before allowing them to comment? That way your add comment process only runs for logged in users.

-tg

Filtering input - controller or model? - El Forum - 12-06-2010

[eluser]SpaceCoder[/eluser]
[quote author="techgnome" date="1291668200"]Well for the item Id and the text, validate using the form_validation. It's in the User Guide.

For the user being logged in, wouldn't it be better to first check for that before allowing them to comment? That way your add comment process only runs for logged in users.

-tg[/quote]
Ok, but where would it better to check logged in? In _remap function? In core extension?

Filtering input - controller or model? - El Forum - 12-06-2010

[eluser]TaylorOtwell[/eluser]
[quote author="SpaceCoder" date="1291668336"][quote author="techgnome" date="1291668200"]Well for the item Id and the text, validate using the form_validation. It's in the User Guide.

For the user being logged in, wouldn't it be better to first check for that before allowing them to comment? That way your add comment process only runs for logged in users.

-tg[/quote]
Ok, but where would it better to check logged in? In _remap function? In core extension?[/quote]

I used to do that in a core extension (usually MY_Controller). In MY_Controller I would put a function "redirect_if_not_logged_in()" and call that from all my controller functions that needed that protection.

Eventually I got tired of putting that line of code in the controller functions. So, I hacked the core to allow for "annotations". Now I just do this:

Code:
/** [MembersOnly] */

public function comment()

{

    //

}

Filtering input - controller or model? - El Forum - 12-07-2010

[eluser]Zehee[/eluser]
[quote author="SpaceCoder" date="1291661392"][quote author="Zehee" date="1291654683"]Use the Form_validation class in controller is a fine choice.

Meanwhile, do a simple check in model is necessary, my personal view.[/quote]

How check the $this->session->userdate('logged_id') flag with Form_validator?[/quote]

I put this function

Code:
function isLogin()

{

    $CI =& get_instance();

    $session_key = $CI->session->userdata('session_key');

    return (!empty($session_key));

}

in my current_helper.php ( I added this helper file).

And in MY_Controller.php add this method:

Code:
protected function _checkLogin($redirect = 'login')

    {

        if (!isLogin())

        {

            redirect($redirect);

        }

        else

        {

            return true;

        }

    }

Then in Controllers:

Code:
class Comment extends MY_Controller {

    function __construct()

    {

        parent::__construct();

    }

    function add()

    {

        $this->_checkLogin();

        ...

    }

    ...

}

By this way, when you want to check login somewhere in your website, just call the methd '$this->_checkLogin()' in your controller. Sometimes, your can put this in __construct() when you need.

The data in session always use the similar way.

The data post/get form view use Form_validation class