CodeIgniter Forums
How do I prevent general users from accessing the callback function for the form_validation class? - Printable Version



How do I prevent general users from accessing the callback function for the form_validation class? - El Forum - 05-30-2012

[eluser]adityamenon[/eluser]
In my controller, I have:

Code:
class Some_controller extends CI_Controller {
  function some_page() {
    if($this->input->post()) {
      $this->form_validation->set_rules('some_field', 'Some Field', 'callback_some_field_verifier');
      $this->form_validation->run();
    }
  }

  function some_field_verifier($str) {
    if($str !== 'some sort of verification') {
      return false;
    } else {
      return true;
    }
  }
}

I want to prevent people from visiting mysite.com/some_controller/some_field_verifier/test_var, even if they just come up an empty page. I could add a condition that checks if a variable was supplied, and it's somewhat far-fetched to think someone would think to submit an additional string in the URL, but it's semantically wrong... and might be good hunting for bots looking at site vulnerabilities.

An htaccess redirect comes to mind, but is there an in-framework way to verify that the function is being called only from form_validation class and not by itself? private and protected callback methods don't do the trick because Form validation class cannot call them out of my controller...


How do I prevent general users from accessing the callback function for the form_validation class? - El Forum - 05-30-2012

[eluser]victorcl[/eluser]
Use an underscore as the first character of your function name.
Code:
class Some_controller extends CI_Controller {
  function some_page() {
    if($this->input->post()) {
      $this->form_validation->set_rules('some_field', 'Some Field', '_callback_some_field_verifier');
      $this->form_validation->run();
    }
  }

  function _some_field_verifier($str) {
    if($str !== 'some sort of verification') {
      return false;
    } else {
      return true;
    }
  }
}



How do I prevent general users from accessing the callback function for the form_validation class? - El Forum - 05-30-2012

[eluser]adityamenon[/eluser]
That didn't work. The function is simply not being called during validation...


How do I prevent general users from accessing the callback function for the form_validation class? - El Forum - 05-30-2012

[eluser]victorcl[/eluser]
Sorry, it was like this:
Code:
$this->form_validation->set_rules('some_field', 'Some Field', 'callback__some_field_verifier');



How do I prevent general users from accessing the callback function for the form_validation class? - El Forum - 05-30-2012

[eluser]CroNiX[/eluser]
Code:
function _name_of_validation_function($str) // use _ as first character of function name to make private.

Then, your callback rule would be "callback__name_of_validation_function" (2 underscores between callback and function name), since callbacks are normally preceded by "callback_" + function name.

You can also create a MY_Form_validation library that extends CI_Form_validation and add your own rules there and use them like the rest of the form validation rules without using "callback_". The rules would be defined in that class instead of your controller, so you wouldn't be able to access the functions via the url anyway, AND, be available to the rest of your controllers that you use form_validation in.
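
The MY_Form_validation approach described in the post above, as an added example (not code from the thread or from CodeIgniter itself). It assumes the default MY_ subclass prefix; the error message text and the some_form view name are made up for illustration.

```php
<?php
// File 1: application/libraries/MY_Form_validation.php
// Assumes 'subclass_prefix' is left at its default 'MY_' in application/config/config.php.
class MY_Form_validation extends CI_Form_validation {

    // The rule name used in set_rules() is the method name: 'some_field_verifier'.
    // Only controllers are dispatched by the router, so no URL maps to this method.
    public function some_field_verifier($str)
    {
        if ($str !== 'some sort of verification') {
            // %s is replaced with the field's human-readable label.
            $this->set_message('some_field_verifier', 'The %s field failed verification.');
            return FALSE;
        }
        return TRUE;
    }
}

// File 2: application/controllers/some_controller.php
class Some_controller extends CI_Controller {

    public function some_page()
    {
        // Loading 'form_validation' picks up the MY_ subclass automatically.
        $this->load->library('form_validation');

        if ($this->input->post()) {
            // No "callback_" prefix: the rule is resolved on the validation library,
            // so the controller exposes no verifier method at all.
            // 'required' is listed because non-callback rules are skipped when a
            // field that is not required arrives empty.
            $this->form_validation->set_rules(
                'some_field', 'Some Field', 'required|some_field_verifier'
            );

            if ($this->form_validation->run() === FALSE) {
                // Validation failed: redisplay the form (view name is a placeholder).
                $this->load->view('some_form');
                return;
            }
            // Input passed validation; continue processing here.
        }
    }
}
```

With this layout, a request to /some_controller/some_field_verifier/test_var returns a 404 because the controller has no such method.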


How do I prevent general users from accessing the callback function for the form_validation class? - El Forum - 05-30-2012

[eluser]adityamenon[/eluser]
That worked, thanks CroNiX and VictorCL.