Form Validation - Printable Version +- CodeIgniter Forums (https://forum.codeigniter.com) +-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) +--- Forum: Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12) +--- Thread: Form Validation (/showthread.php?tid=62607) Pages:
1
2
|
Form Validation - ignitedcms - 08-04-2015 I kinda already know the answer to my question but I'll ask it anyway. I've been using javascript to validate my forms and as a result I've been a bit lazy on server side validation. I thought if I make the field mandatory in the javascript I don't have to check it server side, which is probably a bad idea. But I'll ask the question anyway, should you always be validating form data server side? But my other question was on repopulating the form with old data that was incorrect. How best to do this efficiently? At the moment my form is validated and if it is bad data instead of loading all the views again I just do Quote:redirect("my_controller/my_method", "refresh"); I would like to use the above method as it save having to type out all the view files which the redirect method calls anyway. For example: Code: $this->load->view('header'); But how to I pass the bad data as 'flash data' back into the view? I've never been able to do this correctly. And what happens on first load, would you need to use an isset() in the view? An example would be great. RE: Form Validation - mwhitney - 08-04-2015 First: you should always validate form data on the server side. JavaScript validation is nice, but the user has full control over JavaScript, including being able to disable it completely. At the minimum, you should do enough validation on the server to make sure you don't insert something malicious into your database. You should behave as if the JavaScript validation is at best suspect, and at worst compromised or disabled. I usually submit my form back to the method which originally displayed it, which reduces the need to duplicate code or pass data between methods in my controller just to handle a single form. The view itself just uses set_value() (or the other form_helper set_*() functions, as appropriate) to populate the values, and I usually default the record variable to an empty object if I'm loading an empty form and use isset() to avoid bad property references. Example from view (excuse the mish-mash of bootstrap v2 classes): PHP Code: <?php if (validation_errors()) : ?> I probably went overboard with the following controller example. This assumes a few methods are added to the model, so I tried to add comments to vaguely describe what the model might be doing in those cases (to avoid adding an even more detailed example_model to this post). PHP Code: <?php RE: Form Validation - Diederik - 08-04-2015 I always view server-side validation as a must to prevent my system to be filled with with unwanted, unexpected and/or possible harmfull data. Client side validation is just a tool to make thing prettier and more user friendly for your audiance. You need to look at the form validation class documentation, especialy to the set_value, set_radio etc methodes. They can set the desired value to an input element. If you edit some data set the default value to the stored data and if there's a post variable ci will use that posted value instead of the stored value. RE: Form Validation - ignitedcms - 08-04-2015 OK is there anyway to repopulate the view using redirect install of load->view(). Redirect seems to loose the data, but it makes the code more readable(only one line) It justs seems a ballache to load all the views files, and db queries again to pass into the view that failed. RE: Form Validation - Diederik - 08-04-2015 I dont see how a redirect saves you resources, perhaps i dont quite understand you. After your controller decides a form is not valid you can: A) load the original form view file and populate it with the posted data and show an error why it was not valid B) redirect to another url, another controller has to be loaded and some other view file. I dont see how B would be more efficient. But if you feel that performace is effected by A you could use both server-side and client-side validation. Then you can asume most users input is being validated on the client side and the server side is just a formality wich should pass straigt away for all regular nice userrs which use javascript or html5 validation. I prefer to first make things work nicely with server-side validation and if thats done I implement javascript for better user experience since js can validate alot faster. But the main point is to never trust user input, just like you read in every book about securing a php application. RE: Form Validation - ignitedcms - 08-05-2015 Thanks. The reason why I would like to use redirect is NOT because of resource efficiency. Purely because it makes the code more readable. It would only be one line to maintain. So any examples using redirect would be greatly appreciated. Or would you have to use flash data? RE: Form Validation - Diederik - 08-05-2015 If the posted data a user provides is valid I first insert/update/delete the database. After that I store a success message in a session and redirect to the main page. There the message is being shown (and removed from the session). Flashdata could be used but I feel it is somewhat unreliable as it is cleared during the next load. In some cases the flash data is cleared before it is shown to the user (for example if there is another redirect in place or some error occurred). I created my own messages library which stores these succes and error messages and only removes them when it is presented to the user. My library was inspired by Jens Segers but I recently found another one which does about the same. https://github.com/jenssegers/codeigniter-message-library https://github.com/avenirer/CodeIgniter-Rat RE: Form Validation - Wouter60 - 08-05-2015 Flashdata is not intended for repopulating a form that doesn't meet the form validation rules. A better method is using the form_validation library. Basically, your method (in the controller) can look look like this: PHP Code: public function show_form() PHP Code: echo form_open(); form_open() without any parameters will just submit your form to the controller where it came from. RE: Form Validation - CroNiX - 08-05-2015 If you want to repopulate the form, you shouldn't redirect. PHP's $_POST superglobal vars only exists for one request. If you redirect you lose the contents of $_POST. My controllers usually look something like this: PHP Code: // Was form submitted? RE: Form Validation - mwhitney - 08-05-2015 (08-05-2015, 12:08 AM)iamthwee Wrote: Thanks. The reason why I would like to use redirect is NOT because of resource efficiency. In theory, you could probably do this by setting session data, but not only would you be misusing redirect and wasting resources, the scaffolding you would be rebuilding to support the redirect (instead of using the form_validation library and related helper functions) would be significantly more difficult to maintain and read than the alternative. In other words, a redirect is more readable and maintainable only because you haven't done what would be necessary to make it work properly. It's also a waste of the end user's resources, not just your server's resources, because the redirect forces the browser to make another request. |