$this->validator->getValidated() looks stupid and unnecessary
I'm sorry, but I'm not trying to insult anyone here...
But I truly don't understand the point of this method. I find it a very unnecessary addition to the framework. If the $this->validate() method is working fine, then why do we need this new method? If $this->validate() returns true, then we can be sure about the submitted data. If $this->validate() has any security issues, then that method is the one we have to fix, instead of introducing new methods. Another issue with this getValidated() method is that it only returns validated data. What if the form has fields that we don't want to be validated? Now we have to perform some extra work to get both the validated and optional fields' data. This is dirty work.

Can someone explain why this method is really necessary? I may not be smart enough to understand. Thanks.
From the docs:

Quote: The actual validated data can be retrieved with the getValidated() method. This method returns an array of only those elements that have been validated by the validation rules.

Quote: if $this->validate() returns true then we can be sure about the submitted data.

No, this is not true. You can only be sure of the data that was VALIDATED, and not all the submitted data. An attacker, for example, can send some other data to your form, and it will be included in the request, and since it is not being validated (no rules set), the submitted data may contain more than what you envisaged. So, to be sure that you are only retrieving or using the exact data that you expect, getValidated() does the trick. Before now, you may be doing something like so:

PHP Code:
if ($this->validate($rules)) {

PS: You could have made your point or request without using derogatory words.

(10-09-2023, 07:51 AM)sammyskills Wrote: From the docs:

I'm sorry, but your reply doesn't make any sense to me. Of course, fields that were not set in the validation rule set should not be trusted. It's a no-brainer. And we do it intentionally sometimes, because there are some situations where we don't want some fields to be validated. And we know the fact that only the fields in the validation rule set can be trusted. I think it's kind of unnecessary to use two different variables to access both valid data and unsure data, like:

$validData = $this->validator->getValidated();
$validAndInvalidData = $this->request->getPost();

Instead, the programmer can use only $validAndInvalidData = $this->request->getPost(); and he/she should know what fields should be trusted and what should not. Still, if I'm missing something here, please correct me. I know I could be wrong. Thanks for the reply.
(10-09-2023, 08:54 AM)sammyskills Wrote: https://codeigniter4.github.io/CodeIgnit...s-validate

Yeah, that's what I'm saying. Instead of introducing new methods, the right thing is fixing the root of the issue, which is the $this->validate() method. There should not be any known security issues in the $this->validate() method in the first place. Thanks.
(10-09-2023, 04:48 AM)MrWhite Wrote: If the $this->validate() method working fine then why we need this new method? if $this->validate() returns true then we can be sure about the submitted data.

Because $this->validate() is broken. Even if $this->validate() returns true, we cannot be sure about the submitted data. The true issue is what data $this->validate() validates. If you create a normal form, you expect the data to be POST data. But it is not certain that $this->validate() validates it.

(10-09-2023, 04:48 AM)MrWhite Wrote: If the $this->validate() got any security issues, then that method is the one we have to fix, instead introduce new methods.

Yes, you are correct. But it seems impossible to me. If you can, feel free to send a Pull Request for it.
A simple solution is to use $this->validateData() instead of $this->validate().
https://codeigniter4.github.io/CodeIgnit...lidatedata
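To show the difference the thread is arguing about, here is an added example (not code from the thread or from CodeIgniter itself) of a controller written both ways. It assumes a CodeIgniter 4.4+ project and a hypothetical App\Models\UserModel whose $allowedFields includes an is_admin column that administrators set elsewhere; the newsletter field stands in for a form field deliberately left out of the rules.

```php
<?php

namespace App\Controllers;

use App\Models\UserModel; // assumed: $allowedFields = ['name', 'email', 'is_admin', 'newsletter']

class Users extends BaseController
{
    private array $rules = [
        'name'  => 'required|max_length[50]',
        'email' => 'required|valid_email',
    ];

    // Risky pattern: validate() passes, then the whole request body is saved.
    // The rules never mention is_admin, so a request body carrying is_admin=1
    // still satisfies validate() and the value reaches the model untouched.
    public function storeRisky()
    {
        if (! $this->validate($this->rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        (new UserModel())->save($this->request->getPost()); // everything posted is saved

        return redirect()->to('/users');
    }

    // Pattern recommended in the thread: validate exactly the POST data with
    // validateData(), then save only the keys the rules covered.
    public function storeSafe()
    {
        $post = $this->request->getPost();

        if (! $this->validateData($post, $this->rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        // Only 'name' and 'email' come back; is_admin cannot be smuggled in.
        $clean = $this->validator->getValidated();

        // A field intentionally left unvalidated is taken explicitly and coerced,
        // rather than by handing the model the raw request array.
        $clean['newsletter'] = (bool) ($post['newsletter'] ?? false);

        (new UserModel())->save($clean);

        return redirect()->to('/users');
    }
}
```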
@MrWhite Does the following note in the User Guide answer your question?
Quote: Warning