$this->validator->getValidated() looks stupid and unnecessary
#11

(This post was last modified: 10-09-2023, 08:07 PM by MrWhite.)

(10-09-2023, 09:21 AM)sammyskills Wrote: Feel free to send a PR!

I wish I could! But I don't think I have a good hang of the framework inside out.

(10-09-2023, 01:52 PM)kenjis Wrote:
(10-09-2023, 04:48 AM)MrWhite Wrote: If the $this->validate() method working fine then why we need this new method? if $this->validate() returns true then we can be sure about the submitted data.

Because $this->validate() is broken. Even if $this->validate() returns true then we cannot be sure about the submitted data.
The true issue is what data $this->validate() validates.

If you create a normal form, you expect the data is POST data. But it is not sure $this->validate() validates it.

(10-09-2023, 04:48 AM)MrWhite Wrote: If the $this->validate() got any security issues, then that method is the one we have to fix, instead introduce new methods.

Yes, you are correct. But it seems impossible to me. If you can, feel free to send a Pull Request for it.
I wish I could, man. But if you were not able to fix that method, I'm sure I won't be able to either. You are much more capable than me :)

(10-09-2023, 01:56 PM)kenjis Wrote:
(10-09-2023, 08:35 AM)MrWhite Wrote: And we do it intentionally sometimes, because there are some situations where we don't want some fields to be validated.

In my understanding, all data always should be validated. No exception.
Why don't you want some fields to be validated?

As an example, let's say we have an optional checkbox. We don't care about its value or whether it's submitted or not. We only care about whether that checkbox is in the submitted data array or not. For that kind of situation I don't feel like adding validation.

(10-09-2023, 02:01 PM)kenjis Wrote: A simple solution is to use $this->validateData() instead of $this->validate().
https://codeigniter4.github.io/CodeIgnit...lidatedata

Thanks, I will use the validateData() method instead of the validate() method.
This reply was very helpful.

(10-09-2023, 02:04 PM)kenjis Wrote: @MrWhite Does the following note in the User Guide answer your question?

Quote: Warning

When you use the validate() method, you should use the getValidated() method to get the validated data. Because the validate() method uses the Validation::withRequest() method internally, and it validates data from $request->getJSON() or $request->getRawInput() or $request->getVar(), and an attacker could change what data is validated.

https://codeigniter4.github.io/CodeIgnit...s-validate

It could be better if this description highlighted the validateData() method.

Thanks for all the hard work @kenjis, appreciate that.
Reply
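To make the distinction in this exchange concrete, here is an added controller example (not code from the thread or from the CodeIgniter project) showing the fragile pattern beside the hardened one. It assumes CodeIgniter 4.4 or later, where Controller::validateData() and Validation::getValidated() exist, and a hypothetical ProfileModel; the field names and rules are constructed for illustration.

```php
<?php

namespace App\Controllers;

// Added example, not code from the thread or the CodeIgniter project.
// Assumes CodeIgniter 4.4+ (validateData() and getValidated() available).
class ProfileController extends BaseController
{
    private array $rules = [
        'email'   => 'required|valid_email|max_length[254]',
        'display' => 'required|alpha_numeric_space|max_length[40]',
    ];

    // Fragile pattern from the thread: validate() lets the validation library
    // choose the data source (JSON body, raw input or getVar()), while this
    // code then reads from a source of its own choosing. The two can differ,
    // so a "true" result says nothing about the array that is actually saved.
    public function updateFragile()
    {
        if (! $this->validate($this->rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        // getVar() merges GET and POST; not necessarily what was validated.
        $data = [
            'email'   => $this->request->getVar('email'),
            'display' => $this->request->getVar('display'),
        ];

        return $this->save($data);
    }

    // Hardened pattern: name the data source explicitly (POST only) and
    // persist only the array the validator hands back. Keys that have no
    // rule are not part of the validated array, so an extra POST field
    // cannot ride along into save().
    public function updateSafe()
    {
        $posted = $this->request->getPost();

        if (! $this->validateData($posted, $this->rules)) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }

        $data = $this->validator->getValidated();

        return $this->save($data);
    }

    private function save(array $data)
    {
        // Hypothetical model; replace with the application's own.
        model(\App\Models\ProfileModel::class)->save($data);

        return redirect()->to('/profile')->with('message', 'Saved');
    }
}
```

The point of updateSafe() is that the array passed to validateData() and the array returned by getValidated() are the same data set, so what was checked is what gets stored; updateFragile() validates one thing and stores another.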
#12

(10-09-2023, 01:56 PM)kenjis Wrote:
(10-09-2023, 08:35 AM)MrWhite Wrote: And we do it intentionally sometimes, because there are some situations where we don't want some fields to be validated.

In my understanding, all data always should be validated. No exception.
Why don't you want some fields to be validated?

There could be many examples. One that comes to mind is an address field. Validating address fields is only asking for trouble...
Reply
#13

(10-11-2023, 03:00 PM)Inc33 Wrote: There could be many examples. One that comes to mind is an address field. Validating address fields is only asking for trouble...

No, it has max length. At least it should be checked.

If the address is longer than your column length, you cannot save it to the database.
If it is too long, e.g., more than 1,000 characters, it must be invalid.

If it has invisible characters, it also is probably invalid.
If you expect English alphabets and 1-9 numbers, Chinese characters are invalid.
Reply
#14

(10-11-2023, 03:54 PM)kenjis Wrote:
(10-11-2023, 03:00 PM)Inc33 Wrote: There could be many examples. One that comes to mind is an address field. Validating address fields is only asking for trouble...

No, it has max length. At least it should be checked.

If the address is longer than your column length, you cannot save it to the database.
If it is too long, e.g., more than 1,000 characters, it must be invalid.

If it has invisible characters, it also is probably invalid.
If you expect English alphabets and 1-9 numbers, Chinese characters are invalid.

Hey @kenjis, what do you think about my example, the checkbox example?
Of course we can add in_list or some other validation rule, but then we have to add a hidden input field for that checkbox.
Reply
#15

@MrWhite

Yes, in_list should be used. An attacker can send any value to the checkbox field.

> but then we have to add hidden input field for that checkbox.

Why, I don't know.
Reply
#16

(10-15-2023, 03:19 PM)kenjis Wrote: @MrWhite

Yes, in_list should be used. An attacker can send any value to the checkbox field.

> but then we have to add hidden input field for that checkbox.

Why, I don't know.

The problem is, when using in_list type validation rules for optional checkboxes, the validator always expects a value to be submitted. If the form is submitted with the checkbox unchecked, then the validation will fail. I think it should not happen. Non-submitted inputs should be ignored. To mitigate this issue, we have to use a hidden input for all the optional inputs. I think it's a dirty way of handling things.

Here is an example from one of my CI4 apps.

Validation rule:
[Image: jmhRldZ.jpg]

The view:
[Image: 19qMvsm.jpg]

The validation will pass if I submit the form with the checkbox checked. If not, validation will fail.
I have double checked that there is no hidden input field for the checkbox.

Don't you think this is an issue?

If I'm mistaken, please help me. Thanks for your time :)
Reply
#17

If it is optional (checkbox seems to be optional in most cases), add the permit_empty rule.

PHP Code:
'permit_empty|in_list[1]' 

If it won't work, it is a bug.
Reply
#18

(10-15-2023, 10:35 PM)kenjis Wrote: If it is optional (checkbox seems to be optional in most cases), add the permit_empty rule.

PHP Code:
'permit_empty|in_list[1]' 

If it won't work, it is a bug.

permit_empty did the trick. Thanks man, appreciate that. (y)
Reply
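As an added example (not code from the thread), the permit_empty|in_list[1] rule from the previous posts run through the Validation service against three constructed payloads: the checkbox checked, the checkbox unchecked (the browser omits the field entirely), and a client that sends an arbitrary value. It assumes CodeIgniter 4.4+ so that service('validation') and getValidated() are available; the field names and payloads are constructed for illustration.

```php
<?php

// Added example, not code from the thread. Assumes CodeIgniter 4.4+ and a
// context (controller, command, test) where service('validation') resolves.

// Constructed payloads standing in for $this->request->getPost().
$payloads = [
    'checked'   => ['title' => 'Hello', 'newsletter' => '1'],
    'unchecked' => ['title' => 'Hello'],                       // field absent
    'tampered'  => ['title' => 'Hello', 'newsletter' => 'yes'], // arbitrary value
];

$rules = [
    'title'      => 'required|max_length[120]',
    // permit_empty: a missing/empty box is fine; in_list[1]: if present it
    // must be exactly "1", so a client cannot smuggle in any other value.
    'newsletter' => 'permit_empty|in_list[1]',
];

// Runs the rules against one data array and returns [passed, validated-or-errors].
function validateForm(array $data, array $rules): array
{
    // The shared service keeps state between calls, so reset it first.
    $validation = service('validation');
    $validation->reset()->setRules($rules);

    $ok = $validation->run($data);

    return [$ok, $ok ? $validation->getValidated() : $validation->getErrors()];
}

foreach ($payloads as $name => $payload) {
    [$ok, $result] = validateForm($payload, $rules);

    if (! $ok) {
        echo "{$name}: rejected - " . json_encode($result) . PHP_EOL; // tampered
        continue;
    }

    // Derive the boolean from the validated array only; an absent key
    // (unchecked box) simply reads as false rather than failing.
    $subscribed = ($result['newsletter'] ?? '') === '1';

    echo "{$name}: accepted, subscribed=" . var_export($subscribed, true) . PHP_EOL;
}
```

Expected behaviour given the rules above: "checked" and "unchecked" both pass (subscribed true and false respectively), while "tampered" is rejected by in_list[1]. This is the hidden-input-free handling the thread arrives at: the rule tolerates absence, and the application reads the flag from the validated array rather than from the raw request.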