| Form validation, why only the $_POST array? |
[eluser]sabya[/eluser]
The CI_Form_validation class should work on any associative array passed to it. Becuase: - 1. I may use $_GET 2. I can construct an array programmatically, which I want to go through the same validator functions. So, it will be very helpful to optionally pass an array in the 'run' function. Although this can be achieved by putting the desired array in the $_POST, but will be a bad hack!
[eluser]Evil Wizard[/eluser]
$_GET is an insecure way of submitting form data, if you don't require the security of the post method, why the need for validating? The library is called "form_validation" not array validation, but I do agree that the ability to validate associate arrays to same rules would be advantageous and the form validation could then extend from that to support the post array.
[eluser]sabya[/eluser]
@Evil Wizard, First of all: "validation" is not same as "security". Primarily it is about informing the user, that he has given invalid inputs.
[eluser]Evil Wizard[/eluser]
I acknowledge that there is a difference between security and validity, I was just stating that the two methods to submit a HTML form is via "get" and "post", get is an insecure way, allowing the URL string to be altered after you have validated the input, circumventing your validation efforts. I also recently needed to validate an array that was not post/get and I couldn't be certain it would be my code that created the array and so had to write my own custom array validation method. Had there been a generic validation method available it would have made it easier. I didn't mean to sound obnoxious, I merely asked why the need to validate the $_GET array
[eluser]xwero[/eluser]
Evil wizard $_GET is on the same level of input as $_POST and $_FILES. $_GET should be secured as well or even better than $_POST. Post_validation is a better name for the class because form_validation is too broad as it implies that it checks all input. Validation classes in other frameworks let you specify which global(s) you want to validate so i don't think it's a stupid request.
[eluser]Evil Wizard[/eluser]
Ok, I missed the $_FILES option as that is still technically a POSTED form method and the form type is multipart-formdata, however the $_GET is the URL, that is the bit in the address bar that anyone can change at anytime, the POST data is passed over in the page request so it is therefore not able to be altered easily and is also encrypted to a certain extent by the browser, but globals are an obsolete way of accessing variables and data, in the era of encapsulated modules and OOP. Registered globals was deprecated in php as of version 5.3.0 and will be removed in version 6 I never said it was a stupid request, I only asked about the $_GET, I agreed that a generic array validation would be a welcomed and much utilised library, and possibly the limited form_validation library could extend it. There are no stupid questions
[eluser]xwero[/eluser]
$_POST, $_FILES and $_GET are the globals i'm talking about. Posting a form doesn't mean the $_GET values are obsolete, they are a part of the form. If the $_GET values get stored you need to validate them.
[eluser]Shrike67[/eluser]
Can I use the form_validation class for validating not-post variables? For example if I have a $test variable and I need to check trim|required|min_length[5]|max_length[12]|xss_clean, how can I do that? I need to do a $_POST['test'] = $test; ? :-S and then I use the form_validation class?
[eluser]deadelvis[/eluser]
Look here: http://ellislab.com/forums/viewthread/153602/#884659 Might be a start? |
| Welcome Guest, Not a member yet? Register Sign In |
