MY_Form_Validation w/ spam and CSRF protection
#11

[eluser]mighty_falcon[/eluser]
It is just out of the box, and it is not set at all, even the first time the controller is loaded. When I view the source of the form in the browser, the value of the hidden field is empty, and it of course sends a validation error (this field is required...).

Could you post a sample code on how you are using the nonce function in the controller?

The way I have it set up in my controller is basically this:

Code:
$this->form_validation->nonce();

if ($this->form_validation->run('user_details') == TRUE) { // validation has been passed
...
#12

[eluser]erik.brannstrom[/eluser]
All you have to do in your controller is what you've already done, namely calling nonce().

One thing that occurs to me is that you are using a config file to set the rules, which I haven't done myself. As far as I know, you can only set validation rules using config if you haven't already used the set_rules method (which is done in the nonce method). Seems a bit weird, but perhaps if you just try to move your validation rules to the controller?

And just to be sure, you are using the new form_open function to create your form, right?
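To make the flow described above concrete (controller registers a nonce, the extended form_open() emits it as a hidden field, the validation rule requires a matching value on POST), here is an added, self-contained sketch of that pattern. It is not the MY_Form_Validation or PyroCMS code discussed in this thread and does not use CodeIgniter at all; the class name NonceGuard, the method names createNonce/formOpen/verify and the array standing in for the session are all assumptions made for the example. It also reproduces the symptom reported in the thread: rendering the form without first creating a nonce yields an empty hidden field, which then fails the required check.

```php
<?php
// Added example, not code from the thread or from MY_Form_Validation.
// Session storage is simulated with a plain array; names are assumptions.
declare(strict_types=1);

final class NonceGuard
{
    private const FIELD = 'nonce';   // hidden field name, as in the thread
    private ?string $nonce = null;   // value to render in the current response
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;  // share the caller's "session" array
    }

    // Controller side: call before rendering the form (the thread's nonce()).
    public function createNonce(): string
    {
        $this->nonce = bin2hex(random_bytes(16));    // 128 bits, unguessable
        $this->session[self::FIELD] = $this->nonce;  // server-side copy for the check
        return $this->nonce;
    }

    // Helper side: what an extended form_open() would emit. If createNonce()
    // was never called, the field is rendered with value="" - the thread's symptom.
    public function formOpen(string $action): string
    {
        $value = htmlspecialchars((string) $this->nonce, ENT_QUOTES, 'UTF-8');
        $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
        return '<form action="' . $action . '" method="post">' . "\n"
             . '<input type="hidden" name="' . self::FIELD . '" value="' . $value . '" />';
    }

    // Validation side: true only if the posted value matches the stored one.
    // The stored nonce is consumed either way, so one token is good for one submit.
    public function verify(array $post): bool
    {
        $expected = $this->session[self::FIELD] ?? null;
        unset($this->session[self::FIELD]);
        $given = $post[self::FIELD] ?? '';
        if (!is_string($expected) || $expected === '' || !is_string($given) || $given === '') {
            return false;  // equivalent of "The Nonce field is required"
        }
        return hash_equals($expected, $given);  // constant-time comparison
    }
}

// Simulated request cycle (constructed for the example, not real traffic).
$session = [];
$guard = new NonceGuard($session);

// Request 1: the form is rendered without calling createNonce() first.
echo $guard->formOpen('/user/details'), "\n";   // hidden field has value=""
assert($guard->verify(['nonce' => '']) === false);

// Request 2: createNonce() runs before rendering, so the field is populated.
$token = $guard->createNonce();
$html  = $guard->formOpen('/user/details');
assert(strpos($html, 'value="' . $token . '"') !== false);

// The matching token passes once; a replay, an empty value or a forged value fails.
assert($guard->verify(['nonce' => $token]) === true);
assert($guard->verify(['nonce' => $token]) === false);   // already consumed
$guard->createNonce();
assert($guard->verify(['nonce' => str_repeat('0', 32)]) === false);
echo "nonce checks behaved as expected\n";
```

Two design points worth noting: the comparison uses hash_equals() rather than == so the check does not leak timing information, and the stored nonce is removed on every verify() call so a captured token cannot be replayed. Because this sketch keeps a single session key, two forms rendered in the same session would overwrite each other's nonce; supporting several forms at once needs a per-form key, which is the limitation the later posts in this thread talk about.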
#13

[eluser]mighty_falcon[/eluser]
Yes, I extended the form helper and am using the new form_open function.

I also removed all the other validation rules just to test it out, and I am still getting an empty value for the nonce field:

Code:
<input type="hidden" name="nonce" value="" />

which ends up producing the "The Nonce field is required" validation error when I submit it.
#14

[eluser]erik.brannstrom[/eluser]
Is the create_nonce method called at all? If not, is the has_nonce property set as true? I can't really do much on my end, so start adding echo statements to see where things go wrong.
#15

[eluser]Phil Sturgeon[/eluser]
Not a shameless plug at all, this is some great work and we've put it into PyroCMS v0.9.9.5 to automatically protect all POST forms where form_open() and Form_validation are used - which is basically all forms.
#16

[eluser]erik.brannstrom[/eluser]
Thanks Phil, good to hear! I'll post-license this as DBAD, so if you make a ton of money out of PyroCMS you know what you'll owe me!

Anyways, the next step is to allow for multiple forms to be used at the same time without interfering with each other. I'll give a shout out when (or rather if) it gets done.
