Question about CRUD models validating column list
#1

[eluser]CharleyW[/eluser]
I have seen several CRUD models that include code to validate the column names in the query against a list of columns derived by querying the table structure.

What is the reason for doing this?

Thanks.
#2

[eluser]Developer13[/eluser]
I don't know about anybody else, but I'm not sure I follow. Could you post an example of what you've seen in a CRUD model that does this?
#3

[eluser]Dennis Rasmussen[/eluser]
You have?
Could you give us an example of a model which does that?
I personally haven't seen any models doing that yet.

For D13, I believe he's trying to say that a lot of the models he's stumbled upon validate the column names against a pre-written array of column names for each table.
#4

[eluser]CharleyW[/eluser]
Dennis is correct.

Here's one - http://www.lukemacneil.com/code/my-codei...crud-model - look at the second method in the class (modRecords).
#5

[eluser]techgnome[/eluser]
In that case, it's an effort to build a complete UPDATE query... it's not actually validating the fields passed... check that... in a way it is... because you can only update fields in that table... so it's ensuring that the fields passed in actually belong to that table. Sort of a safety check - prevents incorrect SQL queries from being made. I'm a little surprised the addRecord method just above doesn't do the same.

Usually when I do this sort of validation, it's more to set default values when something is missing.

-tg
#6

[eluser]CharleyW[/eluser]
Thank you.

I just don't see the sense in the way he's using it. I've also seen CRUD models where an array of allowable column names is a parameter to the method. Neither make any sense to me.
#7

[eluser]techgnome[/eluser]
It makes sense to me.... If my table only has Field1, Field2, and Field3.... if I accidentally pass FieldXYZ in.... it's going to tank... so as a safety precaution, it checks to ensure that only Field1, Field2, Field3 get added to the query. Granted, you shouldn't be passing in data that isn't necessary, but not everyone out there is a developer and sometimes people play it fast and loose. And if you are using a generic routine, and not a dedicated one... you need all the safety nets you can get.

-tg
#9

[eluser]jmadsen[/eluser]
"prevents incorrect SQL queries from being made"

I always found the SQL database to do a good job of that. Why put so much overhead on all of your statements?

Then again, I'm not really known as an active record fan :-)
#10

[eluser]techgnome[/eluser]
"I always found the sql database to do a good job of that. "

Really? Because I've seen the opposite to be true... especially when it comes to just stringing SQL statements together. If the input is controlled, then it's less of an issue... but when dealing with user input... it can be dangerous.

But eh... whatever. To each their own. Whatever boats your float.

-tg


EDIT: I just actually thought about this ... the above response was more geared towards preventing SQL Injection.... my original thought was to prevent updating a field that doesn't exist... YES, the database will prevent that... but at the cost of an error... I prefer the more proactive approach... error prevention.
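The column-list check the thread is debating (posts #5, #7 and the injection angle in #10) in working code, as an added example that is not part of the thread and not the linked CodeIgniter model. It is written in Python against sqlite3 rather than PHP; the `users` table, its rows and the request dictionary are constructed for the demo. The security point it illustrates: bound parameters (`?`) protect values, but column names sit in the identifier position of the statement, where parameters cannot be used, so the only way to let a generic routine accept a caller-supplied list of fields safely is to keep just the names the schema itself reports. A typo'd field and a field name carrying SQL are both dropped before any statement text is built, which is the "error prevention" techgnome describes.

```python
"""Schema-derived column whitelist for a generic UPDATE builder (sqlite3)."""
import sqlite3


def table_columns(conn: sqlite3.Connection, table: str) -> set:
    """Return the real column names of `table` as reported by the database schema."""
    # The table name comes from code (a constant in the model), never from request data.
    rows = conn.execute(f"PRAGMA table_info('{table}')").fetchall()
    return {row[1] for row in rows}  # row[1] is the column name


def build_update(conn, table, data: dict, key_column: str, key_value):
    """Build a parameterized UPDATE, keeping only keys that are real columns.

    Returns (sql, params, rejected); `rejected` lists the request keys that
    were discarded because the schema does not know them.
    """
    allowed = table_columns(conn, table)
    if key_column not in allowed:
        raise ValueError(f"unknown key column {key_column!r}")
    # Identifiers are taken from the schema set, so no request string ever
    # reaches the statement text; values go through bound parameters.
    kept = {k: v for k, v in data.items() if k in allowed and k != key_column}
    rejected = sorted(k for k in data if k not in allowed)
    if not kept:
        raise ValueError("no updatable columns supplied")
    set_clause = ", ".join(f'"{col}" = ?' for col in kept)
    sql = f'UPDATE "{table}" SET {set_clause} WHERE "{key_column}" = ?'
    params = tuple(kept.values()) + (key_value,)
    return sql, params, rejected


def demo():
    """Run the builder on a constructed request and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "user"), ("bob", "bob@example.test", "user")],
    )
    # Constructed request: one real column, one typo'd column (post #7's FieldXYZ),
    # and one key that tries to smuggle SQL through the identifier position.
    request = {
        "email": "alice@new.example.test",
        "FieldXYZ": "oops",
        "role = 'admin', name": "x",
    }
    sql, params, rejected = build_update(conn, "users", request, "id", 1)
    conn.execute(sql, params)
    conn.commit()
    row = conn.execute("SELECT name, email, role FROM users WHERE id = 1").fetchone()
    admins = conn.execute("SELECT COUNT(*) FROM users WHERE role = 'admin'").fetchone()[0]
    conn.close()
    return {"sql": sql, "rejected": rejected, "row": row, "admins": admins}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Whether to silently drop unknown keys (as above) or raise on them is a design choice: dropping suits a generic routine fed by form posts, raising is better when the caller is other code and a stray key indicates a bug. Either way the decision is made before the statement exists, and the `rejected` list gives you something to log, which is the detection hook a plain database error would not provide. The schema query is cheap to cache per table for the life of the process if the overhead jmadsen mentions matters.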



