form validation set_value forced form_prep bug
#1

[eluser]Unknown[/eluser]
There's a bug in the form helper's set_value function when form_validation is loaded that forces form_prep validation on not only the post data, but the default data too.

Code:
if ( ! function_exists('set_value'))
{
    function set_value($field = '', $default = '')
    {
        if (FALSE === ($OBJ =& _get_validation_object()))
        {
            if ( ! isset($_POST[$field]))
            {
                return $default;
            }

            return form_prep($_POST[$field], $field);
        }

        return form_prep($OBJ->set_value($field, $default), $field);
    }
}

return form_prep($OBJ->set_value($field, $default), $field);

This means if you use prep_for_form as a validation rule, it's performed twice, inserting &amp; whenever it encounters an html special character. Submitting a form again and again adds more amps each time. A simple <p> becomes

Code:
<p>


And even worse, a call like

set_value('myfield', '<p>');

would return the default value of

&lt;p&gt;

which is obviously unexpected behaviour!
#2

[eluser]Unknown[/eluser]
This is also inconsistent with what happens if you don't use form_validation.

If form_validation is loaded both the post value and the default is always form_preped (post value is form_preped twice if there is also a prep_for_form rule). If form_validation is not loaded, the post value is form_preped but the default value is not.

I don't know which was the intended behavior (form_prep both or only post values - I guess the latter) but it certainly will lead to a hard to spot bug if you initially write your controller without form_validation and then later decide to use form_validation. Also imagine the mess if you load form_validation in some controllers only.
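
The double escaping and the default-value inconsistency described in the two posts above can be reproduced outside CodeIgniter. The following PHP is an added example, not code from this thread or from CodeIgniter: the `demo_*` functions are hypothetical stand-ins, and `form_prep` is assumed to reduce to `htmlspecialchars()`.

```php
<?php
// Stand-in for the escaping step of CodeIgniter's form_prep() (assumption:
// reduced to htmlspecialchars(); the real helper does more than this).
function demo_form_prep(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Behaviour described in post #1: with form_validation loaded, set_value()
// escapes the value (POST or default) on top of any prep_for_form rule.
function demo_set_value_with_validation(array $post, string $field, string $default, bool $prepRule): string
{
    $value = $post[$field] ?? $default;
    if ($prepRule && isset($post[$field])) {
        $value = demo_form_prep($value);   // first pass: the validation rule
    }
    return demo_form_prep($value);         // second pass: set_value() itself
}

// Behaviour described in post #2: without form_validation, only POST data
// is escaped and the default is returned untouched.
function demo_set_value_without_validation(array $post, string $field, string $default): string
{
    return isset($post[$field]) ? demo_form_prep($post[$field]) : $default;
}

// Hypothetical alternative: keep raw data everywhere, escape once at output.
function demo_set_value_escape_once(array $post, string $field, string $default): string
{
    return demo_form_prep($post[$field] ?? $default);
}

// Constructed input: the user types <p>, then resubmits the redisplayed form.
$post = ['myfield' => '<p>'];
for ($round = 1; $round <= 3; $round++) {
    $html = demo_set_value_with_validation($post, 'myfield', '', true);
    echo "round $round: $html\n";
    // The browser decodes one level of entities before the next submit.
    $post['myfield'] = htmlspecialchars_decode($html, ENT_QUOTES);
}

// Same default, three different results depending on the code path.
echo demo_set_value_with_validation([], 'myfield', '<p>', false), "\n";
echo demo_set_value_without_validation([], 'myfield', '<p>'), "\n";
echo demo_set_value_escape_once(['myfield' => '<p>'], 'myfield', ''), "\n";
```

The unescaped default on the path without form_validation is the case to audit if defaults can ever contain untrusted data, since it reaches the page raw.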



