Correct Validation Procedure for Forms and AJAX - Is this the right or the wrong way?
#1

[eluser]porangi[/eluser]
Hi,

I'm new to CodeIgniter and am just wanting to make sure I get the whole form validation process correct. This is how I see it:

1) User completes form and submits it.

2) Controller validates the form including xss_clean
Code:
function comment_validate() {
    $this->load->library('form_validation');

    // Each rule is set as: field name, human-readable label, pipe-separated validation rules.
    $this->form_validation->set_rules('title', 'title', 'trim|required|min_length[5]|max_length[128]|xss_clean');
    $this->form_validation->set_rules('author', 'author', 'trim|required|min_length[1]|max_length[25]|xss_clean');
    $this->form_validation->set_rules('body', 'body', 'trim|required|min_length[5]|xss_clean');

    // TRUE when every rule passed, FALSE otherwise.
    return $this->form_validation->run();
}

3) If validation passes calls the model.
Code:
function comment_insert() {
    // Run validation and check the response.
    if ($this->comment_validate() == FALSE) {
        // Validation failed: return to the form.
        $this->comment_new();
    } else {
        // Validation succeeded: go ahead and insert the record.
        $this->load->model('blog_model');
        if ($query = $this->blog_model->comment_insert()) {
            // Record saved: redirect to the success page.
            redirect('blog_admin/comments');
        }
    }
}

4) Model constructs the insert array from the INPUT fields and passes it to the Database:
Code:
// Model method called from the controller above; it reads the POST fields
// again and runs an update keyed on the posted 'id'.
function comment_insert() {
    $new_update_data = array(
        'post_id'   => $this->input->post('post_id'),
        'title'     => $this->input->post('title'),
        'body'      => $this->input->post('body'),
        'author'    => $this->input->post('author'),
        'pdate'     => $this->input->post('pdate'),
        'published' => $this->input->post('published'),
    );

    $this->db->where('id', $this->input->post('id'));
    $update = $this->db->update('blog_comments', $new_update_data);
    return $update;
}

My question is: should I be calling the inputs again in part 4, or am I bypassing the validation and xss_clean? If this is the case, I guess I should pass variables to the function from the previous step.

If I am right I guess I should also be using the escape function in step 4 to be sure my query is escaped correctly.



Another question is related to validating AJAX calls. If I have a JQuery AJAX call like
Code:
// Call AJAX and update the image if successful.
$.post(
    "/index.php/blog_admin/publish_comment",
    { id: id, published: publish_val },
    function (data) {
        if (data == '1') {
            document.getElementById("publish_input_" + id).value = publish_val;
            document.getElementById("publish_img_" + id).src = new_image;
        }
    }
);

This is received by the controller and passed directly to the model. Is this the right way to process it, and should I validate any inputs?

Code:
function publish_comment() {
    $new_publish_data = array(
        'published' => $this->input->post('published'),
    );

    $this->db->where('id', $this->input->post('id'));
    $update = $this->db->update('blog_comments', $new_publish_data);
    return $update;
}
#2

[eluser]Victor Michnowicz[/eluser]
When you set validation rules and then run a successful validation, the POST data gets re-saved. So after form validation your POST data will be trimmed and XSS cleaned.

You also don't have to worry about escaping your data before inserting it into the database as long as you are using active records.

I don't really get what you are asking about your AJAX... But it is always a good idea to validate all user input.
#3

[eluser]porangi[/eluser]
Cheers, that's what I suspected was happening, but I just wanted to confirm. I'm moving over from Joomla/WordPress development and am loving the freedom CodeIgniter provides within a very elegant framework.

My AJAX question was simply how do I validate the input. Is it just the same process as for a form?

Thanks for the reply.

Chris
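As an added example, not code from this thread: one way to validate the AJAX call from post #1 with the same Form Validation library used for the HTML form, and to hand the validated values to the model rather than re-reading $_POST there. It assumes CodeIgniter 2.x, a controller named Blog_admin (matching the URL in the $.post call) and a hypothetical Blog_model::set_published() method; the two classes would live in separate files under application/controllers and application/models.

```php
<?php
// application/controllers/blog_admin.php (assumed location)
class Blog_admin extends CI_Controller {

    public function publish_comment() {
        $this->load->library('form_validation');

        // Same rule syntax as the form. 'id' must be a positive integer and
        // 'published' must be 0 or 1. No xss_clean is needed here: neither
        // value is ever rendered as HTML, and is_natural rejects anything
        // that is not plain digits anyway.
        $this->form_validation->set_rules('id', 'id', 'required|is_natural_no_zero');
        $this->form_validation->set_rules('published', 'published', 'required|is_natural|less_than[2]');

        if ($this->form_validation->run() === FALSE) {
            // The JavaScript caller only acts on '1', so any other reply
            // leaves the page unchanged.
            echo '0';
            return;
        }

        // Read the post-validation values once, cast them, and pass them
        // explicitly so the model never touches $_POST itself.
        $id        = (int) $this->input->post('id');
        $published = (int) $this->input->post('published');

        $this->load->model('blog_model');
        echo $this->blog_model->set_published($id, $published) ? '1' : '0';
    }
}

// application/models/blog_model.php (assumed location)
class Blog_model extends CI_Model {

    // Accepts already-validated values; Active Record escapes them for the query.
    public function set_published($id, $published) {
        $this->db->where('id', $id);
        return $this->db->update('blog_comments', array('published' => $published));
    }
}
```

If CSRF protection is enabled in config.php, the $.post call must also send the CSRF token, since CodeIgniter checks it on every POST, AJAX or not.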




Theme © iAndrew 2016 - Forum software by © MyBB