Can Form_Validation check GET data?
#1

[eluser]helloworld7[/eluser]
Hi. I'm passing data on the query string. http://domain.com/delete_photo?id=12345

And I'm doing this on my controller - delete_photo function.

$this->load->library('form_validation');
$this->form_validation->set_rules('id', 'id', 'required');
if ($this->form_validation->run() == FALSE) {
    print "problem";
} else {
    print "GOOD";
}

It always displays "problem" with the following and nothing else.

I also print out error_string() or error('id') and there's nothing.

I've $config['enable_query_strings'] = TRUE; but it still failed.

Can the form validation library only be used on POST data? How can I validate GET data? It would be helpful to use it to test GET data as I don't want to create my own.

Thanks.
#2

[eluser]Narkboy[/eluser]
Ok - I really can't tell you if validation requires POST - I hope so!

But - do you really want users to be able to delete any photo they want? Or even all photos? That's what you're doing - by providing the user with the information they need to delete any photo_id. 30 seconds with Notepad and I can produce a script that will load http://domain.com/delete_photo?id=1 all the way to delete_photo?id=999999999 and then yay! you've got no photos.

Even if you're not looking to let the public near this, it's a really bad idea. Use good design principles and send it via POST, improving security, and neatly side-stepping your GET issue with validation.

/B
#3

[eluser]danmontgomery[/eluser]
[quote author="Narkboy" date="1308154919"]Ok - I really can't tell you if validation requires POST - I hope so!

But - do you really want users to be able to delete any photo they want? Or even all photos? That's what you're doing - by providing the user with the information they need to delete any photo_id. 30 seconds with Notepad and I can produce a script that will load http://domain.com/delete_photo?id=1 all the way to delete_photo?id=999999999 and then yay! you've got no photos.

Even if you're not looking to let the public near this, it's a really bad idea. Use good design principles and send it via POST, improving security, and neatly side-stepping your GET issue with validation.

/B[/quote]

To be fair, without any kind of authentication before deleting items, 30 seconds with notepad and you could delete all of the images whether he were using get or post
#4

[eluser]Narkboy[/eluser]
[quote author="noctrum" date="1308155007"]To be fair, without any kind of authentication before deleting items, 30 seconds with notepad and you could delete all of the images whether he were using get or post[/quote]

Yes, sadly very true. I wasn't trying to give him the bulletproof solution - but please don't tell me you think using GET for something like this is a good idea? It's about the approach to design..
#5

[eluser]danmontgomery[/eluser]
[quote author="Narkboy" date="1308155490"][quote author="noctrum" date="1308155007"]To be fair, without any kind of authentication before deleting items, 30 seconds with notepad and you could delete all of the images whether he were using get or post[/quote]

Yes, sadly very true. I wasn't trying to give him the bulletproof solution - but please don't tell me you think using GET for something like this is a good idea? It's about the approach to design..[/quote]

I think in almost all cases it's not ideal to expose PKs, but my point in that post was simply that regardless of the method, you should be checking to be sure the user has permission to be doing what they're trying to do.

As to the original question, form_validation explicitly checks $_POST in several places, so without extension it won't validate $_GET data... ie:

Code:
public function run($group = '')
    {
        // Do we even have any data to process? Mm?
        if (count($_POST) == 0)
        {
            return FALSE;
        }
#6

[eluser]toopay[/eluser]
@noctrum and narkboy
Who knows, he might have had a hexadecimal-based ACL that checks md5 of user's email, and equipped with digest HTTP authorization, at his "back-end" layer...
#7

[eluser]helloworld7[/eluser]
Hi. Thanks for the response. But why every forum there will be people not answer your question and judge what u're doing.

First at some point it's a link instead of a form and you need to pass data on query string. Second my script "delete" script will check the user's session and their member id from session. And I will delete only with query string "delete from photos where id=? and member_id=?". The photo has to belong to a specific member and the member is from the session. And user has to login before using that script. Maybe I should not show any code and ask can u do GET data? I'm just showing the code on how to do it and see if u see anything wrong (code not logic). Maybe that's a bad example. Why can't people just answer what they are asked?

I'm more interested to know if I could do get validation using form_validation but it seems not. Are there any library that can validate GET data?

Do I really need to explain my whole system before asking what I want man?

Also if someone wants to hack your script they can read your form (source code) and save your page as their own html. Then they can also put whatever id they want on the script too. So it's not like u can prevent with post. It's just more readable as url. Any programmer should know that.

Yea. They can even create their own form with text input so they can type on the form too which post to the script. Is that really secure? Oh yea. So secure. Oh but maybe u can argue if u can do some tricks to not allow view source code from their browser.

U know what I mean. We can go on and on. Why not just answer people what they asked man. I just think find it lame sometime when asking help in forum.

I just never get answer in here!!!
#8

[eluser]marcogmonteiro[/eluser]
I think you can't validate data through form validation on $_GET values. I think form validation is only for $_POST data.

btw a few days ago I noticed something strange.

I was validating a file was selected on form to make the upload, and i was using form validation to do this. But when I make it a required value it always does the same thing and returns false. The form validation can't be used for $_FILES data?


sorry helloworld7 for posting this on your post but i just remember this while I was replying to you.
#9

[eluser]Narkboy[/eluser]
[quote author="helloworld7" date="1308179343"]Hi. Thanks for the response. But why every forum there will be people not answer your question and judge what u're doing.[/quote]

Sorry about that. Just trying to help :)

The reason I suggested that you use POST is because form_validation works with POST, not GET. Why? Simply because sending anything from a form as GET is a poor idea. If you're running it from a link, then you don't want form validation - the data is not coming from a form.

If you need code to validate incoming GET data, for whatever reason, then simply code a helper file (or model if it's not needed everywhere) with the required validation. If you're not sure how form_validation does its thing, then check out Form_validation.php in system/libraries. It has discrete functions for each rule - copy / paste then modify as required.

What are you trying to validate? That the image id is numeric? Use:

Code:
/**
     * Numeric
     *
     * @access    public
     * @param    string
     * @return    bool
     */
    function numeric($str)
    {
        return (bool)preg_match( '/^[\-+]?[0-9]*\.?[0-9]+$/', $str);
    }

Gives TRUE if $str contains only 0-9, '.', '+', or '-'. FALSE otherwise.

Copied from Form_validation - it uses preg_match because the form (and your GET data) is always a string, rather than an int.

If you need to check the image id is valid, then you'll want a function that looks up the database (or searches the files) to find it. Form validation doesn't do that in any case.

To elaborate on the 'not getting an answer' thing, it comes down to this: there is no 'best' way of doing things, but there are 'better' and 'worse' ways. It's better to send form data via POST, so form_validation works on POST. To validate GET, create your own functions.

As to extending form_validation to work with GET - you can do it pretty simply. Create MY_form_validation.php then you need to create modified versions of 'set_rules' and 'run'. Possibly others, but I'm not sure. Any function that has '$_POST' in it needs replacing with a custom version.

Personally, if I needed a lot of 'validation' type functions, I'd create a separate library, based on Form_validation.php, but written specifically for GET data. Call it Get_validation perhaps.

Why? Simply because then you avoid a situation where one type of data can be overwritten by the other. It also allows you to setup the validation exactly as you need without worrying that you may break / render unsecure the original functionality.

Hope that actually answers the question.

/B
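
Added example (not part of any post in this thread and not CodeIgniter's own code): a standalone GET-parameter check of the kind suggested above, run next to the quoted `numeric` rule, which also accepts signs, decimals and a value ending in a newline. The helper names `valid_id` and `get_photo_id` and the sample query strings are assumptions made for illustration.

```php
<?php
// Added example: validate a GET id without Form_validation.

// The rule quoted in the thread, copied here only for comparison.
function numeric($str)
{
    return (bool) preg_match('/^[\-+]?[0-9]*\.?[0-9]+$/', $str);
}

// Hypothetical helper: accept only a plain positive integer, 1 to 9 digits.
// \A and \z anchor to the whole string; '$' also matches before a final "\n".
function valid_id($value)
{
    if (!is_string($value)) {   // ?id[]=1 arrives as an array, not a string
        return FALSE;
    }
    return (bool) preg_match('/\A[1-9][0-9]{0,8}\z/', $value);
}

// Hypothetical helper: return the id as an int, or NULL if missing or invalid.
function get_photo_id(array $get)
{
    if (!isset($get['id']) || !valid_id($get['id'])) {
        return NULL;
    }
    return (int) $get['id'];
}

// Constructed sample query strings (%0A is a URL-encoded newline).
$samples = array('id=12345', 'id=-5', 'id=1.5', 'id=12345%0A',
                 'id[]=1', 'id=', 'photo=7');

foreach ($samples as $qs) {
    parse_str($qs, $get);       // stands in for $_GET
    $raw   = isset($get['id']) ? $get['id'] : NULL;
    $loose = is_string($raw) && numeric($raw);
    $id    = get_photo_id($get);
    printf("%-12s numeric=%-5s id=%s\n", $qs,
           $loose ? 'TRUE' : 'FALSE', var_export($id, TRUE));
}
```

In a controller the array passed in would be `$_GET`, and the returned integer is the value to bind into the owner-scoped delete query described in post #7.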
#10

[eluser]fasfad[/eluser]
Quote: Simply because sending anything from a form as GET is a poor idea

Very wrong.

Simply because there are cons using GET, doesn't make it a no-go for every user.

For example:

Using a search form with GET is actually VERY desirable.

You are getting data, so use GET. POST will create issues with refreshing and going back.
You can save search URI's and in some countries like mine there are some adaptations to the W.C.A.G. triple A rules which REQUIRE search-forms to use GET.

And furthermore don't obsess over the beauty of your URIs, they are a tool not a piece of art.

(You think Google search uses POST?)

I'm having the same problem right now, and I'll have to make my own validation for the GET data.



