Validation with generated form fields

[eluser]TunaMaxx[/eluser]
I'm having a hard time wrapping my brain around using the form validation class when field names may not be known ahead of time.

For example, I have a form that accepts order details. The user can click and "Add an Item" button and another row of details is added to the form by javascript. The initial form is something like this:

Code:

<form>
<div id="order_01">
  &lt;input type="text" name="name_01" value="" id="name_01"&gt;
  &lt;input type="text" name="size_01" value="" id="size_01"&gt;
  &lt;input type="text" name="color_01" value="" id="color_01"&gt;
</div>
&lt;input type="submit" value="Add an Item"&gt;
&lt;/form&gt;

Clicking the "Add an Item" button generates something like this:

Code:

<form>
<div id="order_01">
  &lt;input type="text" name="name_01" value="" id="name_01"&gt;
  &lt;input type="text" name="size_01" value="" id="size_01"&gt;
  &lt;input type="text" name="color_01" value="" id="color_01"&gt;
</div>
<div id="order_02">
  &lt;input type="text" name="name_02" value="" id="name_02"&gt;
  &lt;input type="text" name="size_02" value="" id="size_02"&gt;
  &lt;input type="text" name="color_02" value="" id="color_02"&gt;
</div>
&lt;input type="submit" value="Add an Item"&gt;
&lt;/form&gt;

I know you can use arrays as field names, but I'm not sure that applies here. Any suggestions?

[eluser]skunkbad[/eluser]
When you click "Add an item", besides making the new row of details, you should set a hidden form field with the count of rows. So if you have two rows, the value is 2. Upon submission, your form validation can be created dynamically.

Code:

for( $x=1; $x <= $this->input->post('row_count'); $x++ )
{
     // set rules
     $this->form_validation->set_rules('name_' . $x, 'Name in row' . $x, 'required');
     // and so on ...
}

[eluser]TunaMaxx[/eluser]
Oh! Such a simple solution! Thank you very much.

[eluser]Aken[/eluser]
I could bypass that method in about five seconds. Not a great solution. Hidden inputs and such are susceptible to user manipulation. The idea is to never trust your users.

I would add the first item normally, since one will always be required I assume. Then, loop your post array, check for a specific name structure, add your validation rules for any dynamically added items, and ignore any that don't match what you're expecting.

Another option is to have each form item as an array. So you wouldn't need to change the names ever, they would all be name[] or size[].

Unfortunately the validation library is kind of limited when it comes to this kind of thing, so you have to get pretty creative.

[eluser]TunaMaxx[/eluser]
In all seriousness, what could be gained from bypassing the hidden input method?

Sure, one could spoof the 'row_count' hidden field value, but as long as I made sure it was an integer what would be gained? The user can add as many fields as they want on the form page anyways, and the validation loop should take care of any empty / malicious data.

On the other hand, after more thought the form item as arrays makes perfect sense now too.

[eluser]Aken[/eluser]
I could set that number to whatever I wanted. If you validated for only an integer, I could set it to zero, and it would add no validation rules in that loop. Then, all of my data would go through unvalidated, which depending on how you have the rest of your code set up, could be malicious.