How do I prevent general users from accessing the callback function for the form_validation class?
#1

[eluser]adityamenon[/eluser]
In my controller, I have:

Code:
class Some_controller extends CI_Controller {
  function some_page() {
    if($this->input->post()) {
      $this->form_validation->set_rules('some_field', 'Some Field', 'callback_some_field_verifier');
      $this->form_validation->run();
    }
  }

  function some_field_verifier($str) {
    if($str !== 'some sort of verification') {
      return false;
    } else {
      return true;
    }
  }
}

I want to prevent people from visiting mysite.com/some_controller/some_field_verifier/test_var, even if they just come up with an empty page. I could add a condition that checks if a variable was supplied, and it's somewhat far-fetched to think someone would think to submit an additional string in the URL, but it's semantically wrong... and might be good hunting for bots looking at site vulnerabilities.

An htaccess redirect comes to mind, but is there an in-framework way to verify that the function is being called only from the form_validation class and not by itself? Private and protected callback methods don't do the trick because the Form validation class cannot call them out of my controller...
#2

[eluser]victorcl[/eluser]
Use an underscore as the first character of your function name.
Code:
class Some_controller extends CI_Controller {
  function some_page() {
    if($this->input->post()) {
      $this->form_validation->set_rules('some_field', 'Some Field', '_callback_some_field_verifier');
      $this->form_validation->run();
    }
  }

  function _some_field_verifier($str) {
    if($str !== 'some sort of verification') {
      return false;
    } else {
      return true;
    }
  }
}
#3

[eluser]adityamenon[/eluser]
That didn't work. The function is simply not being called during validation...
#4

[eluser]victorcl[/eluser]
Sorry, it was like this:
Code:
$this->form_validation->set_rules('some_field', 'Some Field', 'callback__some_field_verifier');
#5

[eluser]CroNiX[/eluser]
Code:
function _name_of_validation_function($str) // use _ as first character of function name to make private.

Then, your callback rule would be "callback__name_of_validation_function" (2 underscores between callback and function name), since callbacks are normally preceded by "callback_" + function name.

You can also create a MY_Form_validation library that extends CI_Form_validation and add your own rules there and use them like the rest of the form validation rules without using "callback_". The rules would be defined in that class instead of your controller, so you wouldn't be able to access the functions via the URL anyway, AND they would be available to the rest of your controllers that you use form_validation in.
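
The library approach from post #5, sketched as an added example that is not part of the original thread or any poster's code. It assumes CodeIgniter's default `MY_` subclass prefix and the default `application/libraries/` location, and reuses the thread's `some_field_verifier` name and check; the error message text is made up.

```php
<?php
// Assumed location: application/libraries/MY_Form_validation.php
// (default subclass prefix "MY_"; adjust if your config changes it).
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Form_validation extends CI_Form_validation {

    // Referenced in a rule string as plain "some_field_verifier",
    // with no "callback_" prefix. Because the method lives in a library
    // and not in a controller, no URL segment maps to it.
    public function some_field_verifier($str)
    {
        if ($str !== 'some sort of verification') {
            // %s is replaced with the field's human-readable label.
            $this->set_message('some_field_verifier', 'The %s field failed verification.');
            return FALSE;
        }
        return TRUE;
    }
}

// The controller from post #1, now with only the page action exposed.
class Some_controller extends CI_Controller {

    public function some_page()
    {
        // Loading the core library also loads the MY_ extension above.
        $this->load->library('form_validation');

        if ($this->input->post()) {
            $this->form_validation->set_rules(
                'some_field',
                'Some Field',
                'required|some_field_verifier'
            );

            if ($this->form_validation->run() === FALSE) {
                // Validation failed: redisplay the form with its errors.
                return;
            }
            // Validation passed: continue processing the submission.
        }
    }
}
```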
#6

[eluser]adityamenon[/eluser]
That worked, thanks CroNiX and VictorCL.



