Secure callback in form validation
#1

[eluser]veledrom[/eluser]
Hi,

I'm trying to find the most secure way of using a callback function. Please help modify my example below.

Thanks



Code:
$this->form_validation->set_rules('text_url', 'Website link', 'trim|xss_clean|callback_minimum_fields[' . $this->input->post('textarea_content') . ']');

$this->form_validation->run();

CALLBACK
Code:
public function minimum_fields($url, $content)
{
    if ($url == '' && $content == '')
    {
        $this->form_validation->set_message('minimum_fields', 'Please provide info for at least one of these: "Website link" and "Content".');
        return false;
    }

    return true;
}
#2

[eluser]boltsabre[/eluser]
Just make your callback a private function, otherwise people can execute it by calling it in the url!
#3

[eluser]CroNiX[/eluser]
If you make it private using "private", then the form validation class won't be able to access the rule. CI has a built-in way to protect methods from being accessed via the URL, and that is to prefix the function name with an underscore.

Of course, wherever you use that function (like setting your validation rules) you'd also need to add an underscore before the function name, so there would be 2, like "callback__minimum_fields".

The other (better) option is to just extend the form validation library with your own custom rules (MY_Form_validation). Then you don't need these validation rules in your controller at all and it will keep them all together in a single place.
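
The underscore-prefix approach from post #3 applied to the callback from post #1, as an added example that is not part of the original thread. It also passes the name of the other field as the rule parameter (the way the built-in `matches` rule does) so submitted text never becomes part of the rule string; the controller name `Links` and the view names are hypothetical.

```php
<?php
// application/controllers/links.php (hypothetical controller for this example)
class Links extends CI_Controller
{
    public function submit()
    {
        $this->load->library('form_validation');

        // The rule parameter is the *name* of the other field, not its value.
        // Two underscores: "callback_" prefix + "_minimum_fields" method name.
        $this->form_validation->set_rules(
            'text_url',
            'Website link',
            'trim|xss_clean|callback__minimum_fields[textarea_content]'
        );
        $this->form_validation->set_rules('textarea_content', 'Content', 'trim');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('link_form');   // hypothetical view name
            return;
        }

        $this->load->view('link_saved');      // hypothetical view name
    }

    // Leading underscore: CodeIgniter will not route a URL request to this
    // method. It stays public so the form validation library can call it.
    public function _minimum_fields($url, $other_field)
    {
        // Read the other field inside the callback; cast because a missing
        // field is returned as FALSE or NULL depending on the CI version.
        $content = trim((string) $this->input->post($other_field));

        if (trim((string) $url) === '' && $content === '') {
            // The message key is the rule name without the "callback_" prefix.
            $this->form_validation->set_message(
                '_minimum_fields',
                'Please provide info for at least one of these: "Website link" and "Content".'
            );
            return FALSE;
        }

        return TRUE;
    }
}
```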
#4

[eluser]boltsabre[/eluser]
Owned and shamed!



