Validating and prepping...
#1

[eluser]~Chris~[/eluser]
This may sound like a dumb question. I'm going over the validation class.

Code:
$rules['username'] = "trim|required|min_length[5]|max_length[12]|xss_clean";
$rules['password'] = "trim|required|matches[passconf]|md5";
$rules['passconf'] = "trim|required";
$rules['email'] = "trim|required|valid_email";

Just like the user guide says it would, when there is an error the password is still re-filled into the form with its new md5 hash, instead of the password the user typed in.

It says to prep the data after it's done validating, instead of all together.

So, can someone give me an example of how I would prep it? For example, do I just run the $this->validation->run() function a second time to handle the data prepping?

Your help is appreciated.
#2

[eluser]Chris Newton[/eluser]
I would suggest using the encryption class after the validation has successfully run.

http://ellislab.com/codeigniter/user-gui...ption.html

It's pretty easy to use, and makes for a more difficult encryption to break. You just need to create an encryption key and add it to the config. Then load the library after the validation has passed.

Code:
$this->load->library('encrypt');
$this->encrypt->encode($this->input->post('password'));
#3

[eluser]Tim Jukes[/eluser]
Hi - I'm a new forum member and just came across this post. Like Chris, I'm confused by the user guide's suggestion to prep the data after it's done validating, instead of doing it all together. Running the validation function again seems sensible, but I'm not sure how efficient this is. Any bright ideas most welcome!

Thanks
#4

[eluser]Chris Newton[/eluser]
Sorry, guess I didn't respond to that correctly.

Code:
$rules['username'] = "trim|required|min_length[5]|max_length[12]|xss_clean";
$rules['password'] = "trim|required|matches[passconf]";
$rules['passconf'] = "trim|required";
$rules['email'] = "trim|required|valid_email";

Get rid of the MD5 hash in the rule, so your controller starts to look something more like this:

Code:
$rules['username'] = 'trim|required|min_length[5]|max_length[12]|htmlentities|xss_clean';
$rules['password'] = 'trim|required|min_length[5]|max_length[30]|htmlentities|matches[passconf]|xss_clean';
$rules['passconf'] = 'trim|required';
$this->validation->set_rules($rules);

$fields['username'] = 'email address';
$fields['password'] = 'password';
$fields['passconf'] = 'remember me';
$this->validation->set_fields($fields);

if ($this->validation->run() === FALSE)
{
    // Validation failed: re-show the form with the raw (un-hashed) input
    $this->load->view('view_login');
}
else
{
    // Validation passed: only now transform the password for storage
    $this->load->library('encrypt');

    $password = $this->encrypt->encode($this->input->post('password'));

    $this->load->model('my_model');
    $success = $this->my_model->dowhatever($this->input->post('username'), $password);
    if ($success)
    {
        $data['success_message'] = 'posting to the database worked!';
        $this->load->view('view_login', $data);
    }
    else
    {
        $data['error_message'] = 'posting to the database failed';
        $this->load->view('view_login', $data);
    }
}

Basically, don't hash your pass until the validation has successfully run.
#5

[eluser]Tim Jukes[/eluser]
Thanks Mahuti, great advice for password fields - much appreciated!

But, say for a username, the guide seems to imply that you should do something like

Code:
$rules['username']    =    'required|min_length[5]|max_length[12]';

and then run the validation, passing back the basic info if it fails, and then do the prepping functions sometime later and run the validation again?

Code:
$rules['username']    =    'trim|required|min_length[5]|max_length[12]|htmlentities|xss_clean';

I think I'll just stick with one validation pass as I can live with it if trimmed/cleaned info is sent back into the form - it's probably just the wording of the user guide confusing me!

Cheers
#6

[eluser]Chris Newton[/eluser]
Yeah, I think it's the wording. I personally consider htmlentities and xss_clean to be validation routines, not prepping. I don't want anything going in very deep that hasn't had some basic security operations conducted on it.

Prepping:
I think in the case of the password, you'd want it encrypted after. Or, maybe you want to store the user's address as one long string in the database, rather than as address, city, state, zip fields. Joining first and last name, joining 3 telephone fields into one long string. Stripping spaces out of a credit card field. Those things would be good to do after the content has validated. Those things I consider 'prepping' for their final format in the database.
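The validate-then-prep ordering from #4 and the validation/prepping split from #6, as an added stand-alone example rather than code from the thread or from CodeIgniter: a small PHP stand-in for CodeIgniter's pipe-separated rule strings in which no rule hashes anything, so a failed submission is re-filled with what the user typed. It swaps the thread's md5/encrypt suggestion for password_hash(); the validate() and prepForStorage() names and the sample submission are constructed for this example.

```php
<?php
// Minimal stand-in for CodeIgniter's pipe-separated rules (added example, not CI code).
// Validation only: nothing here hashes, so the form is re-filled with trimmed input, never a digest.
function validate(array $post, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $ruleString) {
        $value = $post[$field] ?? '';
        foreach (explode('|', $ruleString) as $rule) {
            $param = null;
            if (preg_match('/^(\w+)\[(.+)\]$/', $rule, $m)) {   // e.g. min_length[5]
                [, $rule, $param] = $m;
            }
            switch ($rule) {
                case 'trim':        $value = trim($value); break;
                case 'required':    if ($value === '') $errors[$field] = "$field is required"; break;
                case 'min_length':  if (strlen($value) < (int)$param) $errors[$field] = "$field is too short"; break;
                case 'max_length':  if (strlen($value) > (int)$param) $errors[$field] = "$field is too long"; break;
                case 'matches':     if ($value !== trim($post[$param] ?? '')) $errors[$field] = "$field does not match $param"; break;
                case 'valid_email': if (!filter_var($value, FILTER_VALIDATE_EMAIL)) $errors[$field] = "$field is not a valid email"; break;
            }
        }
        $post[$field] = $value; // trimmed value goes back to the form on failure
    }
    return [$errors, $post];
}

// Prepping: runs only after validate() reports no errors. password_hash() is a
// salted one-way hash and stands in for the thread's md5/encrypt suggestion.
function prepForStorage(array $clean): array
{
    return [
        'username' => $clean['username'],
        'email'    => $clean['email'],
        'password' => password_hash($clean['password'], PASSWORD_DEFAULT),
    ];
}

$rules = [
    'username' => 'trim|required|min_length[5]|max_length[12]',
    'password' => 'trim|required|min_length[5]|matches[passconf]',
    'passconf' => 'trim|required',
    'email'    => 'trim|required|valid_email',
];
// Constructed sample submission: the confirmation field has a typo.
$post = ['username' => ' chris ', 'password' => 'secret1', 'passconf' => 'secret2', 'email' => 'c@example.com'];
[$errors, $form] = validate($post, $rules);
// On failure $form['password'] is still 'secret1'; only on success is it hashed.
$errors ? print_r($errors) : print_r(prepForStorage($form));
```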
#7

[eluser]SneakyDave[/eluser]
I don't know if it's considered bad form, but I don't prefill the password field input, I make the user type it in again. Then I encrypt it after validation.
#8

[eluser]Chris Newton[/eluser]
I can see the security value in that, but as a user, I find that highly annoying. I guess it depends on the sensitivity of the data.

I definitely don't think it's bad form though.
