#1
I'm working on the 'Build A Task Manager' in the Learning Zone. Code shown in Learning Zone is hackable, meaning I can enter two characters and a space to get Trongate to trim the entry after validation instead of throwing an error, 'The Task Title field must be at least 3 characters in length.' My solution. I'm adding one line of code. Is there a way to do this without adding more code or is this the best way?
#2
My solution doesn't work. So I tried this code and it doesn't work either. Validation helper says, 'The Task Title field is required.' Validation helper code makes it look like I should be able to pass in my new variable $task_title as the $key value. Not sure how to fix this "vulnerability".
#3
Hi cisnez,

I can see the problem you are trying to solve with this validation check. There has been some work done on sanitising form data in v1.3.3037 of the Framework - what version are you working with?

Your first solution, where you try and run through

prior to the validation check, is flawed as you are not changing the posted value '$_POST['task_title']'

Your second solution, where you try assigning a variable to the 'key', is flawed too

as when it is passed to set_rules(); the 'key' becomes the value. Example: if '12 ' is passed into the form for 'task_title', this is what is processed in set_rule();

Hence this is why you are getting the error 'The Task Title field is required.' as the posted value is now an empty string.

If we look at the following validation check:

and you follow the logic in run_validation_test(), 'required' is run first, then 'run_special_test' is run twice - once for 'min_length[3]' and then for 'max_length[75]'

So if we look at the min_length() method in the validation_helper.php file

You can see all testing is done directly on the superglobal $_POST[$key]

So for now, the simple fix to this issue is to run post() filtering on $_POST['task_title'] until a more elegant method is done directly in validation_helper.php
#4
Okay. I've had a chance to look at this. You were 100% correct and you've made a great call. Thank you!

I have now updated the framework so that all $_POST vars are auto-trimmed before validation happens. This makes the 'space hack' impossible.

Hopefully that'll do the trick.

Cisnez, I'm eager to give you credit for that. If you'd like to join the contributor's list on GitHub then please let me know and we'll find a way to get you on. I really think that's important and I'd be very glad to have you on.

Dafa, as always, your instinct was right about this. Thanks to you too.

We're good. Cheers!
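The 'space hack' from #3 and the trim-before-validation fix from #4, as an added stand-alone illustration that is not Trongate's own code: the functions below are hypothetical simplifications of the validation helper's 'required' and 'min_length' checks and of the auto-trim step, written only to show the before/after behaviour on a constructed $_POST sample.

```php
<?php
// Added illustration, not Trongate framework code. The function names are
// hypothetical stand-ins for the helper's behaviour described in the thread.

// Constructed sample of what $_POST holds for the task form: two characters
// plus a trailing space. strlen() reports 3, so an untrimmed min_length[3]
// check accepts it even though the title is really only 2 characters.
$posted = ['task_title' => '12 '];

// Simplified stand-in for the helper's min_length test, which measures the
// posted value directly (the thread notes it reads $_POST[$key] as-is).
function min_length_ok(array $post, string $key, int $min): bool
{
    return isset($post[$key]) && strlen($post[$key]) >= $min;
}

// Simplified stand-in for the 'required' test: an empty string fails.
function required_ok(array $post, string $key): bool
{
    return isset($post[$key]) && $post[$key] !== '';
}

// Simplified version of the fix from #4: trim every posted value once,
// before any rule runs, so surrounding whitespace cannot pad the length.
function trim_post(array $post): array
{
    return array_map('trim', $post);
}

// Before the fix: the padded value slips past min_length[3].
$before = min_length_ok($posted, 'task_title', 3);

// After the fix: the same input is measured at its real length and rejected.
$trimmed = trim_post($posted);
$after = min_length_ok($trimmed, 'task_title', 3);

// A whitespace-only title becomes an empty string after trimming and is
// caught by 'required', matching the message seen in #2 when a blank value
// reaches the rule.
$blank = trim_post(['task_title' => '   ']);
$blankRequired = required_ok($blank, 'task_title');

printf("untrimmed passes min_length[3]: %s\n", var_export($before, true));
printf("trimmed passes min_length[3]:   %s\n", var_export($after, true));
printf("blank passes required:          %s\n", var_export($blankRequired, true));
```

Note that strlen() counts bytes, so a length rule on multibyte titles behaves differently from a character count; that is a separate concern from the whitespace padding discussed here.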