Hi all,

I want to ask a simple question about validating user input, especially the
input from the URL taken with $this->_getParam(). An example:

Suppose we have a model that needs a date representation passed via URL
params. Is it better to check its value in the controller like this:

public function exampleAction() {
        // The assignment is parenthesised: otherwise || binds tighter than =
        // and $date would hold a boolean instead of the parameter value.
        if (!($date = $this->_getParam('date')) || !Zend_Date::isDate($date, 'yyyyMMdd')) {
                // redirecting to a standard page
                $this->_helper->redirector('/');
                // or throwing an exception
                throw new Exception('...');
                // or something else
                return;
        }
        $model = new My_Model();
        $model->methodUsingDate($date);
}

or simply pass the value as is to the model and make the check in the model
itself, with something like this:

public function exampleAction() {
        // take the raw value from the request and pass it on unchecked
        $date = $this->_getParam('date');
        $model = new My_Model();
        $model->methodUsingDate($date);
}

public function methodUsingDate($date) {
        $date = (string) $date;
        if (!Zend_Date::isDate($date, 'yyyyMMdd')) {
                // or throwing an exception
                throw new Exception('...');
        }
        // processing date
        // ...
}

Currently I write my models assuming that the parameters are correct, mainly
because the data are taken using a Zend_Form subclass and the validators do
the hard job, but I have a doubt because, on the other side, the model
classes are not safe when used alone and they often need controls on params
correctness, otherwise they may go into an inconsistent state, or even worse
they could have some security vulnerability if used without those checks.

What do you suggest?
-- 
View this message in context: 
http://www.nabble.com/Models-and-input-validation-best-practices-tp22691571p22691571.html
Sent from the Zend Framework mailing list archive at Nabble.com.
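
Added example, not part of the original post: one way to let the model enforce the yyyyMMdd precondition itself, so it stays safe when called without a controller or form in front of it. It uses plain PHP (7.1 or later assumed) instead of Zend_Date so it runs stand-alone; `parseYmd` and `My_Model_Example` are hypothetical names.

```php
<?php
/**
 * Strictly parse a yyyyMMdd string (hypothetical helper).
 * Returns a DateTimeImmutable or throws InvalidArgumentException.
 */
function parseYmd($value): DateTimeImmutable
{
    // A request parameter can be an array (?date[]=x) or null, so reject
    // non-strings first. \A and \z anchor the whole subject, which also
    // rejects a trailing newline that $ would let through.
    if (!is_string($value) || !preg_match('/\A\d{8}\z/', $value)) {
        throw new InvalidArgumentException('date must be 8 digits (yyyyMMdd)');
    }
    // '!' resets unparsed fields, so the time part is 00:00:00.
    $date = DateTimeImmutable::createFromFormat('!Ymd', $value, new DateTimeZone('UTC'));
    // createFromFormat rolls 20090230 over to 2 March; the round trip catches that.
    if ($date === false || $date->format('Ymd') !== $value) {
        throw new InvalidArgumentException('date is not a real calendar date');
    }
    return $date;
}

class My_Model_Example
{
    // The model checks its own input; a controller check in front of it is
    // then a usability layer, not the only line of defence.
    public function methodUsingDate($date): string
    {
        $date = $date instanceof DateTimeImmutable ? $date : parseYmd($date);
        return $date->format('Y-m-d');
    }
}

// Constructed inputs: valid, rolled-over day, trailing newline, array, missing.
$samples = ['20090325', '20090230', "20090325\n", ['20090325'], null];
$model = new My_Model_Example();
foreach ($samples as $raw) {
    try {
        echo var_export($raw, true), ' => ', $model->methodUsingDate($raw), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // A controller would translate this into a redirect or a 4xx response.
        echo var_export($raw, true), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```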
