2009/3/26 fab2008 <[email protected]>:
>
> Simon Corless wrote:
>>
>> fab2008 wrote:
>>>
>>> Hi all,
>>>
>>> I want to ask a simple question about validating user input, especially
>>> the input from the URL taken with $this->_getParam(). An example:
>>>
>>> Currently I write my models assuming that the parameters are correct,
>>> mainly because the data are taken using a Zend_Form subclass and the
>>> validators do the hard job, but I have a doubt because on the other
>>> side the model classes are not safe when used alone and they often need
>>> controls on params correctness, otherwise they may go into an inconsistent
>>> state, or even worse they could have some security vulnerability if used
>>> without those checks.
>>>
>>> What do you suggest?
>>>
>>
>> I believe the consensus around here is the fat model, skinny controller
>> concept; try searching the news group on Nabble for it. Basically your
>> model should handle all its ins and outs from any data and your
>> controller does very little other than call various models as required.
>>
>> You may also want to look into Zend_Form and its use as a validator,
>> which you can then call in your model to validate and filter the data.
>>
>> In short it's probably 'best' to change to your second method!
>>
>> Simon
>>
>
> Thanks for the answer. I've also found this article and it clarifies some
> aspects of what you are saying:
>
> http://www.survivethedeepend.com/zendframeworkbook/en/1.0/the.model
>
> One more thing, about the forms: currently I use the redirect-after-post
> pattern, so my actions that involve a form look like this:
>
> public function someAction()
> {
>     $form = $this->view->form = new someForm();
>     if ($this->getRequest()->isPost() && $form->isValid($_POST)) {
>         // stuff with model and form data
>         ...
>         // redirect to another page
>         $this->_helper->redirector(...);
>     }
> }
If your controllers use forms like this your Model depends on the Controller:
without the form your Model has no way of validating its input unless you
duplicate the validation/input filtering. By moving Zend_Form within your Model
you will get rid of this dependency, and then you can unit test your models etc.

You should read Matthew's blog on this:
http://weierophinney.net/matthew/archives/200-Using-Zend_Form-in-Your-Models.html

Remember that Zend_Form has three aspects: display, validation and filtering.
Therefore it is reasonable to only use the validation and filtering parts in
your Model; they then act like a domain level service to your Models.

I find it useful to remember that the MVC dependency rule goes:

    Interface      (View)
    Application    (Controller)
    Domain         (Model, Services etc.)
    Infrastructure (DB, Session, libraries)

Dependencies go in a downwards direction, so Application can depend on Domain
but Domain should not depend on Application.

> Is this correct, or should I move form instantiation and creation
> into the model?
>
> I think that the form should be created outside the model because it is MVC
> related, not model related.
>
> Moreover, if I want to use my model in a non-MVC environment, such as
> cron jobs, or in unit testing, the model would be unusable.
>
> But if these assertions are correct, should I duplicate (aargh!!!) the input
> validation in the model to keep it secure against wrong data?
>
> This is not very clear to me.
>
> --
> View this message in context:
> http://www.nabble.com/Models-and-input-validation-best-practices-tp22691571p22715633.html
> Sent from the Zend Framework mailing list archive at Nabble.com.

--
----------------------------------------------------------------------
[MuTe]
----------------------------------------------------------------------
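The layout described in the reply above, as an added example that is not code from this thread or from Zend Framework itself: a model that owns its Zend_Form validation and filtering, so a controller, a cron script or a unit test can all hand it raw input and the validation rules live in one place. The User_Model and UserController names and the username/email fields are assumptions.

```php
<?php
// Added example, not from the thread or Zend Framework; class and field names are assumed.
// Domain layer: the model owns its validation and filtering rules. Only Zend_Form's
// validation/filtering aspects are used; nothing is rendered, so no View/Controller dependency.
class User_Model
{
    public $errors = array();
    private function _inputForm()
    {
        $form = new Zend_Form();
        $form->addElement('text', 'username', array(
            'required'   => true,
            'filters'    => array('StringTrim', 'StringToLower'),
            'validators' => array('Alnum',
                array('StringLength', false, array('min' => 3, 'max' => 32))),
        ));
        $form->addElement('text', 'email', array(
            'required'   => true,
            'filters'    => array('StringTrim'),
            'validators' => array('EmailAddress'),
        ));
        return $form;
    }
    // Accepts raw, untrusted input ($_POST, a cron job, a unit test) and
    // returns the filtered values, or false with the messages in $errors.
    public function register(array $data)
    {
        $form = $this->_inputForm();
        if (!$form->isValid($data)) {
            $this->errors = $form->getMessages();
            return false;
        }
        // persist the clean values through the Infrastructure layer (DB table) here
        return $form->getValues(); // filtered; keys the form does not define are dropped
    }
}

// Application layer: the controller just hands the raw POST to the model.
class UserController extends Zend_Controller_Action
{
    public function registerAction()
    {
        $model = new User_Model();
        if ($this->getRequest()->isPost()
            && $model->register($this->getRequest()->getPost())) {
            $this->_helper->redirector('welcome');
        }
        $this->view->errors = $model->errors;
    }
}
```

A cron script or PHPUnit test calls `$model->register($rawArray)` directly with no request, view or form object in play, and gets the same filtering and validation the controller does.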
