Help: DiscardInvalidValues

Shekar C. Reddy, Message 1 of 2, Apr 1, 2006
Manuel,

I'm not clear with the usage of DiscardInvalidValues. Do we need to
add one DiscardInvalidValues input for 'each' input we need to
validate against attacks or just one DiscardInvalidValues for the
entire form?

Regards,
Manuel Lemos, Message 2 of 2, Apr 2, 2006
Hello,

on 04/01/2006 06:58 AM Shekar C. Reddy said the following:
> I'm not clear with the usage of DiscardInvalidValues. Do we need to
> add one DiscardInvalidValues input for 'each' input we need to
> validate against attacks or just one DiscardInvalidValues for the
> entire form?

No, that is meant to reject invalid values spoofed via hidden fields.

For instance, if you have a form to edit a database record and you use
a hidden field to pass the record id, it would not make sense to tell
the user that a hidden field is invalid because real users do not have
a way to change hidden fields.

At the same time you cannot accept an invalid value (say record ids
should be positive integers), so you need to set a validation rule to
refuse invalid values.

What happens is that when you use DiscardInvalidValues, the
LoadInputValues function validates the input and if it is invalid it
does not load the submitted value. This way any possibly spoofed values
are discarded, and the initial input value is kept.

If you set the initial value to 0 for instance, you may safely use it in
queries without SQL injection risk. 0 is usually a safe record value
because usually record ids start with 1, so even if you do not perform
extra record existence check (which is still a good thing to do),
attempts to update records with id 0 will not affect the database table,
as there is no record with id 0.

--

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
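The discard-versus-report behaviour Manuel describes, as an added stand-alone illustration (example code written for this page, not the forms class's own API): a tampered hidden record id is dropped and the safe initial value 0 is kept without any user-facing message, while an invalid visible field is reported as an error. The 'validate' callbacks, the 'error' key and the field names are assumptions made for this example.

```php
<?php
// Example re-implementation of the described behaviour; the 'validate'
// callbacks and the 'error' key are assumptions, not the forms class's API.

// Form definition: a hidden record id with a safe initial value of 0 and a
// visible field that a real user may legitimately get wrong.
$form = [
    'id' => [
        'type'                 => 'hidden',
        'value'                => 0,      // initial value, kept if the input is discarded
        'validate'             => fn($v) => ctype_digit((string) $v) && (int) $v >= 1,
        'DiscardInvalidValues' => true,   // reject silently instead of reporting an error
    ],
    'name' => [
        'type'     => 'text',
        'value'    => '',
        'validate' => fn($v) => is_string($v) && trim($v) !== '',
        'error'    => 'Please enter a name.',
    ],
];

// Load the submitted values into the form. An invalid value for an input
// marked DiscardInvalidValues is dropped and the initial value stays; an
// invalid value for any other input produces an error message for the user.
function loadInputValues(array &$form, array $submitted): array
{
    $errors = [];
    foreach ($form as $name => &$input) {
        if (!array_key_exists($name, $submitted)) {
            continue;
        }
        $raw = $submitted[$name];
        if (($input['validate'])($raw)) {
            $input['value'] = $raw;
        } elseif (empty($input['DiscardInvalidValues'])) {
            $errors[$name] = $input['error'];
        }
        // else: a tampered hidden field, silently keep the initial value
    }
    unset($input);
    return $errors;
}

// Constructed request body: the hidden id has been tampered with and the
// visible name field was left empty.
$submitted = ['id' => '1 OR 1=1', 'name' => ''];
$errors = loadInputValues($form, $submitted);

// Show the loaded record id (safe to bind as a query parameter) and the
// user-facing errors, which only concern the visible field.
var_dump($form['id']['value'], $errors);
```

Even with the id kept at 0, bind it as a query parameter and, as the message recommends, still check that the record exists before updating it.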