Able to bypass validation when I set action param to an arbitrary value. Is this okay?
amemon
When I set the 'action' POST key to an arbitrary value, I appear to be able to bypass validation.
e.g.
Editor::inst( $db, 'bds_tblinitdetail', 'lngIdInitDetail' )
    ->fields(
        , Field::inst('bds_tblinitdetail.intUnits')
            ->validator(Validate::numeric())
            ->validator(Validate::notEmpty())
        ...
        , Field::inst('bds_tblinitdetail.lngIdBlast')
            ->validator(Validate::dbValues(
                ValidateOptions::inst()
                    ->message('Blast not found'),
                'lngIdBlast',
                'bds_tblblast'
            ))
            ->validator(Validate::notEmpty())
            ->validator(Validate::numeric())
    )
    ->leftJoin('bds_tblinitiator', 'bds_tblinitiator.lngIdInitiator', '=', 'bds_tblinitdetail.lngIdInitiator')
    ->where('bds_tblinitdetail.lngIdBlast', $blast->lngIdBlast)
    ->process( $_POST )
    ->json();
It attempts to pass the invalid data to the db:
{"fieldErrors":[],"error":"An SQL error occurred: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: 'foo' for column 'intUnits' at row 1","data":[],"ipOpts":[],"cancelled":[]}
When the action is edit or create, it validates just fine:
{"fieldErrors":[{"name":"bds_tblinitdetail.lngIdInitiator","status":"Initiator not found"},{"name":"bds_tblinitdetail.intUnits","status":"Input not valid"},{"name":"bds_tblinitdetail.lngIdBlast","status":"Blast not found"}],"data":[]}
I'm initialising the Editor in a Laravel controller method.
This discussion has been closed.
Answers
Excellent point - thank you!
Fixed for:
Will all be included in the 1.9.1 which we are hoping will be tomorrow.
Allan
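
For installs that cannot move to 1.9.1 yet, an allow-list on the action key keeps unknown values from ever reaching process(). This is an added example, not code from the thread or from Editor itself; guardEditorRequest, ALLOWED_ACTIONS, the error text and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not part of DataTables Editor.

// Assumption: the write actions this endpoint is meant to accept.
const ALLOWED_ACTIONS = ['create', 'edit', 'remove'];

/**
 * Hypothetical guard. Returns null when the request may be passed to
 * Editor's ->process(), or an error payload (same keys as the responses
 * quoted in the question) when 'action' is not on the allow-list.
 */
function guardEditorRequest(array $post): ?array
{
    // No 'action' key: assumed here to be a plain read of the table.
    if (!array_key_exists('action', $post)) {
        return null;
    }
    $action = $post['action'];
    // Strict match: rejects arrays (action[]=edit), case variants and padding.
    if (is_string($action) && in_array($action, ALLOWED_ACTIONS, true)) {
        return null;
    }
    return ['fieldErrors' => [], 'error' => 'Unsupported action', 'data' => []];
}

// Constructed sample requests; the row payload is illustrative only.
$row = [0 => ['bds_tblinitdetail' => ['intUnits' => 'foo']]];
$samples = [
    'read'      => [],
    'edit'      => ['action' => 'edit', 'data' => $row],
    'arbitrary' => ['action' => 'foo', 'data' => $row],
    'array'     => ['action' => ['edit'], 'data' => $row],
    'case'      => ['action' => 'EDIT', 'data' => $row],
];

foreach ($samples as $label => $post) {
    $error = guardEditorRequest($post);
    if ($error !== null) {
        // In the controller: respond with HTTP 400 and this body, then stop.
        echo "$label: rejected " . json_encode($error) . "\n";
        continue;
    }
    // In the controller: Editor::inst(...)->...->process($post)->json();
    echo "$label: passed to Editor\n";
}
```

The 'edit' sample still carries the invalid intUnits value on purpose: the guard only decides whether the action is one Editor will validate, and the field validators remain responsible for the data itself.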