Comments on: On input validation 2

By: M_flash

M_flash — Wed, 11 Jul 2007 20:09:00 +0000

Hey Naneau!

Thank you for your help on zftalk! I’ve gotten started and really love this approach.

I’ve worked to avoid the double submit issue and I just wanted to share my approach that seems to work:

* Javascript part in formvalidation.js*
submit: function(e) {
Event.stop(e);
//stop the submit

var test = $$(‘#’ + this.form.id);

var el = $$(‘#’ + this.form.id + ‘ input.submit’);
if (el) {
el[0].spinBeside(‘Validating’, this.form.id);
el[0].disabled = true; // Simple stopping of double submitting
}

this.doRequest(this.validateUrl + ‘form/form/’ + this.type, true);
},

** And this part is in the onComplete function after failure is set to halt after token error – see below **
if (!data.messages && data.token_error)
{
var html = ‘Critical error: ‘ + data.token_error;
html += ”;

el[0].value = “X”;
el[0].disabled = true;
el[0].addClassName(‘error’);
new Insertion.After(el[0], html);
}
* Server part (see http://phpsecurity.org/ch02.pdf page 27) *
*- index.php -*
if (isset($_POST) && $_POST != array())
{
if (!isset($_SESSION['token'])
|| $_POST['token'] != $_SESSION['token'])
{
die(“{’sucess’: false, ‘token_error’: ‘Invalid token – either you have submitted the form twice or you are an unauthorised user. Please contact admin if this is not correct.’}”);
}

$token_age = time() – $_SESSION['token_time'];
$max_token_age = 60*60*3;
if ($token_age > $max_token_age)
{
die(“{sucess: false; ‘token_error’: ‘Token timeout – you have been away for to long, form invalid.’}”);
}
}

$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();

*- FormValidateController.php -*
protected function sendJsonResponse($return){
// Reset token since AJAX causes multiple calls with the same SESSION token
$_SESSION["token"] = $_POST["token"];
echo (Zend_Json::encode($return));
die();
}

By: Naneau

Naneau — Tue, 22 May 2007 14:54:01 +0000

Yes, that is the basic flow. I haven’t explained the javascript part in detail, but you did get the gist of it. I have a single controller (the url for which is in the forms.js file). The ajax request to that controller gets an argument which form it is (which the javascript gets out of the id of the form) and is therefore able to find a validator for it, and validate all fields.

If the form is valid it does a “real” submit of the form. Because you can’t rely on JavaScript validation, you have to validate it again on the server after that submit. In the demo application you just get redirected back to the demo form, but in a real world scenario you would probably want to redirect to something useful, and alert the user that his data has been saved.

The someAction could just be any normal controller action where you would have the need for a form.

By: dino

dino — Tue, 22 May 2007 12:55:37 +0000

hey, so now I start^^
This is how i understood your way (the action names are copied from the example above)
someAction():
displays the form and includes http://naneau.nl/zf/js/application/formvalidator/forms.js

onSubmit() of the form:
ajax request to the url in the forms.js, the action should be formAction(), right?
This actions checks all values and validates them and send the json response

if the validation was successful, the javascript performs a page refresh to the someAction(); and validates it again (if the user doesn’t allow js or something else) and then it performs the form

Hope i understood you well, else correct me

By: Naneau

Naneau — Tue, 22 May 2007 02:14:55 +0000

The validator class is just an example of how you might do input validation. You should subclass it to create something usable, see the first code example in the post on how you should do that. Using it is something different. I tried to make it broadly applicable, you could just validate $_POST, but there’s also a field-validating method. There are phpdoc-blocks for each method.

I found that I needed a concept of ‘required’ fields. Those fields get checked no matter what, and will raise an error if they are empty(). Non-required fields will only get checked if they have contents. See the demo to get an idea of how that works.

By: dino

dino — Mon, 21 May 2007 21:19:28 +0000

First of all, thank you. But I’m not able to work with this example, I don’t know exactly if it’s just my tiredness or something else… So I will wait until you post the whole example with all files I’m watching you

best regards

By: Naneau

Naneau — Mon, 21 May 2007 18:58:59 +0000

I’ve put it up, see the end of the post. I must warn you though, I have not tested it thoroughly.

By: dino

dino — Mon, 21 May 2007 17:44:54 +0000

Okay, then I hope “soon” is really soon and not just in a few weeks

By: Naneau

Naneau — Mon, 21 May 2007 16:17:34 +0000

I’m working on a code browser for things like this, expect either that, or some kind of other download with this and other classes sometime soon…!

P.S. Thanks

By: dino

dino — Mon, 21 May 2007 14:38:22 +0000

Hi,

nice page! I think you’re on a good way with this blog because you always post some nice hints how to work with the Zend Framework and other nice functions like the CSS Charts
This topic over here looks also very interesting because there are a lot of (older) solutions but they don’t fit in the framework. But can you be so kind to post the whole example sourcecode? (for example the Naneau_Validator_Abstract class).

Best regards,
dino

By: Naneau

Naneau — Sun, 20 May 2007 13:45:14 +0000

Interestingly enough, though totally unrelated, my javascript external link checker thinks that http://www.naneau.nl/ isn’t the same thing as http://naneau.nl/ . I should fix that Even though I’m opposed to adding the totally obsolete www part to my URIs if I can avoid it.