Yii Framework Forum: all the validation on the Rule function Is server_side or client_side - Yii Framework Forum


#1 za_al

Posted 06 June 2012 - 05:42 AM

Hi

When we validate an attribute in the rules function, is this validation server-side or client-side?
For example, a validation class for an incoming file:



public function rules()
{
    return array(
        // Custom validator class loaded through the 'ext' path alias
        array('file', 'ext.MyValidators.fileNameValidator'),
        // Built-in file validator: allowed extension and size limits
        array('file', 'file',
            'types' => 'pdf',
            'message' => 'Only files with these extensions are allowed: pdf',
            'maxSize' => 1024 * 1024 * 2, // 2MB
            'minSize' => 1024 * 2,        // key had a trailing space, which is not a valid property name
            'tooLarge' => 'The file was larger than 2MB. Please upload a smaller file.',
            'tooSmall' => 'The file was Too Small. Please upload a larger file.',
        ),
    );
}



In other words, is all the validation in the rules function server-side or client-side validation?

#2 kokomo

Posted 06 June 2012 - 08:55 AM

Everything is on the server.

But there is the option CActiveForm.enableClientValidation to enable client validation.
I have in mind that not all Yii Validator classes are supported for client validation.


#3 jacmoe

Posted 06 June 2012 - 08:59 AM

/* Moved from Tips to General Discussion */
"Less noise - more signal"

#4 za_al

Posted 24 June 2012 - 05:31 AM

In order to secure file uploads, the file's MIME type should be checked. I use the following code, but the worst-case scenario happens:

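<?php
// The posted method uses self::, so it needs a class around it.
// The class name and the single map entry are illustrative, not from the original post.
class MimeHelper
{
    // Extension => MIME type map used only by the last-resort branch
    private static $mimeTypes = array( 'pdf' => 'application/pdf' );

    public static function getMimeType( $file ) {
        $realpath = realpath( $file );

        if (
            $realpath
            && function_exists( 'finfo_file' )
            && function_exists( 'finfo_open' )
            && defined( 'FILEINFO_MIME_TYPE' )
        ) {
            // Preferred: detect the type from the file content (fileinfo extension)
            return finfo_file( finfo_open( FILEINFO_MIME_TYPE ), $realpath );
        } elseif ( function_exists( 'mime_content_type' ) ) {
            return mime_content_type( $file );
        } else {
            // Worst-case scenario has happened, use the file extension to infer the mime-type
            $ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
            if ( isset( self::$mimeTypes[$ext] ) ) {
                return self::$mimeTypes[$ext];
            }
        }
        return false;
    }
}
?>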


Is there a Yii solution or a PHP solution to obtain the actual MIME type of a file?

#5 za_al

Posted 10 July 2012 - 07:05 AM

Anyone?

#6 jacmoe

Posted 10 July 2012 - 07:17 AM

Put it client side. :)

I've modified the run function of EJqueryUpload extension, like this:

    public function run() {

        // Browser-side script: checks the chosen file name, then posts the file to $this->url.
        // The extensions sit in one group so that the leading \. and trailing $ apply to every alternative.
$script = <<<EOD
    $(function() {
        $('#{$this->id}').change(function() {
            var regexp = /\.(png|jpg|jpeg|gif|txt|patch|diff|bmp|log|zip|tgz|tar\.bz2|tar|tar\.gz|gz)$/i;
            if (!regexp.test($('#{$this->id}').val())) {
                alert('Only jpg, jpeg, gif, png, txt, patch, diff, bmp, log, zip, tgz, tar.bz2, bz2, tar, tar.gz and gz allowed');
                $('#{$this->id}').val('');
                return;
            }
            $(this).upload('{$this->url}', function(html) {
                $('#{$this->id}').val('');
                try {
                    var obj = jQuery.parseJSON(html);
                    if (obj.error) {
                        alert(obj.error);
                        return;
                    }
                }
                catch(e) {
                    // Response was not JSON: treat it as an HTML fragment and append it below
                }
                $('#{$this->result_id}').append(html);
            }, 'html');
        });
    });
EOD;

        Yii::app()->clientScript->registerScript(__CLASS__ . '#' . $this->id, $script, CClientScript::POS_READY);

        echo "<input id='{$this->id}' type='file' name='file' />";
    }

It works for my project.
"Less noise - more signal"

#7 za_al

Posted 16 July 2012 - 04:20 AM

Thank you for your answer. But client-side validation does not provide real security.
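
The server-side counterpart to the last reply and to the MIME question in post #4, as an added example that is not part of the original thread: a plain PHP check that runs on the server whatever the browser-side script did. The function name `checkPdfUpload` is an assumption; the size limits and the pdf-only policy are taken from the rules() array in post #1.

```php
<?php
// Added example (not from the thread). Returns true when the upload passes
// every check, or an error string describing the first check that failed.
// $upload is one single-file entry of $_FILES, e.g. $_FILES['file'].
function checkPdfUpload(array $upload, $minSize = 2048, $maxSize = 2097152)
{
    // PHP's own upload status; anything but UPLOAD_ERR_OK means no usable file.
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed.';
    }
    // Only touch a temp file that PHP itself received via HTTP POST.
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        return 'Not an uploaded file.';
    }
    // Measure the file on disk instead of trusting $upload['size'].
    $size = filesize($upload['tmp_name']);
    if ($size === false || $size < $minSize || $size > $maxSize) {
        return 'File size out of range.';
    }
    // The client-supplied name is used for the extension check only,
    // never as the path the file is stored under.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if ($ext !== 'pdf') {
        return 'Only .pdf files are allowed.';
    }
    // Detect the type from the file content. If fileinfo is missing, fail
    // closed instead of falling back to the extension (the "worst-case"
    // branch of post #4) or to the browser-sent $upload['type'].
    if (!function_exists('finfo_open')) {
        return 'Cannot verify file type: fileinfo extension is not loaded.';
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $upload['tmp_name']) : false;
    if ($mime !== 'application/pdf') {
        return 'File content is not a PDF.';
    }
    return true;
}

// Typical call in the upload action:
//   $result = checkPdfUpload($_FILES['file']);
//   if ($result !== true) { /* reject and show $result */ }
```

If the fileinfo extension is not loaded, the function rejects the upload; that is the situation post #4 describes, where only the extension-based branch is reachable.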