-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: only validate data from POST request body #695
Conversation
With the current data validation check, an empty POST request with valid GET parameters will cause the validation to pass but a TypeError will be thrown because on line 110 it is fetching null data from POST.
With the current data validation check, an empty POST request with valid GET parameters will cause the validation to pass but credentials which are later fetched from POST request body will be null.
With the current data validation check, an empty POST request with valid GET parameters will cause the validation to pass later when data is fetched from POST request body, it will be null.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. You're correct. Using $this->validate()
is not a good practice.
@miguel-rn Thank you! |
I noticed a related issue in the docs, I will make a pull request to update. |
Fix validation check to only validate POST request body. codeigniter4#695
This is good, but I have to ask. Is it possible for a |
Not that I'm aware of. The only way I could see anything like that happening is if the route was defined with |
|
Sorry, I misread that. You're correct. |
Maybe I didn't explain properly, I was actually talking about the $routes->get();
$routes->post(); For a route defined explicitly as |
My main concern is, for example, there is a route definition for the $routes->post('login', 'LoginController::loginAction'); Is it possible that |
Yes. Because
Yes. Because |
Thank you @kenjis. |
With the current data validation checks in the controllers, an empty POST request with valid GET parameters will cause the validation to pass. Since this data is always later fetched from the POST request body, it will be null and errors will be thrown.