MVC: Should I introduce form validation rules in a controller or model?

On the one hand, form validation can be considered as part of the application logic and, therefore, belonging to the model.

On the other hand, it directly relates to input coming from the view, and handles display errors, etc. From this angle, it makes sense to add it to the controllers.

Which one is the right MVC approach?

PS my form check actually consists only in writing a list of fields, their rules and passing them to the form check library, which returns true / false whether it passed the check or not.

Example:

    $this->load->library('form_validation');
    $this->form_validation->set_rules('name', 'Name', 'required');
    $this->form_validation->set_rules('email', 'Email', 'required|valid_email');
    //........
    if ($this->form_validation->run()) {
        // Process data
    } else {
        $this->register_form(); // A controller action that will show a view with errors
    }

Should this be placed in a controller or model?

+49
php codeigniter
Apr 13 2018-11-11T00:
9 answers

Validation is a model issue. Only the model knows what your data looks like. You describe your data fields in a model, so you must describe validation rules for these fields in the same place.

It seems obvious to me, but I enjoy listening to opponents.

+18
Apr 13 2018-11-11T00:

Ideally, you want 3 levels of verification:

  • View: Client side (javascript check, html5, etc.). This detects obvious errors and omissions before the data enters the controller, which would lose the user time and cause an unnecessary page load if there are errors.
  • Controller: This is your form level. Controllers are usually designed to directly enter input and send it to the model. It is very rare that each field in your form has a directly related column in your database; you usually need to somehow modify the data before passing it to the model. Just because a field you have to check is called “confirm email” does not mean that your model will deal with “confirm email”. Sometimes this will be the final step of verification.
  • Model: This is your last line of defense for verification, and perhaps your only verification if you send data to the model without directly entering it from the form message. There are many times when you need to send data to the database from a controller call or with data that is not from a user. We do not want to see database errors, we want to see errors caused by the application itself. Typically, models should not deal with $_POST data or the user directly; they should receive data from the controller. You do not want to deal with useless data here, such as an email confirmation.
+71
Apr 13 '11 at

I would say that the form validation code should be in the controller (and not in the model) in most cases.

Madmartigan put it best in his comment above: “Form validation !== data validation. Not all forms interact with the model.”

Web forms are logically part of the View / Controller MVC part because the user interacts with them in the view.

+12
Apr 13 2018-11-11T00:

Everyone seems to always say that the model conveys this question, which has its merits (compared to the opposite), but I think the answer to this question is more sophisticated. Validation of the data itself must be performed on the model.

But there are other types of checks, for example, whether the form was submitted with unexpected fields (for security purposes, obviously), or whether the user has permission to perform the requested operation. Putting these types of validation into the model cements the model (data abstraction) to completely separate things, such as how the user system works or how form submissions are evaluated for security purposes.

You can imagine changing one of these classes or class systems, and then a mess, because you also have to change all your models. While controllers are the intermediary between client input and data: in this role they are the correct validators of the above examples and probably many others.

+5
Jul 28 '13 at 0:59
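
The split described in the answer above, as an added example that is not part of the original thread: the controller-level check rejects a submission carrying unexpected fields and handles the form-only "confirm email" field, while the model validates only its own data. It is plain PHP without CodeIgniter; `check_form_fields`, `ContactModel`, `register` and the sample requests are hypothetical.

```php
<?php
// Added illustration, not code from the thread; all names are hypothetical.

// Controller-level check: validates the form submission, not the data.
// Returns the names of submitted fields the form never offered.
function check_form_fields(array $post, array $allowed): array
{
    return array_values(array_diff(array_keys($post), $allowed));
}

// Model-level check: validates the data itself, wherever it came from
// (web form, command-line import, another controller).
class ContactModel
{
    public function validate(array $data): array
    {
        $errors = [];
        $name = $data['name'] ?? '';
        if (!is_string($name) || trim($name) === '') {
            $errors['name'] = 'Name is required';
        }
        if (filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
            $errors['email'] = 'Email is not valid';
        }
        return $errors;
    }
}

// Controller action: form checks first, then hand clean data to the model.
function register(array $post): array
{
    $unexpected = check_form_fields($post, ['name', 'email', 'confirm_email']);
    if ($unexpected !== []) {
        return ['form' => 'Unexpected fields: ' . implode(', ', $unexpected)];
    }
    if (($post['email'] ?? '') !== ($post['confirm_email'] ?? '')) {
        return ['confirm_email' => 'Email addresses do not match'];
    }
    // "confirm_email" is a form concern only; the model never sees it.
    return (new ContactModel())->validate([
        'name' => $post['name'] ?? '',
        'email' => $post['email'] ?? '',
    ]);
}

// Constructed sample requests: one clean, one with an injected field.
$ok = ['name' => 'Alice', 'email' => 'alice@example.com', 'confirm_email' => 'alice@example.com'];
$tampered = $ok + ['is_admin' => '1'];
var_dump(register($ok));
var_dump(register($tampered));
```

Because the model re-validates whatever it receives, the same `ContactModel::validate()` still protects the data when it arrives from a path that never passed through the form checks.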

Given other answers (and some research), if you must verify the data using rules such as non-empty fields, email authentication, etc., the controller should not pass this data through itself, but if you have rules like "only a user with a reputation of more than 150 can vote for the answer", you must do this at the model level.

If you want to check business rules, I advise you to have an object such as a business object template, and in any part of the software, when you want to "vote for an answer", your business logic is saved and centralized.

+2
Feb 27 '12 at 18:56

This is an interesting theoretical discussion, but if we focus on the fact that the question was asked in the context of Codeigniter (CI):

In CI, you can specify your own validation rule as follows:

 $this->form_validation->set_rules('email', 'Email', 'required|callback_my_validation'); 

In this case, you must define a public function called "my_validation", which should return true or false, and the framework will add an error (if false is returned) to the error stack.

So ... if you put this code in the controller, you inadvertently publish a public URL, that is, you could call something like "http://yoursite.com/my_validation" (I don’t think you mean it). The way to protect this URL is to go into the "routes.php" file and prevent access to that URL. This does not seem practical and seems to indicate that the CI developers intended to handle validation in the model.

+2
Dec 24 '13 at 2:41
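
One way to keep a validation callback in the controller without exposing it as a URL, as an added example that is not part of the original answer: CodeIgniter does not serve controller methods whose names begin with an underscore, so the callback is named `_my_validation` and the rule takes a double underscore. It assumes CodeIgniter 3; the `Register` controller, the `register_form` and `register_done` views and the example.com rule are hypothetical.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added illustration for CodeIgniter 3, not code from the thread.
// Register, register_form and register_done are hypothetical names.
class Register extends CI_Controller
{
    public function index()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('name', 'Name', 'required');
        // "callback_" + "_my_validation": note the double underscore.
        $this->form_validation->set_rules(
            'email', 'Email', 'required|valid_email|callback__my_validation'
        );

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('register_form');   // redisplay the form with errors
        } else {
            $this->load->view('register_done');
        }
    }

    // Stays public so the Form_validation library can call it, but the
    // leading underscore stops CodeIgniter from routing a request to
    // /register/_my_validation.
    public function _my_validation($email)
    {
        // Hypothetical rule: only addresses at example.com may register.
        if (substr($email, -12) !== '@example.com') {
            $this->form_validation->set_message(
                '_my_validation', 'The {field} must be an example.com address.'
            );
            return FALSE;
        }
        return TRUE;
    }
}
```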

The model must validate its own data.

Say you have a contact model that only needs a name and phone number. He must confirm that the name and phone number are completed.

However, if this contact model is part of a quote, you may need a full name and email address.

In this case, you can either expand the Contact model (become the QuoteContact model), or add additional checks, or perform additional checks in the Quote model.

You must write your models so that they can be reused in other applications (even if they never will), so they must be independent of the controller. If the checks are in the controller, you lose these checks if you switch to the command line version.

+1
Nov 29 '11 at 19:39

If you validate the form on the server using CodeIgniter, then it validates in the controller.

You need to enable the form_validation library with autoload like this

 $autoload['libraries'] = array("form_validation");

OR directly you load into the controller

 $this->load->library('form_validation'); 

Then you set a validation rule for each form field

    $this->form_validation->set_rules('username', 'User Name', 'required');
    $this->form_validation->set_rules('useremail', 'User Email', 'required|valid_email');

If any error is found after checking the form field, then it will catch in the check function

    if ($this->form_validation->run() === FALSE) {
        // return back to form
    } else {
        // all fields validated successfully
    }

0
Jul 29 '14 at 9:33

There is another angle that is not addressed in other answers. It depends on what you say that you are Controller / View! If this is Javascript that validates as the user types, for security reasons, you should also have validation on your server (this could again be in the controller of your internal server or model), because anyone can simply click Data via Ajax without a browser.

For performance reasons, you must have validation in your external controller / view, since you don't want to hit your database every time the user selects an invalid date of birth or something else.

Therefore, in addition to the theoretical basis of validation in M, V, and / or C, you should also consider the practicality of frontend vs backend regardless of MVC.

My personal recommendation is not to limit yourself to just one level of verification. Incorrect verification (for example, the password confirmation example mentioned in other answers) can have serious consequences for the architecture.

0
Nov 12 '14 at 6:08


