Simon Corless wrote:
> fab2008 wrote:
>> Hi all,
>>
>> I want to ask a simple question about validating user input, especially
>> the input from the URL taken with $this->_getParam(). An example:
>>
>> Currently I write my models assuming that the parameters are correct,
>> mainly because the data are taken using a Zend_Form subclass and the
>> validators do the hard job, but I have a doubt, because on the other
>> side the model classes are not safe used alone and they often need
>> controls on parameter correctness, otherwise they may go into an
>> inconsistent state, or even worse they could have some security
>> vulnerability if used without those checks.
>>
>> What do you suggest?
>
> I believe the consensus around here is the fat model, skinny controller
> concept; try searching the newsgroup on Nabble for it. Basically your
> model should handle all its ins and outs from any data, and your
> controller does very little other than call various models as required.
>
> You may also want to look into Zend_Form and its use as a validator,
> which you can then call in your model to validate and filter the data.
>
> In short, it's probably 'best' to change to your second method!
>
> Simon
Thanks for the answer. I've also found this article, and it clarifies some aspects of what you are saying: http://www.survivethedeepend.com/zendframeworkbook/en/1.0/the.model

One more thing, about the forms: currently I use the redirect-after-post pattern, so my actions that involve a form look like this code:

    public function someAction()
    {
        $form = $this->view->form = new someForm();
        if ($this->getRequest()->isPost() && $form->isValid($_POST)) {
            // stuff with model and form data
            ...
            // redirect to another page
            $this->_helper->redirector(...);
        }
    }

Is this correct, or should I move form instantiation and creation into the model? I think that the form should be created outside the model, because it is MVC related, not model related. Moreover, if I want to use my model in a non-MVC environment, such as cron jobs or unit tests, the model would be unusable. But if these assertions are correct, should I duplicate (aargh!!!) the input validation in the model to keep it secure against wrong data? This is not very clear to me.

-- 
View this message in context: http://www.nabble.com/Models-and-input-validation-best-practices-tp22691571p22715633.html
Sent from the Zend Framework mailing list archive at Nabble.com.
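The layout the thread converges on (fat model, skinny controller, one Zend_Form used both for rendering and as the validator the model calls itself, post/redirect/get in the action), written out as an added example. This is not code from the thread or from Zend Framework; it assumes Zend Framework 1.x with the autoloader registered and a default Zend_Db adapter set. The Account model, the `accounts` table, the AccountController and the ValidationException class are all hypothetical names chosen for the illustration.

```php
<?php
// Added example, not from the original thread. Assumes Zend Framework 1.x
// (Zend_Form, Zend_Controller_Action, Zend_Db_Table) is autoloadable and a
// default Zend_Db adapter is configured. Account, the 'accounts' table,
// AccountController and ValidationException are hypothetical names.

class ValidationException extends InvalidArgumentException
{
    private $_messages;

    public function __construct(array $messages)
    {
        parent::__construct('Invalid input: ' . json_encode($messages));
        $this->_messages = $messages;
    }

    public function getMessages()
    {
        return $this->_messages;
    }
}

// Fat model: it owns the validation rules. The same Zend_Form is handed to
// the controller for rendering and re-run inside the model, so the rules are
// written once and the model stays safe when called from a cron job or test.
class Account
{
    // Filters run before validators, so values reaching the model are
    // already trimmed and tag-stripped.
    public static function createForm()
    {
        $form = new Zend_Form();
        $form->setMethod('post');

        $form->addElement('text', 'username', array(
            'label'      => 'Username',
            'required'   => true,
            'filters'    => array('StringTrim', 'StripTags'),
            'validators' => array(
                array('StringLength', false, array(3, 32)),
                array('Regex', false, array('/^[A-Za-z0-9_]+$/')),
            ),
        ));
        $form->addElement('text', 'email', array(
            'label'      => 'E-mail',
            'required'   => true,
            'filters'    => array('StringTrim'),
            'validators' => array('EmailAddress'),
        ));
        $form->addElement('submit', 'register', array('label' => 'Register'));

        return $form;
    }

    // Accepts an untrusted array (request data, a CSV row from a cron job,
    // a test fixture). Validation is not duplicated: the model re-runs the
    // same form, so a caller that bypassed the controller still cannot push
    // unchecked data into the database.
    public static function register(array $input)
    {
        $form = self::createForm();
        if (!$form->isValid($input)) {
            throw new ValidationException($form->getMessages());
        }
        // getValues() returns only the form's own elements, filtered;
        // keys that are not elements are dropped (no mass assignment).
        $clean = $form->getValues();

        $table = new Zend_Db_Table(array('name' => 'accounts')); // assumed table
        return $table->insert(array(
            'username' => $clean['username'],
            'email'    => $clean['email'],
        ));
    }
}

// Skinny controller: render the form, hand POST data to the model, redirect
// on success (post/redirect/get). On failure isValid() is called here only
// so that the error messages are attached to the form the view renders.
class AccountController extends Zend_Controller_Action
{
    public function registerAction()
    {
        $form = $this->view->form = Account::createForm();

        if (!$this->getRequest()->isPost()) {
            return; // GET: render the empty form
        }

        $post = $this->getRequest()->getPost(); // testable, unlike raw $_POST
        try {
            Account::register($post);
        } catch (ValidationException $e) {
            $form->isValid($post); // attach messages; nothing was written
            return;
        }

        $this->_helper->redirector('thanks'); // PRG: refresh will not re-submit
    }
}
```

On an invalid POST the form's validators run twice (once in the model, once to decorate the form for the view); that cost is negligible compared with the alternative of a model that trusts whatever array it is given. A cron job or a unit test calls `Account::register($row)` directly and gets a ValidationException on bad data, which is exactly the "secure against wrong data" property the post asks about, without keeping a second copy of the rules.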