CakePHP data validation
You'll now take a brief look at CakePHP data validation by putting some
basic validation for users in place, based on regular expressions you
define yourself. By writing your own regular expressions for data
validation, you can exercise more control over the pass/fail criteria
for individual form fields within Tor.
The Tor user model
Take another look at the user model.
Listing 21. The user model
<?php
class User extends AppModel
{
    var $name = 'User';
    var $validate = array(
        'username' => VALID_NOT_EMPTY,
        'password' => VALID_NOT_EMPTY,
        'email'    => VALID_EMAIL
    );
}
?>
This is a good start, but it's not enough. You'll want to make sure the
field lengths are honored and that the username does not already
exist. You will accomplish this by defining your own regular
expressions for validation and by adding a method that checks the users
table for the username before the user is saved.
Regular expressions (briefly)
A full discussion of regular expressions is outside the scope of this
tutorial. The PHP Manual documents the PCRE functions and pattern syntax
and should be reviewed before going too far in rolling your own data
validation regular expressions (see Resources).
A regular expression is basically a pattern of characters used to test
whether a string matches that pattern. For example, in a regular
expression the character . matches any one character (except a newline),
and the quantifier * means "zero or more of the preceding item", so .*
matches any run of characters, including an empty one. If you don't know
anything about regular expressions, don't worry. The example below should
help get you started.
Roll your own validation
CakePHP provides some built-in data validation regular expressions,
including VALID_NOT_EMPTY, VALID_NUMBER, VALID_EMAIL, and VALID_YEAR.
These constants are defined in cake/libs/validators.php and shouldn't be
modified, although you may find it helpful to review them.
For the username and password fields, you need to validate that the
submitted data is no longer than 40 characters. It is also helpful to
verify that the username and password are at least six characters. A
regular expression to match strings with a length between six and 40
characters would look something like this:
/^.{6,40}$/. Reading that regular expression from left to right:
/ — Marks the beginning of the regular expression
^ — Says from the beginning of the string
. — Says any one character (except a newline)
{6,40} — Says at least six times, but no more than 40 times
$ — Says and the string ends
/ — Marks the end of the regular expression
So, read altogether, this regular expression says "from the beginning
of the string, any characters, at least six but not more than 40, and
then the string ends."
Two details of PHP's PCRE engine matter when a pattern like this is used
for validation. First, $ also matches just before a final newline, so a
value such as "alice1" followed by a newline passes; add the D modifier
(/^.{6,40}$/D) or end the pattern with \z instead of $ if you want the
match to stop at the true end of the string. Second, without the u
modifier the . counts bytes rather than UTF-8 characters, so a
three-character name in accented letters can satisfy the six-byte
minimum.
To put the regular expression to use (see Listing 22), replace the
instances of VALID_NOT_EMPTY with the
regular expression, in single quotes (to prevent PHP from trying to
interpret any of the special characters).
Listing 22. Regular expression in PHP script
<?php
class User extends AppModel
{
    var $name = 'User';
    var $validate = array(
        'username' => '/^.{6,40}$/',
        'password' => '/^.{6,40}$/',
        'email'    => VALID_EMAIL
    );
}
?>
Make sure you've saved all of your files, go back to
http://localhost/users/register, and try to register a user with a
four-character username. You should see something like Figure 11.
Figure 11. Data validation
Regular expressions are versatile, but they can't do things like tell
you if a username has already been registered.
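Before moving on, here is an added stand-alone PHP script (not code from the tutorial or from CakePHP) that runs the length pattern from Listing 22 against a handful of constructed inputs, alongside two tightened variants of the same pattern. The inputs and the variant names are assumptions made for this example; the file is assumed to be saved as UTF-8.

```php
<?php
// Added example, not code from the tutorial. It runs the length pattern from
// Listing 22 against constructed inputs so you can see exactly what it
// accepts, alongside two tightened variants. Needs only PHP's PCRE support;
// this file is assumed to be saved as UTF-8.

$patterns = array(
    'tutorial'   => '/^.{6,40}$/',    // the pattern used in Listing 22
    'D modifier' => '/^.{6,40}$/D',   // "$" must be the true end of the string
    'Du'         => '/^.{6,40}$/Du',  // "u": "." counts UTF-8 characters, not bytes
);

// Constructed inputs: value, then a description. Double quotes make "\n" real.
$inputs = array(
    array('abcd',               'four characters'),
    array('alice1',             'exactly six characters'),
    array(str_repeat('a', 40),  'exactly 40 characters'),
    array(str_repeat('a', 41),  '41 characters'),
    array("alice1\n",           'six characters plus a trailing newline'),
    array("ab\ncdef",           'seven characters with a newline inside'),
    array('ééé',                'three characters, six bytes in UTF-8'),
);

// Returns true when $value satisfies $pattern. preg_match() yields 1, 0 or
// false (on a PCRE error), so the error case is turned into an exception
// rather than silently treated as "invalid".
function matches_length_rule($pattern, $value)
{
    $result = preg_match($pattern, $value);
    if ($result === false) {
        throw new RuntimeException('PCRE error while evaluating ' . $pattern);
    }
    return $result === 1;
}

foreach ($inputs as $case) {
    list($value, $description) = $case;
    $line = str_pad($description, 42);
    foreach ($patterns as $name => $pattern) {
        $verdict = matches_length_rule($pattern, $value) ? 'pass' : 'fail';
        $line .= ' | ' . $name . ': ' . $verdict;
    }
    echo $line, "\n";
}
```

Run it from the command line with php. The rows worth comparing are the trailing newline, which the tutorial's pattern accepts because $ matches before a final newline while the D variant does not, and the accented name, which the byte-counting patterns accept and the u variant rejects. Whichever variant you settle on goes into $validate exactly as in Listing 22.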
Taking validation further
Sometimes you can't tell if data is valid just by looking at it. For
example, the username may be between six and 40 characters, but you
will have to check the database to see if the username is already
taken. CakePHP provides the ability to manually mark a field as
invalid. Take a look at the beforeValidate
method in Listing 23. This method would be added to the user
model.
Listing 23. Validate the username
function beforeValidate() {
    // Only run the uniqueness check when creating a new user (no ID yet).
    if (!$this->id) {
        // Count existing users with the submitted username; guard against
        // the field being absent from the submitted data.
        if (isset($this->data['User']['username'])
            && $this->findCount(array('User.username' => $this->data['User']['username'])) > 0) {
            // Mark a pseudo-field the view can show a message for, and stop.
            $this->invalidate('username_unique');
            return false;
        }
    }
    return true;
}
This method tells the model that, before any validation is run, it should
check whether the submitted data has an ID. If there is no ID (a new
user), it looks for other users with the same username. If there are
any, it marks username_unique invalid and skips any remaining validation
(return false). Two things to keep in mind: because the check runs only
when there is no ID, a user who can later edit their own record could
change their username to one that is already taken, so an update path
needs the same check with the user's own row excluded; and a lookup in
application code can race with a concurrent registration of the same
name, so back it with a UNIQUE index on the username column in the
database. You can take full advantage of this check by changing the
username input line in the register.ctp view to the following.
Listing 24. New username input line
echo $form->input('username', array(
    'after' => $form->error('username_unique', 'The username is taken. Please try again.')
));
This tells the register view to display the given message whenever the
username_unique field has been marked invalid, as you designated in the
beforeValidate method.
Save your files and try it out. Go to
http://localhost/users/knownusers to get a list of existing users. Then
go to http://localhost/users/register and try to create one with the
same username. You should see the following.
Figure 12. Data validation successful
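The following is an added example, not code from the tutorial or from CakePHP. It reproduces the "look before you save" check of Listing 23 in plain PDO against an in-memory SQLite database (a constructed stand-in for Tor's users table, with assumed column names and sample users), and then shows the two gaps a practitioner should close: the same check must run when an existing user changes their username, and only a UNIQUE index in the database can stop two simultaneous registrations of the same name. It assumes PHP's pdo_sqlite driver is available.

```php
<?php
// Added example, not code from the tutorial or from CakePHP. It reproduces
// the "look before you save" check from Listing 23 in plain PDO, then shows
// the two gaps to close: the check must also run when an existing user changes
// their username, and only a UNIQUE index in the database can stop two
// simultaneous registrations of the same name. The in-memory SQLite table is a
// constructed stand-in for Tor's users table; pdo_sqlite is assumed available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(40)  NOT NULL UNIQUE,   -- the real guarantee of uniqueness
    password VARCHAR(40)  NOT NULL,
    email    VARCHAR(255) NOT NULL
)');

// Equivalent of the findCount() call in beforeValidate(). When $exclude_id is
// given (an update), the user's own row must not count as a collision.
function username_taken(PDO $db, $username, $exclude_id = null)
{
    if ($exclude_id === null) {
        $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
        $stmt->execute(array($username));
    } else {
        $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND id <> ?');
        $stmt->execute(array($username, $exclude_id));
    }
    return (int) $stmt->fetchColumn() > 0;
}

// Returns true when the row was written, false when the username is taken,
// whether the lookup or the database constraint caught it.
function register(PDO $db, $username, $password, $email)
{
    if (username_taken($db, $username)) {
        return false;   // what $this->invalidate('username_unique') signals in the model
    }
    try {
        $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
        $stmt->execute(array($username, $password, $email));
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation. Two requests that both
        // passed username_taken() a moment ago land here; the index lets one
        // insert through and rejects the other.
        if ($e->getCode() == '23000') {
            return false;
        }
        throw $e;
    }
}

// The update path: the same check, excluding the user's own row.
function rename_user(PDO $db, $id, $new_username)
{
    if (username_taken($db, $new_username, $id)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET username = ? WHERE id = ?');
    $stmt->execute(array($new_username, $id));
    return true;
}

function verdict($accepted)
{
    return $accepted ? 'accepted' : 'rejected';
}

echo 'register alice1:       ', verdict(register($db, 'alice1', 'placeholder', 'alice@example.com')), "\n";
echo 'register alice1 again: ', verdict(register($db, 'alice1', 'placeholder', 'other@example.com')), "\n";
echo 'register bob123:       ', verdict(register($db, 'bob123', 'placeholder', 'bob@example.com')), "\n";

// Without $exclude_id, bob keeping his own name would be flagged as a
// collision; with it, only a name owned by someone else is refused.
echo 'bob keeps bob123:      ', verdict(rename_user($db, 2, 'bob123')), "\n";
echo 'bob takes alice1:      ', verdict(rename_user($db, 2, 'alice1')), "\n";

// Simulate the race: an insert that never went through username_taken(), as
// if another request had done its lookup before alice1 existed. Only the
// UNIQUE index stands in its way.
try {
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    $stmt->execute(array('alice1', 'placeholder', 'race@example.com'));
    echo "race insert:           accepted (is the UNIQUE index missing?)\n";
} catch (PDOException $e) {
    echo 'race insert:           rejected by the database, SQLSTATE ', $e->getCode(), "\n";
}
```

The lookup in beforeValidate() gives the user a friendly message in the common case; the index is what actually guarantees uniqueness when two registrations overlap, so keep both. How a constraint violation raised during save() is mapped back to the same username_unique message is up to the application and is not shown here.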
Good data validation is an important step in creating any secure
application. As you build the Tor application, look for opportunities
to improve the data validation. Don't be afraid to put in more data
validation than this tutorial demonstrates. Never assume your users
are sending you the data you asked for. Validate everything. CakePHP
makes it easy.