Geek Answers Handbook

Should validation be done on Form or model objects?

This question is mainly focused on Zend in PHP, although it certainly applies to other languages ​​and frameworks, so I welcome any opinion.

I only recently used the Zend framework, and although it is not perfect, I had a pretty good time with it. However, one thing that drives me crazy is that most of the examples that I see for people using Zend do alimony in special form objects , not in the model. I think this is bad practice, because the data can be entered into the system in other ways than entering the form, which means that either the validators must be bent and twisted to check another input, or the validation must be done in second place, and the logical duplication.

I found some other posts and blogs there with people who feel the same way I do, but the Zend developers made this choice for some reason, and other people seem to use it without a problem, so I wanted to get feedback from community here.

As I said, this mainly applies to Zend, although I consider it important to consider the problem as a whole, and not work within the framework of Zend, since Zend was designed so that you can use as much or as little as you want.

+4
source share
8 answers

This is an uncertain answer, but I believe that the model should be responsible for the reliability of its data. If so, then the validation belongs to the model, however it may not always be achievable, and it may be necessary to perform a check in the view, however I think that this should be in addition to the check performed in the model, and not a replacement for it.

The problem with only validation in the view is that at some point you will probably need a different view of your data. Your site may become popular, and customers are requesting an XML-based API to generate their own views. Then do you rely on the client to verify the data?

Even if you don’t need to provide APIs, some clients may want customized views to be different enough to guarantee a completely different version of the page, and now you are checking for duplicate views.

I think the ideal scenario is for your model to validate, but for the validation results to be visible, to read and display the page again with the validation results displayed.

I think it is reasonable that the view perform validation if you want to instantly display validation data for the user, etc., but the final decision on the validity of the data should be left with the model.

+3
source

Well, validation can be done at different levels, and usually none of them is "best." Of course, the model can be filled with invalid data that does not come from the form, but we can also create forms whose data does not fall into any model.

In addition, direct validation in models is not integrated with our form visualization system, which causes problems if we want to show error messages and re-fill the form with the data entered by the user.

Both solutions have their pros and cons. It would be ideal to have a system that ensures that the final audit must be carried out at some level. If the form does not validate some data, then the model does and vice versa. Unfortunately, I have not heard of such a library, but I must note that the validators in the infrastructure are independent of the source. You can pass POST data to them, but the same thing can be done with information obtained from correctly analyzed CSVs, MYSQL databases, etc.

+3
source

It is important to remember that data validation related to the application does not always coincide with data validation related to the database schema.

Consider a simple registration form in which a user creates an account with a username and password. You do a password check because you want it to be the X number of characters in length and contain a good combination of character types (or something else).

But none of this has anything to do with checking the data to insert the database, since you are not going to store text passwords - you are going to somehow save the hash from them (md5, md5 + salt, no difference). Instead, you can make sure that you have a 32-character hexadecimal string, so it will most likely be a properly created MD5 hash.

This password example is not the only scenario, just good for explanation here in this section.

So what is the answer? I don’t think there are any one-time solutions. Sometimes you need to (need?) Double-check the data. Sometimes you will only do this once in the Model. Just match it as best as possible with the needs of your application.

+3
source

Perhaps you should take a look at Using Zend_Form in your models Matthew Weier O'Finney - one of the leading developers of the Zend Framework - for his view of this question.

+3
source

I do not know Zend. But.

Your model should receive reliable data. The model and methods do not have to validate the data again and again. Of course, there must be functions that perform the actual check, and they should be called from the gui check or from another data entry point.

The best you can do on the side of your model is to call “Approval” in all the data to be sure of the development time when the validation has been replaced.

The lower code level (UI, model, utils) should be less than the verification and verification code. As then, there is a high probability that the same validation will be caused by more than one.

0
source

How about doing aesthetic validation in form and validating business rules in a model.

Take the registration form, for example.

The form will ensure that the email field is truncated and contains a valid email, that the password / password confirmation field is identical, and that the user has selected the I agree to the conditions box.

The registration model will make sure that the letter has not yet been sent in the table, will salt and hash the password.

As I usually separate the two.

0
source

User input should be checked when it is entered because it is specific to the recording form (i.e. does some form validation - make sure the text fields that must have numbers are numbers).

The business logic should probably be tested on the model as it is model (i.e. make sure they already reserved the same room or something like that).

The problem with checking it at the model level is that the model can be used in different ways. Correct input for one scenario may be incorrect for another.

Another problem is that you usually need some context checking, for example when displaying a red block around a form control that has bad input.

A model or database may perform some additional validation to ensure that the user code is not doing something completely wrong (restrictions, etc.).

0
source

Peter Bailey's password example is great. The user model can only check if a password has been set (since it was not saved as plain text but as a hash), while input verification can ensure that the original text password meets the security requirements (number of characters, ...). Therefore, you need both: model validation and form / input validation, ideally as a separate reusable component, and not directly in the bloated controller actions.

Think of validating the input as validating a white list ("accept known good") and confirming the model as validating a blacklist ("reject known bad"). Whitelisting is safer, while blacklisting prevents your model layer from being overly restrictive to very specific use cases.

Incorrect model data should always throw an exception (otherwise the application may continue to work without noticing errors), while invalid input values ​​coming from external sources are not unexpected, but rather ordinary (unless you have received users who never make a mistake).

See also: https://lastzero.net/2015/11/form-validation-vs-model-validation/

0
source

More articles:


All Articles