andrey613 / php-form-builder-class

Automatically exported from code.google.com/p/php-form-builder-class
GNU General Public License v3.0
0 stars 0 forks source link

Validation flaw if session is expired #141

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,

I'm studying this plugin to see if I can use it for a project.

I studied how validation work, and I found a flaw: function Form::isValid() 
returns true by default. If session is expired it can't retrieve the serialized 
form object with validation settings, so it skips validation and returns true 
as if it was valid.

You can reproduce the bug using the validation.php example:
1) Open http://www.imavex.com/pfbc2.x-php5/examples/validation.php
2) Delete the session cookie
3) Enter invalid data and submit the form

Redirect occurs, but no error messages are shown. Function 
Form::isValid($_POST["form"]) returns true, so if you "proceed with further 
processing" as suggested by comments in validation.php, you may work on invalid 
data, possibly leading to further problems.

So i think Form::isValid() should return false if it can't retrieve the 
original form in session, and an error message should be shown.

Original issue reported on code.google.com by fabiofab...@gmail.com on 27 Jun 2011 at 7:21

GoogleCodeExporter commented 8 years ago
Thanks for the feedback.  I agree with you and will make this update for the 
2.3 version release.

- Andrew

Original comment by ajporterfield@gmail.com on 28 Jun 2011 at 6:37

GoogleCodeExporter commented 8 years ago
r531 provides a solution to this issue.

Original comment by ajporterfield@gmail.com on 30 Jun 2011 at 3:08