Alexey Vasilyevich, 2017-02-15 19:53:12
Yii

Tighten or relax data validation rules?

Share your opinion / experience - what, in your opinion, is the right thing to do?
Data comes from the user to the server (say, on Yii2). Validation rules are applied, then we save it to the database. In which direction should the validation conditions tighten: from the framework toward the database (i.e. the framework should be the more meticulous one) or vice versa?
For example, we get some item_id
- first we make sure that this is a positive integer
- then we check that this same item_id is in the items table
- ...
- we save it in the database
or
- just make sure that item_id != null
- we save it in the database, while the field (when creating the table) is set as INTEGER UNIQUE
In the first case we catch errors up front; in the second, after the fact (exceptions).
The question is perhaps a matter of taste, but maybe there are some serious arguments in favor of the first or the second approach.


2 answer(s)
xmoonlight, 2017-02-15
@xmoonlight

There is a clear logic for this situation:
1. In the framework we only check the data type:
is item_id a positive integer?
1.1 Yes: we pass it to the template that generates the query to the database.
1.2 No: we raise an error in the framework, as invalid user input.
2. Existence is checked by the save request in the database itself, through WHERE; thus one request instead of two requests plus a check. We hand it to the database and catch the request's execution code.
If the request to add to the database was not successful:
2.1 either request detailed information about the error,
2.2 or DO NOT request it and immediately raise an "add failed" error in the framework.
The cheat sheet looks like this:
1. We validate the data right before using it.
2. If the receiving party (system module) performs validation without security implications and with the necessary processing logic preserved, we always delegate the validation to the receiving party (in this example, the database server).
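
Both layers side by side, as an added example that is not part of the question or of xmoonlight's answer: the question's strict variant (type check plus an `exist` lookup in Yii2 rules) and the answer's lean variant (type check only, existence enforced by a database constraint and the resulting execution error caught). The code uses the public Yii2 ActiveRecord and Migration API; the table names `orders` and `items`, the classes `Item` and `OrderItem`, the constraint name and the migration class name are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original thread). Table and class names
// (orders, items, OrderItem, Item) are assumed for illustration.

use yii\db\ActiveRecord;
use yii\db\IntegrityException;

class Item extends ActiveRecord
{
    public static function tableName()
    {
        return 'items';
    }
}

class OrderItem extends ActiveRecord
{
    public static function tableName()
    {
        return 'orders';
    }

    public function rules()
    {
        return [
            // Layer 1 (framework): reject anything that is not a positive integer
            // before it gets anywhere near the query builder.
            ['item_id', 'required'],
            ['item_id', 'integer', 'min' => 1],
            // The question's "strict" variant: an extra SELECT that confirms the
            // row exists. Remove this rule to follow xmoonlight's variant, where
            // the database constraint below is the only existence check.
            ['item_id', 'exist', 'targetClass' => Item::class, 'targetAttribute' => 'id'],
        ];
    }
}

/**
 * Layer 2 (database): the migration that turns the existence check into a hard
 * constraint. It holds regardless of which rules() the model declares, so an
 * orphan item_id cannot be stored even if application code skips validation.
 */
class m170215_000000_add_item_fk extends \yii\db\Migration
{
    public function safeUp()
    {
        $this->addForeignKey('fk_orders_item', 'orders', 'item_id', 'items', 'id', 'RESTRICT', 'CASCADE');
    }

    public function safeDown()
    {
        $this->dropForeignKey('fk_orders_item', 'orders');
    }
}

/**
 * Request handler: type/range failures come back as field errors; a constraint
 * violation raised by the database is caught and mapped to a field error too,
 * so the raw driver message (table and column names) never reaches the client.
 *
 * @return array  ['saved' => bool, 'errors' => array]
 */
function saveOrderItem(array $post): array
{
    $model = new OrderItem();
    $model->load($post, '');          // '' = attributes sit at the top level of $post

    if (!$model->validate()) {
        return ['saved' => false, 'errors' => $model->getErrors()];
    }

    try {
        $model->save(false);          // already validated above; skip a second pass
    } catch (IntegrityException $e) {
        // FK or UNIQUE violation: keep the detail in the log, return a generic error.
        \Yii::error($e->getMessage(), __METHOD__);
        $model->addError('item_id', 'Item does not exist or is already used.');
        return ['saved' => false, 'errors' => $model->getErrors()];
    }

    return ['saved' => true, 'errors' => []];
}
```

The split follows the answer's cheat sheet: the framework checks what only it can check cheaply (type and range, before the value is interpolated into anything), and the database enforces the invariant it owns (referential integrity and uniqueness). Catching `IntegrityException` and substituting a fixed message is what keeps the second variant from leaking schema details, which is the "how detailed" concern raised in the other answer.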

Axian Ltd., 2017-02-15
@AxianLTD

IMHO, it depends, among other things, on whether you will return an error or not, and how detailed it is.
