Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's 100% free, no registration required.

I was told to post this here - original post.

I'm fairly new to MVC concepts and PHP input validation.

I'm open to all input, but I'm largely wanting to know if the following:

  1. Follows the MVC pattern correctly - if not, how can I change it to better follow that?

  2. Has any huge apparent security flaws with the validation procedure - if so, what are they and do you have any suggestions for how I can address it?

The assumptions are that this form will be available to a pre-defined set of persons within my company on our intranet. It connects to a MySQL database through PDO and utilizes only parameterized queries when working with variables. The actual code checks many more fields and does it for Bid, Campus, Contact, and Company (all exist as separate models and tables).

Bid_Controller.php

class Bid_Controller extends Controller{

    public function index(){
        //load default view that contains the initial form, form action targets the Bid_Controller->process method through routing
    }

    public function process(){
        $this->load->model('Bid_Model', 'bid');

        if($this->bid->validateBid()){
            // try to save the bid
            // show errors on fail, success message on success
        }else{
            // load default view, pre-populate fields, show form errors
        }
    }

}

Bid_Model.php

class Bid_Model extends Model{
    public $bid_date_open;   // assume a POST of '9/17/2013' for this
    public $bid_location;    // assume a POST of 'Texas' for this
    public $bid_company;     // assume a POST of 'Walmart' for this
    public $bid_probability; // assume a POST of '50' for this (name matches the POST field used below)

    private $errors = array(); // must start as an array; appending to an uninitialised property fails

    public function validateBid(){

        $requiredFields = array(
            // format of 'field_name', FILTER_TYPE, FILTER_OPTIONS, 'Error Message.'
            // (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
            array('bid_company', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH, "You must enter a company."),
            array('bid_location', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH, "You must enter a location.")
        );

        foreach ($requiredFields as $data) {
            // filter_input() returns null for an absent field instead of raising an undefined-index notice
            $sanitizedInput = filter_input(INPUT_POST, $data[0], $data[1], $data[2]);

            // strict check rather than empty(): empty('0') is true, which would reject a legitimate "0"
            if ($sanitizedInput === null || $sanitizedInput === false || $sanitizedInput === '') {
                // braces are required: $this->$data[0] is parsed as ($this->$data)[0] in PHP 7+
                $this->{$data[0]} = null;
                $this->errors[] = $data[3];
            } else {
                $this->{$data[0]} = $sanitizedInput;
            }
        }

        $notRequiredFields = array(
            // format of 'field_name', FILTER_TYPE, FILTER_OPTIONS, 'default value'
            array('bid_date_open', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH, null),
            // FILTER_SANITIZE_INT does not exist; the integer sanitiser is FILTER_SANITIZE_NUMBER_INT
            array('bid_probability', FILTER_SANITIZE_NUMBER_INT, 0, null)
        );

        foreach ($notRequiredFields as $data) {
            $sanitizedInput = filter_input(INPUT_POST, $data[0], $data[1], $data[2]);

            if ($sanitizedInput === null || $sanitizedInput === false || $sanitizedInput === '') {
                $this->{$data[0]} = $data[3];
            } else {
                $this->{$data[0]} = $sanitizedInput;
            }
        }

        // the controller branches on this value; without a return the method always yields null
        return empty($this->errors);
    }

    public function fetchErrors(){
        return $this->errors; // always an array, possibly empty
    }

    public function saveBid(){
        // use the public variables above as parameters in PDO insert query
    }

}

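The following is an added example, not the asker's code, showing the shape a reviewer would suggest for the validation step above: whitelist validation with FILTER_VALIDATE_* and explicit format checks instead of FILTER_SANITIZE_* (which silently rewrites the input rather than rejecting it), a strict check so that a probability of "0" is not dropped, dates normalised to a form MySQL accepts, and HTML escaping left to the view. It assumes PHP 8.0+, the four field names from the question, and a hypothetical `bid` table whose columns carry the same names; the sample input at the bottom is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumes a `bid` table with columns
// bid_company, bid_location, bid_date_open (DATE), bid_probability (INT), and a PDO $pdo.
final class BidInput
{
    /** @var array<string,string> field => error message */
    private array $errors = [];
    /** @var array<string,mixed> field => validated value */
    private array $clean = [];

    public function __construct(private array $post) {}

    /** Validate every field; returns true only when no error was recorded. */
    public function validate(): bool
    {
        // Required free-text fields: bound length and character set, reject on failure
        // instead of stripping characters and storing whatever is left.
        foreach (['bid_company' => 'company', 'bid_location' => 'location'] as $field => $label) {
            $value = trim((string)($this->post[$field] ?? ''));
            if ($value === '') {
                $this->errors[$field] = "You must enter a $label.";
            } elseif (!preg_match('/^[\p{L}\p{N} .,&\'-]{1,100}$/u', $value)) {
                $this->errors[$field] = "The $label contains unsupported characters or is too long.";
            } else {
                $this->clean[$field] = $value;
            }
        }

        // Optional date in M/D/YYYY: parse it, then round-trip to catch e.g. 2/30/2013
        // (which createFromFormat would otherwise roll over to March 2), and store as Y-m-d.
        $date = trim((string)($this->post['bid_date_open'] ?? ''));
        if ($date === '') {
            $this->clean['bid_date_open'] = null;
        } else {
            $dt = DateTime::createFromFormat('!n/j/Y', $date);
            if ($dt === false || $dt->format('n/j/Y') !== $date) {
                $this->errors['bid_date_open'] = 'Enter the open date as M/D/YYYY.';
            } else {
                $this->clean['bid_date_open'] = $dt->format('Y-m-d');
            }
        }

        // Optional integer percentage. FILTER_VALIDATE_INT with a range rejects "50abc",
        // "1e3" and out-of-range values; a strict empty check keeps "0" as a valid value.
        $prob = $this->post['bid_probability'] ?? '';
        if ($prob === '' || $prob === null) {
            $this->clean['bid_probability'] = null;
        } else {
            $n = filter_var($prob, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 100]]);
            if ($n === false) {
                $this->errors['bid_probability'] = 'Probability must be a whole number from 0 to 100.';
            } else {
                $this->clean['bid_probability'] = $n;
            }
        }

        return $this->errors === [];
    }

    public function errors(): array { return $this->errors; }
    public function values(): array { return $this->clean; }

    /** Only call after validate() returned true. Named placeholders keep values out of the SQL text. */
    public function save(PDO $pdo): void
    {
        $sql = 'INSERT INTO bid (bid_company, bid_location, bid_date_open, bid_probability)
                VALUES (:bid_company, :bid_location, :bid_date_open, :bid_probability)';
        $pdo->prepare($sql)->execute($this->clean);
    }
}

// Escaping for HTML belongs in the view, at output time, not in the validation layer.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample POST: the question's example values plus one malformed probability.
$input = new BidInput([
    'bid_company'     => 'Walmart',
    'bid_location'    => 'Texas',
    'bid_date_open'   => '9/17/2013',
    'bid_probability' => '50abc',
]);
if (!$input->validate()) {
    foreach ($input->errors() as $field => $msg) {
        echo e($field) . ': ' . e($msg) . "\n";
    }
}
```

The point of the design is the separation of concerns the question is asking about: the model decides whether input is acceptable and refuses it otherwise, PDO placeholders keep the database safe regardless of what the strings contain, and `htmlspecialchars()` at render time protects the page when the pre-populated form is shown again. Stripping "low" and "high" bytes does none of those three jobs, so it should not be relied on as the security control.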