CakePHP绕过验证规则

时间:2013-01-05 01:40:07

标签: php validation cakephp

我有一个Post模型,它具有以下验证规则:

public $validate = array(
    'title' => array(
        'between' => array(
            'rule' => array('between', 1, 60),
            'message' => 'Between 1 and 60 characters in length'
        ),
        'format' => array(
            'rule' => array('custom', '~[a-zA-Z0-9\s-]~'),
            'message' => 'Alphanumeric characters, spaces and dashes (-) only'
        )
    ),
    'body' => array(
        'between' => array(
            'rule' => array('between', 1, 65535),
            'message' => 'Between 1 and 65535 characters in length'
        )
    ),
    'slug' => array(
        'between' => array(
            'rule' => array('between', 1, 60),
            'message' => 'Between 1 and 60 characters in length'
        ),
        'format' => array(
            'rule' => array('custom', '~[a-zA-Z0-9-]~'),
            'message' => 'Alphanumeric characters and dashes (-) only'
        )
    )
);

我还可以插入一个新帖子,如下所示:

<?php $this->Html->script('add-post', array('inline' => false)); ?>

<h1>Add post</h1>

<?php echo $this->Form->create('Post'); ?>
<?php echo $this->Form->input('title'); ?>
<?php echo $this->Form->input('body'); ?>
<?php echo $this->Form->input('slug'); ?>
<?php echo $this->Form->end('Publish'); ?>

现在,当我提交标题类似于blog post title £$&£$^£$的表单时,它会通过并插入,尽管正则表达式与该标题中的符号不​​匹配。这种情况发生在使用正则表达式检查格式的所有字段上。

但是,如果我尝试提交一条未通过between规则的帖子(如标题超过60个字符),则会成功引发验证错误。

这里可能出现什么问题?

1 个答案:

答案 0 :(得分:2)

您的正则表达式模式仅检查字符串中 where 中是否至少找到其中一个字符。因此,如果您仅发布£$&£$^£$,它将会失败,因为在该字符串中的任何位置都找不到有效字符。您应该用以下内容替换规则:

~^[a-zA-Z0-9\s-]+$~