za_al
(Zakieh Alizadeh)
June 6, 2012, 10:42am
1
Hi
When we validate an attribute in the rules() function, is this validation server-side or client-side?
For example, a validation class for an incoming file:
    public function rules()
    {
        return array(
            // Custom validator class, referenced by path alias
            array('file', 'ext.MyValidators.fileNameValidator'),
            // Built-in file validator: extension whitelist and size limits
            array('file', 'file',
                'types' => 'pdf',
                'message' => 'Only files with these extensions are allowed: pdf',
                'maxSize' => 1024 * 1024 * 2, // 2MB
                'minSize' => 1024 * 2,        // 2KB
                'tooLarge' => 'The file was larger than 2MB. Please upload a smaller file.',
                'tooSmall' => 'The file was Too Small. Please upload a larger file.',
            ),
        );
    }
In other words, is all the validation in the rules() function server-side or client-side validation?
kokomo
(Mwerlberger85)
June 6, 2012, 1:55pm
2
Everything is on the server.
But there is the option CActiveForm.enableClientValidation to enable client validation.
I have in mind that not all Yii Validator classes are supported for client validation.
jacmoe
(Jacob Moena)
June 6, 2012, 1:59pm
3
/* Moved from Tips to General Discussion */
za_al
(Zakieh Alizadeh)
June 24, 2012, 10:31am
4
In order to secure file uploads, the MIME type of the file should be checked. I use the following code, but the worst-case scenario happens:
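    <?php
    // Wrapper class (name assumed) so that self::$mimeTypes resolves.
    class MimeTypeHelper
    {
        // Extension => MIME type fallback map (sample entry; the map is not shown in the post).
        private static $mimeTypes = array( 'pdf' => 'application/pdf' );

        public static function getMimeType( $file ) {
            $realpath = realpath( $file );
            if (
                $realpath
                && function_exists( 'finfo_file' )
                && function_exists( 'finfo_open' )
                && defined( 'FILEINFO_MIME_TYPE' )
            ) {
                // Preferred: detect the type from the file content via fileinfo
                return finfo_file( finfo_open( FILEINFO_MIME_TYPE ), $realpath );
            } elseif ( function_exists( 'mime_content_type' ) ) {
                return mime_content_type( $file );
            } else {
                // Worst-case scenario has happened, use the file extension to infer the mime-type
                $ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
                if ( isset( self::$mimeTypes[$ext] ) ) {
                    return self::$mimeTypes[$ext];
                }
            }
            return false;
        }
    }
    ?>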
Is there a Yii solution or a PHP solution to obtain the actual MIME type of a file?
jacmoe
(Jacob Moena)
July 10, 2012, 12:17pm
6
Put it client side.
I’ve modified the run function of EJqueryUpload extension, like this:
    public function run() {
        $script = <<<EOD
    $(function() {
        $('#{$this->id}').change(function() {
            // Alternatives are grouped so the leading dot and the end anchor apply to every extension
            var regexp = /\.(png|jpg|jpeg|gif|txt|patch|diff|bmp|log|zip|tgz|tar\.bz2|tar|tar\.gz|gz)$/i;
            if (!regexp.test($('#{$this->id}').val())) {
                alert('Only jpg, jpeg, gif, png, txt, patch, diff, bmp, log, zip, tgz, tar.bz2, bz2, tar, tar.gz and gz allowed');
                $('#{$this->id}').val('');
                return;
            }
            $(this).upload('{$this->url}', function(html) {
                $('#{$this->id}').val('');
                try {
                    // A JSON response with an "error" field signals a rejected upload
                    var obj = jQuery.parseJSON(html);
                    if (obj.error) {
                        alert(obj.error);
                        return;
                    }
                }
                catch (e) {
                    // Not JSON: treat the response as HTML and append it below
                }
                $('#{$this->result_id}').append(html);
            }, 'html');
        });
    });
    EOD;
        Yii::app()->clientScript->registerScript(__CLASS__ . '#' . $this->id, $script, CClientScript::POS_READY);
        echo "<input id='{$this->id}' type='file' name='file' />";
    }
It works for my project.
za_al
(Zakieh Alizadeh)
July 16, 2012, 9:20am
7
jacmoe:
Put it client side.
Thank you for your answer. But client-side validation does not provide real security.
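
A server-side check in plain PHP covering the points raised in this thread: size limits, an extension whitelist, and a MIME type read from the file content rather than inferred from the name. This is an added example, not code from any poster or from Yii; the function name `validateUpload`, the whitelist and the sample files are assumptions.

```php
<?php
// Added example: validateUpload(), the whitelist and the sample files are
// assumptions made for illustration, not code from Yii or from the thread.

/** Returns null when the upload is acceptable, otherwise an error message. */
function validateUpload($tmpPath, $clientName, array $allowed, $minSize, $maxSize)
{
    if (!is_file($tmpPath)) {
        return 'No file received.';
    }
    $size = filesize($tmpPath);
    if ($size < $minSize || $size > $maxSize) {
        return 'File size out of range.';
    }
    // Only the final extension counts: "invoice.pdf.php" yields "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'Extension not allowed.';
    }
    // Sniff the type from the content. If fileinfo is missing, fail closed
    // rather than trusting the client-supplied extension or Content-Type.
    if (!function_exists('finfo_open')) {
        return 'Server cannot verify the file type.';
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmpPath) : false;
    if ($mime !== $allowed[$ext]) {
        return 'File content does not match its extension.';
    }
    return null;
}

// Constructed sample uploads, written to temp files so the script runs offline.
$allowed = array('pdf' => 'application/pdf');
$pad     = str_repeat("% padding line\n", 200); // keeps files above the 2 KB minimum
$samples = array(
    'report.pdf'      => "%PDF-1.4\n" . $pad,            // starts with a PDF header
    'invoice.pdf'     => "<?php echo 'hi'; ?>\n" . $pad, // script renamed to .pdf
    'invoice.pdf.php' => "%PDF-1.4\n" . $pad,            // double extension
);
foreach ($samples as $name => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    $error = validateUpload($tmp, $name, $allowed, 1024 * 2, 1024 * 1024 * 2);
    echo $name, ': ', $error === null ? 'accepted' : $error, "\n";
    unlink($tmp);
}
```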