Ukuser36 opened this issue on Mar 19, 2024 · 3 comments
Labels: duplicate (Issue or pull request duplicates an already existing issue/pull request), wontfix (Current code behavior being reported or fixed is intentional and won't be changed)
Which operating systems have you tested for this bug?
Linux
Which server did you use?
apache
Database
MySql 8
What happened?
When providing an array to the Validation `run()` function, if a field isn't present and you also have a placeholder field in the same rule set (having been set with `setRules()`, such as `required|is_unique[users.Email,UserID,{UserID}]`), then `$this->retrievePlaceholders($row, $data);` is incorrectly returning results for fields that aren't in its scope of validation. As such, the error "No validation rules for the placeholder" gets triggered when the field isn't actually present in the ruleset.
Steps to Reproduce
For example, the following is passed to `setRules()`:

But the data provided to `run()` is:

```text
Array
(
    [UserID] =>
    [UserType] => 2
    [CompanyID] => 1
    [FirstName] => New
    [LastName] => user
    [Email] => [email protected]
    [UserLevel] => user
    [ResetPass] => 0
)
```

The error is generated "No validation rules for the placeholder: UserID", but clearly this isn't in the rule set.
Expected Output
No error regarding placeholders to be reported.
Anything else?
The solution is clearly to remove the data prior to submitting it to `run()`; however, `run()` should only be validating the data it needs to and not every field given.
Ukuser36 added the bug label (Verified issues on the current code behavior or pull requests that will fix them) on Mar 19, 2024
kenjis removed the bug label on Mar 19, 2024
The error message may not be good, but what the message is trying to tell you is that you must validate the placeholder field. How do you think we can improve the error messages?

> however run should only be validating data it needs to and not every field given.

No. You must validate all user input, because attackers can send any data to your server. If you don't validate all user input, it is just bad practice.

The rule `is_unique[users.email,id,{id}]` will be `is_unique[users.email,id,4]` in the example, and it would generate a SQL statement with something like `id != 4`. Then, what if an attacker sends `$_POST['id'] = '1; TRUNCATE TABLE users; --'`?

In that case, CI4's Query Builder will protect it, so no SQL statement will be created that would cause `TRUNCATE TABLE users;` to be executed. However, there is no need to process invalid data such as `'1; TRUNCATE TABLE users; --'` in the first place. Your app should validate it before processing, and stop processing.
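As an added example (not code from the issue, from kenjis, or from the framework), this is the rule set written the way the comment above asks for: the placeholder field `UserID` gets its own rule, so a hostile value is rejected before `is_unique` is ever built from it. The rules for the other fields, the `in_list` values, the sample e-mail and the `users` columns are assumptions based on the array in the issue.

```php
<?php
// Added example; assumes a CodeIgniter 4.4 app whose `users` table has
// Email and UserID columns (names taken from the issue's rule string).

$validation = \Config\Services::validation();

// Weak rule set: Email references {UserID}, but UserID itself has no rule.
// run() refuses this with "No validation rules for the placeholder: UserID",
// because an unvalidated value would otherwise be substituted into is_unique.
$weakRules = [
    'Email' => 'required|valid_email|is_unique[users.Email,UserID,{UserID}]',
];

// Hardened rule set: the placeholder field has its own rule, so {UserID} can
// only be empty (new user) or a natural number before the query is built.
// Rules other than the Email one are assumptions for illustration.
$rules = [
    'UserID'    => 'permit_empty|is_natural',
    'UserType'  => 'required|is_natural',
    'CompanyID' => 'required|is_natural_no_zero',
    'FirstName' => 'required|max_length[100]',
    'LastName'  => 'required|max_length[100]',
    'Email'     => 'required|valid_email|is_unique[users.Email,UserID,{UserID}]',
    'UserLevel' => 'required|in_list[user,admin]',
    'ResetPass' => 'required|in_list[0,1]',
];

// Constructed request: the array from the issue, but with the hostile UserID
// from the comment above instead of an empty one.
$data = [
    'UserID'    => '1; TRUNCATE TABLE users; --',
    'UserType'  => '2',
    'CompanyID' => '1',
    'FirstName' => 'New',
    'LastName'  => 'user',
    'Email'     => 'new.user@example.com',
    'UserLevel' => 'user',
    'ResetPass' => '0',
];

$validation->setRules($rules);

if (! $validation->run($data)) {
    // is_natural rejects the hostile UserID, so validation fails here and the
    // database is never touched; hand the field => message map back to the caller.
    $errors = $validation->getErrors();
}
```

With the empty `UserID` from the original report, `permit_empty` lets the placeholder through and `is_unique` runs as intended.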
PHP Version
8.2
CodeIgniter4 Version
4.4.4
CodeIgniter4 Installation Method
Manual (zip or tar.gz)