ZF-3563: Zend_Form_Element_Multi, when validating, do not confirm that the value is a valid selection

Issue Type: Improvement
Created: 2008-07-02T16:51:06.000+0000
Last Updated: 2008-09-02T10:38:52.000+0000
Status: Resolved
Fix version(s): 1.6.0 (02/Sep/08)

Reporter: Darien Hager (hagerd)
Assignee: Matthew Weier O'Phinney (matthew)
Tags: Zend_Form

Related issues: ZF-3286

Attachments: zend_multi_fix.patch


It seems that the Zend_Form_Element_Multi can validate even though the data presented by the user does not match a valid option.

Example case: Create a form with a select box, such as "Title" with the options "Mr" and "Mrs". If a user POSTs results that contain "foo", it will still validate. While there are cases where you may wish to skip this kind of check, it strikes me as a serious hole in the validation strategy, specifically from a security standpoint.

I'm very much a newbie to Zend_Form, but I've attached a patch that seems to fix the problem for single and multi-selects.
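The following is an added example, not the reporter's patch and not Zend Framework code: a plain-PHP allow-list check that mirrors what a Zend_Validate_InArray validator over the element's option keys does, covering both single and multi-selects. The option lists and posted values are constructed for the demo; the function name validateSelection is an assumption for illustration.

```php
<?php
// Added example (not from the ZF issue or the attached patch): an allow-list
// check for select values, modelled on Zend_Validate_InArray applied to the
// keys passed to setMultiOptions(). Plain PHP, no framework required.

/**
 * Validate a submitted select value against the option keys the form offered.
 *
 * @param array $options  key => label, as passed to setMultiOptions()
 * @param mixed $value    posted value: a scalar, or an array for multi-selects
 * @param bool  $multiple whether the element is a multi-select
 * @param bool  $required whether an empty submission is rejected
 * @return string[]       error messages; an empty array means the value is valid
 */
function validateSelection(array $options, $value, $multiple = false, $required = true)
{
    // Compare as strings: option keys arrive as strings from the request anyway.
    $allowed = array_map('strval', array_keys($options));
    $errors  = array();

    // Normalise to a list so single and multi-selects share one code path.
    if ($multiple) {
        if ($value !== null && !is_array($value)) {
            return array('Expected a list of values for a multi-select');
        }
        $values = (array) $value;
    } else {
        if (is_array($value)) {
            return array('Expected a single value, got an array');
        }
        $values = ($value === null || $value === '') ? array() : array($value);
    }

    if (empty($values)) {
        return $required ? array('Value is required') : array();
    }

    foreach ($values as $v) {
        // Strict comparison so "0" does not match "" and nested arrays are rejected.
        if (!is_scalar($v) || !in_array((string) $v, $allowed, true)) {
            $errors[] = sprintf("'%s' is not one of the offered options",
                                is_scalar($v) ? $v : gettype($v));
        }
    }
    return $errors;
}

// Constructed demo data: the "Title" select from the report plus a multi-select.
$title  = array('Mr' => 'Mr', 'Mrs' => 'Mrs');
$colors = array('r' => 'Red', 'g' => 'Green', 'b' => 'Blue');

$cases = array(
    array($title,  'Mr',            false, true),  // valid
    array($title,  'foo',           false, true),  // the hole described in the report
    array($title,  array('Mr'),     false, true),  // array where a scalar is expected
    array($colors, array('r', 'b'), true,  true),  // valid multi-select
    array($colors, array('r', 'x'), true,  true),  // one member outside the allow-list
    array($colors, array(),         true,  false), // optional element, nothing chosen
);

foreach ($cases as $i => $c) {
    list($opts, $posted, $multi, $req) = $c;
    $errors = validateSelection($opts, $posted, $multi, $req);
    printf("case %d: %s\n", $i, $errors ? implode('; ', $errors) : 'valid');
}
```

Run with `php example.php`; only cases 0, 3 and 5 report "valid". The check is keyed on the option keys, not the labels, because the key is what the browser submits; in a Zend_Form the equivalent is attaching Zend_Validate_InArray with array_keys of the element's options, which is the default behaviour the 1.6 fix adds.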


Posted by Darien Hager (hagerd) on 2008-07-07T10:45:04.000+0000


In retrospect, this might be better solved in some cases with an automatic addition of the InArray filter (Zend_Validate_InArray)... I'm not sure how best to fix this issue, if it should be fixed.

I guess the main point is that this is somewhere that there was a breakdown between developer assumptions of how Zend_Form's validation worked versus its actual effects, and the proper action might be a documentation change instead.

Posted by Matthew Weier O'Phinney (matthew) on 2008-08-04T06:15:11.000+0000

I'm going to agree that an InArray validator should be added by default, and am scheduling for 1.6.

Posted by Matthew Weier O'Phinney (matthew) on 2008-08-04T13:26:55.000+0000

Closed with ZF-3286

Posted by Wil Sinclair (wil) on 2008-09-02T10:38:52.000+0000

Updating for the 1.6.0 release.
