Checking the validity of fields submitted by a form helps protect data security. This feature is an important part of the security features in 3.1. This article introduces the field validity check in ThinkPHP 3.1.
ThinkPHP 3.1 adds a validity check for fields submitted by forms to better protect data security. This feature is an important part of the 3.1 security features.
The validity check of form fields takes effect only when the create method is used to create data objects. There are two ways to use it:
I. Attribute Definition
You can configure the insertFields and updateFields attributes on the model to define which form fields are allowed when adding and when editing. When a data object is created with the create method, fields outside the defined set are discarded, which prevents illegal data from being submitted.
The insertFields and updateFields attributes are set using strings (multiple fields are separated by commas) or arrays, for example:
class UserModel extends Model {
    // Fields accepted when adding a record
    protected $insertFields = array('account', 'password', 'nickname', 'email');
    // Fields accepted when editing a record
    protected $updateFields = array('nickname', 'email');
}
The fields set here should be the actual data table fields; they are not affected by field mapping.
When we call the create method, the insertFields or updateFields attribute is selected automatically based on the submission type:
D('User')->create();
When the create method is used to create a data object, fields other than 'account', 'password', 'nickname', and 'email' are blocked when adding user data, and fields other than 'nickname' and 'email' are blocked when editing.
The following string definition is also valid:
class UserModel extends Model {
    protected $insertFields = 'account,password,nickname,email';
    protected $updateFields = 'nickname,email';
}
II. Method Call
If you do not want to define the insertFields and updateFields attributes, or you want to set the fields dynamically, you can call the field method directly before calling the create method. The following achieves the same effect as the preceding example:
When adding user data, use:
$User = M('User');
// Only these fields are accepted from the submitted form
$User->field('account,password,nickname,email')->create();
$User->add();
When updating user data, use:
$User = M('User');
// Only these fields are accepted from the submitted form
$User->field('nickname,email')->create();
$User->where($map)->save();
The fields here are also the actual data table fields. The field method also accepts an array.
Once the field validity check is in use, you no longer need to worry about invalid field data being injected when the form is submitted. The second method is more flexible. Select as needed!
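The allow-list filtering that both methods describe, shown as an added example that is not ThinkPHP's own code or part of the original article. The function name filterFields, the constants, and the submitted values are hypothetical and constructed for illustration; the insert or update case is passed explicitly here rather than detected.

```php
<?php
// Simplified stand-in for the field allow-list described above.
// Not ThinkPHP source; every name in this file is hypothetical.

const INSERT_FIELDS = 'account,password,nickname,email'; // string form
const UPDATE_FIELDS = ['nickname', 'email'];             // array form

/**
 * Keep only the keys of $data that are named in $allowed.
 * $allowed may be a comma-separated string or an array.
 */
function filterFields(array $data, $allowed): array
{
    if (is_string($allowed)) {
        $allowed = explode(',', $allowed);
    }
    // Trim so 'nickname, email' and 'nickname,email' behave the same.
    $allowed = array_map('trim', $allowed);
    // Anything not on the list is dropped, never renamed or coerced.
    return array_intersect_key($data, array_flip($allowed));
}

// Constructed form submission. The last two keys are not part of the
// form and stand for columns a client must never set directly.
$post = [
    'account'  => 'alice',
    'password' => 'constructed-sample',
    'nickname' => 'Al',
    'email'    => 'alice@example.com',
    'is_admin' => '1',
    'balance'  => '999999',
];

$insert = filterFields($post, INSERT_FIELDS);
$update = filterFields($post, UPDATE_FIELDS);

echo 'Insert keeps: ' . implode(', ', array_keys($insert)) . PHP_EOL;
echo 'Update keeps: ' . implode(', ', array_keys($update)) . PHP_EOL;

// Discarded keys are worth logging: a request that carries fields the
// form never renders is a useful signal of tampering.
$dropped = array_diff_key($post, $insert);
echo 'Dropped on insert: ' . implode(', ', array_keys($dropped)) . PHP_EOL;
```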