1

I have examined Zend Framework: Zend_Validate_Db_RecordExists and Zend_Validate_Db_NoRecordExists, and observed that you can check columns in a database table to see if the value in your form appears in a named column.

I have also observed that you can exclude a row based on the value of another column in the same row.

Is it possible to validate that a password matches a username using these validators?

So far, in my form, if a user inputs a correct username and a correct password (but not necessarily the password for this username!) the form validates the input. Obviously for a login form or a username/token activation form, the token or password must match the username in the same row!

Thanks.

```php
// Username field: Db_RecordExists only checks that the value appears
// somewhere in member_activation.member_username.
$this->addElement('text', 'handle', array(
    'label' => 'Username:',
    'required' => true,
    'filters' => array('StringTrim'),
    'validators' => array(
        array(
            'NotEmpty', true, array('messages' => 'You must enter your username.')
        ),
        array(
            'Db_RecordExists',
            false,
            array(
                'member_activation',
                'member_username'
            )
        )
    )
));

// Code field: checked independently against
// member_activation.member_validationcode, so a code from any row passes
// regardless of the username entered.
$this->addElement('text', 'validationCode', array(
    'label' => 'Code:',
    'required' => true,
    'filters' => array('StringTrim'),
    'validators' => array(
        array(
            'NotEmpty', true, array('messages' => 'You must enter your validation code.')
        ),
        array(
            'Db_RecordExists',
            false,
            array(
                'member_activation',
                'member_validationcode'
            )
        )
    )
));
```
8bitjunkie
  • Is it a login form? If so, why not use Zend_Auth and Zend_Auth_Adapter_DbTable, which were designed for this purpose. – Tim Fountain Oct 21 '11 at 20:09
  • 1
    Hi Tim. What I'm going for is actually a form to validate a token against a username to activate an account. I create the token when the user creates an account and email it to them. They return to this form to enter their username and activation code in order to enable their account. Rather than have no validation on the token field, fire the form over to the Controller and fail the validation with a decorator message prefixed to the form, I was trying to use a validator on the token field so I could give an error message pertinent to the field. Thanks – 8bitjunkie Oct 21 '11 at 20:13
  • 1
    It may be more efficient just to fetch the user record and then manually validate the token and if it doesn't match, add an error to the form. Using Db_RecordExists might get inefficient unless you index the token column which doesn't seem necessary, otherwise you could probably make a custom validator for it. – drew010 Oct 21 '11 at 20:47
  • 1
    @Tim: I've just had a look at Zend_Auth and Zend_Auth_Adapter_DBTable. I don't think these are appropriate for validating an activation code against a username as the code would be stored in the Zend_Auth session object as the Credential rather than the Password. I think I'm thinking along the right lines in pursuing a validator with a where clause so I can test for the presence of two form fields in a single row in a database - although I re-iterate the reason I'm going down this road is because I want to be able to set the error message on the token field when the form reloads. – 8bitjunkie Oct 21 '11 at 20:48
  • @drew I think this may be the necessary approach. Are you aware if it is possible to fail the form validation and return the message to be displayed on the token field's decorator? I originally set out looking for a form validator as I didn't want to have to set a form-level error message if I could help it. – 8bitjunkie Oct 21 '11 at 20:53
  • 1
    Yes, you can add the error directly to the element, [here](http://framework.zend.com/manual/en/zend.form.elements.html#zend.form.elements.validators.errors) are the methods you can use. Example would be: `$form->getElement('token')->addError('The token provided is invalid.');` – drew010 Oct 21 '11 at 21:12
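
The approach discussed in the comments above (fetch the row for the username, compare the code, attach the error to the token element), as an added example that is not part of the original thread. The controller and form class names are hypothetical, a default Zend_Db adapter is assumed to be registered, `hash_equals()` requires PHP 5.6 or later, and deleting the used row is an assumed design choice; table and column names are taken from the question.

```php
<?php
// Added example (not from the thread). Hypothetical names:
// ActivationController, Application_Form_Activation.
class ActivationController extends Zend_Controller_Action
{
    public function activateAction()
    {
        // Assumed form: 'handle' and 'validationCode' elements with only
        // StringTrim/NotEmpty, i.e. no Db_RecordExists on either field.
        $form = new Application_Form_Activation();
        $this->view->form = $form;

        $request = $this->getRequest();
        if (!$request->isPost() || !$form->isValid($request->getPost())) {
            return; // format-level errors are rendered per element
        }

        $handle = (string) $form->getValue('handle');
        $given  = (string) $form->getValue('validationCode');

        // Select exactly one row by username (bound parameter), so the code
        // is only ever compared against the code stored for that username.
        $db  = Zend_Db_Table::getDefaultAdapter();
        $row = $db->fetchRow(
            'SELECT member_validationcode FROM member_activation'
            . ' WHERE member_username = ?',
            array($handle)
        );
        $stored = is_array($row) ? (string) $row['member_validationcode'] : '';

        // Same message for "unknown username" and "wrong code", so the form
        // does not reveal which usernames exist. hash_equals() compares the
        // two strings in constant time.
        if ($stored === '' || !hash_equals($stored, $given)) {
            $form->getElement('validationCode')
                 ->addError('The username and code do not match.');
            return;
        }

        // Enable the account here (that schema is not shown on the page),
        // then remove the used row so the code cannot be replayed
        // (assumed design).
        $db->delete('member_activation', array('member_username = ?' => $handle));
        $this->_helper->redirector('index', 'index');
    }
}
```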

2 Answers

2

Could you shoehorn authentication into Zend_Validate? Absolutely?

Should you? Hell no.

If you do, you're commingling concerns. The Zend_Validate_Db_RecordExists stuff is actually kind of border-line, but it's convenient.

But once you go down the road you're considering, almost everything becomes validation, when it really isn't. You could find yourself shoehorning all sorts of things, like ACL checks, etc.

Validation should be concerned, almost always, with the format of things. Adding dependencies on data-persistence, an ACL system, or anything else, is just going to increase cohesion. That will make it harder to test, debug, or change your code.

Use Zend_Validate for validation stuff. Make sure strings aren't too long. Make sure these ints are >= 0. Make sure that a US phone number has ten digits.

But if you need to do deeper checks, that dig into your persistence layer, and are all about your business logic, you're better off doing that somewhere far away from simple form validation.

timdev
0

If you stick validation in your Zend_Form you are making it dependent on your underlying Framework which (from a Domain Driven Design point of view) is not a good thing since you are coupling part of your domain logic to an external resource of your application.

PeeHaa
jere