
I'm building a DDD app in C# and I have some doubts about where I should sanitize user input.

I already learned that business rules should be validated in the domain layer and that IDs should be generated at the repository layer.

Should I put this user input sanitizer on the application layer?

(The app is an ASP.NET MVC application with a DDD architecture model.)

imnotaduck
http://stackoverflow.com/questions/5818898/where-to-put-global-rules-validation-in-ddd?rq=1 ? – Leszek P Feb 16 '17 at 17:29

I saw that link before but, to tell you the truth, isn't the domain layer just for business rules? Should sanitizing the user input be considered a business rule? Thank you. – imnotaduck Feb 16 '17 at 17:35

1 Answer


http://verraes.net/2015/02/form-command-model-validation/

A Command is a message that represents the intention of the user. Command validation happens after the form is submitted and before the Command is passed to the model. The question to answer here is “Does this look like a valid Foo Command?” It guarantees that the “birthday” field contains an actual date, or that “zipcode” looks like a zipcode. It doesn’t guarantee set constraints, like username uniqueness. In other words, you validate the message, not whether you should execute the message.

The Command object should use Value Objects. They guarantee their own consistency, so the Command delegates validation to them. Note that we’re not trying to inform the user of validation errors. We simply throw exceptions. The assumption here is that either the form prevents malformed values, or the user is trying to bypass form validation. We don’t return friendly error messages to attackers.

A typical flow might be that you get user input (which is just data), and then use a factory or a builder to create the value objects that the model will recognize.

VoiceOfUnreason
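As an added example of the flow the answer describes (my own illustration, not code from the answer, the linked article or the asker's project): value objects that guarantee their own consistency, a Command built only from them, and an application-layer factory that turns raw form strings into that Command and throws on anything malformed. The names ZipCode, Birthday, RegisterUserCommand and RegisterUserCommandFactory are assumed, and the code targets .NET 6 or later for DateOnly.

```csharp
using System;
using System.Text.RegularExpressions;

// Value object: guarantees its own consistency; construction fails on malformed input.
public sealed record ZipCode
{
    private static readonly Regex Pattern = new(@"^\d{5}(-\d{4})?$");
    public string Value { get; }
    public ZipCode(string? value) =>
        Value = value is not null && Pattern.IsMatch(value)
            ? value : throw new ArgumentException("Does not look like a zip code.", nameof(value));
}

// Value object: an actual date that is not in the future.
public sealed record Birthday
{
    public DateOnly Value { get; }
    public Birthday(DateOnly value) =>
        Value = value <= DateOnly.FromDateTime(DateTime.UtcNow)
            ? value : throw new ArgumentException("Birthday cannot be in the future.", nameof(value));
}

// Command: the user's intention, carried only in already-valid value objects.
// Set constraints such as username uniqueness are not checked here; the model does that.
public sealed record RegisterUserCommand(string Username, Birthday Birthday, ZipCode ZipCode);

// Application-layer factory: raw form strings in, a valid command out, or an exception.
public static class RegisterUserCommandFactory
{
    public static RegisterUserCommand FromForm(string? username, string? birthday, string? zipcode)
    {
        if (string.IsNullOrWhiteSpace(username))
            throw new ArgumentException("Username is required.", nameof(username));
        if (!DateOnly.TryParseExact(birthday, "yyyy-MM-dd", out var date))
            throw new ArgumentException("Birthday is not a date.", nameof(birthday));
        return new RegisterUserCommand(username.Trim(), new Birthday(date), new ZipCode(zipcode));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample posts: one well-formed, one that bypassed client-side validation.
        var ok = RegisterUserCommandFactory.FromForm("alice", "1990-05-17", "12345-6789");
        Console.WriteLine($"Accepted: {ok.Username}, {ok.Birthday.Value}, {ok.ZipCode.Value}");
        try { RegisterUserCommandFactory.FromForm("mallory", "not-a-date", "12345"); }
        catch (ArgumentException e) { Console.WriteLine($"Rejected: {e.Message}"); }
    }
}
```

The rejected case deliberately produces only an exception, matching the answer's point that malformed messages from someone bypassing the form get no friendly error text.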