
I am building a custom user registration/login/bla bla bla library for CodeIgniter.

I am looking for some hints as to what direction to take for the library.

I.e. obviously, as well as the general library file, you are going to need some other functions that call the library.

Where should validation logic go?

Scenario

We make a request to http://example.com/user/register/joe@mail.com/joesPassword

Now at some stage the register function in the user controller needs to call the register function in the user library.

Do I build the validation (already exists, password required, email valid, password meets minimum criteria etc.) into the controller or the library?

My initial instinct is to build the validation into the controller and leave the library functions to do only one thing. I.e. the register function in the user library would simply sha1() the password and insert the username/password into the database.

Am I going along the right track here, or should the library do all the work and the controller simply act to receive and pass on the request?

Hailwood
  • [this discussion](http://stackoverflow.com/questions/5651175/mvc-question-should-i-put-form-validation-code-in-the-controller-or-model/5651431#5651431) may be helpful a little – Nemoden Apr 14 '11 at 04:53
  • Having a password in the URL looks very odd. (Though of course not every application has needlessly high security requirements.) -- But why do you need a custom authentication thingy? Doesn't CodeIgniter already have a few of them? (And btw, why do so many libraries need to be custom-built for CI - is it really that aversive to ordinary PHP components?) – mario Apr 14 '11 at 04:55
  • @mario, admittedly I would not actually pass the parameters through the url, it is simply an example to show the passed parameters, I would actually be using post :) – Hailwood Apr 14 '11 at 06:28

1 Answer


I assume you're doing this for your own benefit, i.e. for purely self-educational purposes. If not, you are probably reinventing the wheel - I can hardly imagine that CodeIgniter doesn't have a fully fledged registration solution yet. Nonetheless, if you really want to build a library handling user registration, please consider the following:

  • Don't pass registration form parameters as part of the URL. http://example.com/user/register/joe@mail.com/joesPassword is clearly a bad example and a huge security hole. Use "post" method for your form to pass variables to your controller.
  • Use client side validation, preferably with an out-of-the-box JavaScript solution built on jQuery, MooTools, YUI, etc. - whatever is your JS library preference. Using client side validation saves time and frustration for your future users. Check for username availability, password strength, email address validity (via regexp), password matching for the confirm password field. Client side validation belongs to the "view" part of your library.
  • Use a hashed site secret as hidden input in your form.
  • Use an accessible captcha for your form.
  • Make your forms sticky, based on session. If your user fills in the form, navigates away before completing the registration, and comes back to the form, he/she should be presented with the previously filled values.
  • Enable 3rd party registration. Users should be able to register to your site via their 3rd party accounts - enable OpenID and Facebook Connect as a bare minimum on your registration form.
  • Use server side validation, check for all field contents validity, escape all user inputs. Server side validation belongs to either the controller or the model part of your library, I'd prefer to put it into the model.
  • Create configurable workflow. If you're trying to create a flexible library, you'll have to accommodate various needs for the registration workflow. Some of your library users will want to have manual account review before enabling a user on their site. Others will want to auto-enable users once they confirmed their request via email.
  • Do not hardcode what fields are part of the registration form. As a rule of thumb, less is more when it comes to registration, so you'll want to have the bare minimum set of fields when registering users (otherwise they'll just say, "haha you're asking for my mother's maiden name? no thank you"). However, you're building a library, so let your library users decide what fields will be included on the registration form.
  • As an addendum to the previous point, create a flexible API for defining registration form fields, types and validation rules.

I'm sure there are a lot more guidelines, I haven't mentioned custom views for mobile devices and probably a lot more. But the above should give you a start towards the right direction.

And as for this part of your question: "Am I going along the right track here, or should the library do all the work and the controller simply act to receive and pass on the request?" - this is a matter of preference IMO, but I'd use the controller for doing general tasks, i.e. parsing form values and escaping them, and pass those preprocessed values to the model where the actual (semantic) validation takes place.

András Szepesházi
  • Ah these are some excellent points. As my comment above I would never actually send the details through the url, it was simply a case of I didn't want to write any code as I didn't want people focussing on that :) – Hailwood Apr 14 '11 at 06:33
  • Client side validation would be implemented however not relied upon, I am not sure that the client side validation would be part of the library though? – Hailwood Apr 14 '11 at 06:34
  • `Make your forms sticky` would this be a case of storing the form ID and field data in a session, when it comes back to the form check the id and fill it out? – Hailwood Apr 14 '11 at 06:35
  • `Flexible API for fields` Hmm, any hints on doing this? – Hailwood Apr 14 '11 at 06:36
  • Yes, client side validation belongs to the registration library. It is a matter of convenience, not a matter of security, but it's still a must in modern day registration forms. For making your forms sticky, it is exactly what you gathered, store the already filled form values in session variables. One of the main benefits, if the user doesn't pass server side validation for some reason, he/she will not have to start the whole registration all over again. – András Szepesházi Apr 14 '11 at 06:38
  • "Flexible API for fields Hmm, any hints on doing this?" this is rather tricky as if you want to do a really good job, you will automatically generate both client and server side validation rules for certain field types. A good client side validation library is jQuery Validate. A good server side validation library is the FormValidator available at https://github.com/bekos/php-validation You'll have to figure out how to create a unified API that will invoke both the client and the server side rules. – András Szepesházi Apr 14 '11 at 06:42
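The controller/library split the answer recommends, as an added example written for this edit; it is not code from the question, the answer, or CodeIgniter. It is plain PHP with PDO over an in-memory SQLite table so that it runs stand-alone; the class name `User_registration`, the `users` table, the `register_action` function and the sample submissions are all assumptions. The thin controller only collects the POSTed fields and picks a response, while the library owns the server-side validation (valid email, minimum length, confirmation match, email not already taken), the prepared-statement insert and the login check. It hashes with `password_hash()` (bcrypt, salted and deliberately slow) instead of the `sha1()` the question mentions, because a fast unsalted digest is not a password hash.

```php
<?php
// Added example, not part of the original thread. Library + thin controller.

class User_registration
{
    private PDO $db;
    private string $dummyHash;   // used so a login check for an unknown email costs the same time

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            email TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL)');
        $this->dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    /** Server-side validation. Returns a list of error strings; empty means acceptable. */
    public function validate(array $input): array
    {
        $errors   = [];
        $email    = strtolower(trim((string)($input['email'] ?? '')));
        $password = (string)($input['password'] ?? '');
        $confirm  = (string)($input['password_confirm'] ?? '');

        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'A valid email address is required.';
        } elseif ($this->emailExists($email)) {
            $errors[] = 'That email address is already registered.';
        }
        if (strlen($password) < 10) {
            $errors[] = 'Password must be at least 10 characters.';
        }
        if (!hash_equals($password, $confirm)) {
            $errors[] = 'Password and confirmation do not match.';
        }
        return $errors;
    }

    /** Validate, hash and insert. Returns the new user id. */
    public function register(array $input): int
    {
        $errors = $this->validate($input);
        if ($errors) {
            throw new InvalidArgumentException(implode(' ', $errors));
        }
        // Prepared statement: no hand-escaping of user input needed for the SQL.
        $stmt = $this->db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
        $stmt->execute([
            ':email' => strtolower(trim($input['email'])),
            ':hash'  => password_hash($input['password'], PASSWORD_DEFAULT),
        ]);
        return (int)$this->db->lastInsertId();
    }

    /** Login check. Always runs one password_verify so timing does not leak which emails exist. */
    public function verifyLogin(string $email, string $password): bool
    {
        $stmt = $this->db->prepare('SELECT password_hash FROM users WHERE email = :email');
        $stmt->execute([':email' => strtolower(trim($email))]);
        $row  = $stmt->fetch(PDO::FETCH_ASSOC);
        $hash = $row === false ? $this->dummyHash : $row['password_hash'];
        $ok   = password_verify($password, $hash);
        return $row !== false && $ok;
    }

    private function emailExists(string $email): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]);
        return $stmt->fetchColumn() !== false;
    }
}

// The "controller": it never inspects the values itself. The $post array stands in
// for what CodeIgniter's $this->input->post() would hand you.
function register_action(User_registration $lib, array $post): array
{
    $errors = $lib->validate($post);
    if ($errors) {
        return ['status' => 422, 'errors' => $errors];   // re-render the (sticky) form
    }
    return ['status' => 201, 'user_id' => $lib->register($post)];
}

// Constructed sample submissions.
$lib  = new User_registration(new PDO('sqlite::memory:'));
$bad  = ['email' => 'not-an-email', 'password' => 'short', 'password_confirm' => 'short'];
$good = ['email' => 'joe@mail.com', 'password' => 'correct horse battery',
         'password_confirm' => 'correct horse battery'];

print_r(register_action($lib, $bad));
print_r(register_action($lib, $good));
print_r(register_action($lib, $good));   // second attempt: email already registered
var_dump($lib->verifyLogin('joe@mail.com', 'correct horse battery'));
var_dump($lib->verifyLogin('joe@mail.com', 'wrong password'));
```

Note that `register()` re-runs `validate()` rather than trusting the controller, so the library stays safe to call from anywhere (a CLI import, a test, another controller), which is the practical reason to put the rules in the library rather than the controller. Output escaping for the view (HTML-encoding the error strings) is a separate concern and still belongs in the view layer.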