
Validation layer in PHP and DB interaction

In the input of my application I have the following data: airplane_id, airport_id and passenger(s) details.

I need to make sure that the selected airplane_id could reach airport_id. It might be done only with the help of a SQL query, but this checking is still a validation process, isn't it?

Validation should happen before I save the passenger(s) details.

In my application model, it is the ActiveRecord pattern object which represents a table. I would rather make the Validator a separate layer than build it into the Model layer. But in this case I have an extra issue: usually Validators are general (their rules might be applied to any set of data). For instance, is this data an email? Or an IP? Or a date? etc... but never mind what the data is. In my case, the mentioned rule won't be common at all; it will definitely be a specific rule, which can't be used by any other input data. So my question is: Is this checking still part of the validation process? And if yes, will the Validator violate the S principle from the set of SOLID?

It is validation and you should use a separate validation layer (single responsibility for input validation). Input validation isn't just data type checking, it can be much more complex. Model validation might still be needed though.

Think of input validation as whitelist validation (“accept known good”) and model validation as blacklist validation (“reject known bad”). Whitelist validation is more secure while blacklist validation prevents your model layer from being overly constrained to very specific use cases.

Invalid model data should always cause an exception to be thrown (otherwise the application can continue running without noticing the mistake) while invalid input values coming from external sources are not unexpected, but rather common (unless you got users that never make mistakes).

See also: https://lastzero.net/2015/11/form-validation-vs-model-validation/

Yes, these checks are validation.

Speaking from experience with an MVC pattern framework (Yii/2), I would say that you could make an abstract validator class and from there extend it into your concrete validators and call those validators from the model class. This will need a Model->validate() call, but having separate classes that actually check the data will not violate the S in SOLID, while Model->validate() will just loop through the validators' validate methods and store the error messages in an array.
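
The layout discussed in the answers above, as an added example that is not part of the original question or answers: an abstract validator, one concrete validator for the airplane/airport rule backed by a parameterized query, and a loop that collects error messages. The class names, the validateInput() helper, and the routes table with its columns are assumptions made for illustration; the sample rows are constructed.

```php
<?php
// Hypothetical base class: each concrete validator checks exactly one rule.
abstract class Validator
{
    /** Returns an error message, or null when the input passes. */
    abstract public function validate(array $input): ?string;
}

// The question's rule: the selected airplane must be able to reach the airport.
// Table and column names (routes, airplane_id, airport_id) are assumptions.
final class AirplaneReachesAirportValidator extends Validator
{
    public function __construct(private PDO $db) {}

    public function validate(array $input): ?string
    {
        // Type check first, so only integers are ever bound to the query.
        $plane = filter_var($input['airplane_id'] ?? null, FILTER_VALIDATE_INT);
        $airport = filter_var($input['airport_id'] ?? null, FILTER_VALIDATE_INT);
        if ($plane === false || $airport === false) {
            return 'airplane_id and airport_id must be integers';
        }
        // Prepared statement: user input never becomes part of the SQL text.
        $sql = 'SELECT 1 FROM routes WHERE airplane_id = ? AND airport_id = ?';
        $stmt = $this->db->prepare($sql);
        $stmt->execute([$plane, $airport]);
        return $stmt->fetchColumn() === false ? 'airplane cannot reach this airport' : null;
    }
}

// Plays the role of Model->validate(): loop over validators, collect errors.
function validateInput(array $validators, array $input): array
{
    $errors = [];
    foreach ($validators as $validator) {
        if (($message = $validator->validate($input)) !== null) {
            $errors[] = $message;
        }
    }
    return $errors;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE routes (airplane_id INTEGER, airport_id INTEGER)');
$db->exec('INSERT INTO routes VALUES (1, 10)');
$rules = [new AirplaneReachesAirportValidator($db)];
var_dump(validateInput($rules, ['airplane_id' => '1', 'airport_id' => '10']));
var_dump(validateInput($rules, ['airplane_id' => '1', 'airport_id' => '99']));
var_dump(validateInput($rules, ['airplane_id' => '1 OR 1=1', 'airport_id' => '10']));
```

Passenger details would be saved only when the returned array is empty; the third call shows a non-integer value being rejected before any query runs.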
