SoFunction
Updated on 2025-04-04

Detailed explanation of the field legality detection feature new in ThinkPHP 3.1

ThinkPHP 3.1 adds field legality detection for form submissions: a whitelist of the fields a form is allowed to set, so that extra fields a user injects into a submission (mass assignment) are discarded before the data reaches the database. It is one of the security features introduced in 3.1.

Field legality detection only takes effect when the data object is built with the create method. There are two ways to configure it:

1. Attribute definition

The model's insertFields and updateFields properties define the fields that the add form and the edit form, respectively, are allowed to submit. When create is used to build the data object, any submitted field outside the applicable list is discarded outright, so illegal data injected into the form never reaches the data object.

Both properties accept either a string (multiple fields separated by commas) or an array, for example:

class UserModel extends Model{
    // Fields a form may set when adding a record
    protected $insertFields = array('account','password','nickname','email');
    // Fields a form may set when editing a record
    protected $updateFields = array('nickname','email');
}

The names listed must be the actual data table fields, not mapped form field names: field mapping is resolved before the check runs, so it does not affect these lists.

When create is called, it selects between insertFields and updateFields according to the submission type. The type can be passed as the second argument (Model::MODEL_INSERT or Model::MODEL_UPDATE); if it is omitted, create treats the submission as an update when the submitted data contains the primary key and as an insert otherwise:

D('User')->create();

With the definition above, an add submission keeps only 'account','password','nickname','email' and an edit submission keeps only 'nickname','email'; every other submitted field is dropped. Because the client controls whether the primary key appears in the submission, pass the type explicitly in an action that only ever inserts or only ever updates, rather than letting create infer it from the submitted data.

Defining the lists as strings is equally effective:

class UserModel extends Model{
    // Same whitelists as above, as comma-separated strings
    protected $insertFields = 'account,password,nickname,email';
    protected $updateFields = 'nickname,email';
}

2. Method call

If you prefer not to define the insertFields and updateFields properties, or need to set the list dynamically, call the field method immediately before create. A list set this way applies only to that one create call and takes precedence over the properties. To get the same effect as the example above:

When adding user data, use:

$User = M('User');
// Whitelist applies only to this create() call; create() reads $_POST by default
// and returns false when validation fails
if (!$User->field('account,password,nickname,email')->create()) {
    exit($User->getError());
}
$User->add();

When updating user data, use:

$User = M('User');
// Update condition; taking the id from the URL is an illustrative choice
$map['id'] = intval($_GET['id']);
if (!$User->field('nickname,email')->create()) {
    exit($User->getError());
}
$User->where($map)->save();

Here too the names are the actual data table fields, and field accepts an array as well as a comma-separated string.
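The following is an added standalone example, not code from the original article or from ThinkPHP. It mirrors what insertFields/updateFields and field()->create() do to a submission, so the effect of both methods can be seen without the framework: a constructed form post carries two injected fields, and the same whitelist filter is applied once for an insert and once for an update. The field names, the submitted data, and the helper names normalizeFields, fieldsFor and whitelistFields are assumptions made for illustration.

```php
<?php
// Added standalone example, not ThinkPHP's own code. It mirrors the effect of
// insertFields/updateFields and field()->create(): submitted fields outside the
// whitelist for the operation are dropped before the data is used. All names
// and data below are constructed for illustration.

// The two whitelists, written in the two notations the model properties accept.
$insertFields = 'account,password,nickname,email'; // string form
$updateFields = array('nickname', 'email');        // array form

// Turn a comma-separated string or an array into a clean list of field names.
function normalizeFields($fields) {
    if (is_string($fields)) {
        $fields = explode(',', $fields);
    }
    $fields = array_map('trim', (array) $fields);
    return array_values(array_filter($fields, 'strlen'));
}

// Pick the whitelist for an explicitly named operation. Naming it in code,
// rather than inferring insert/update from whether the client sent a primary
// key, keeps that choice out of the client's hands.
function fieldsFor($operation, $insertFields, $updateFields) {
    switch ($operation) {
        case 'insert':
            return $insertFields;
        case 'update':
            return $updateFields;
        default:
            throw new InvalidArgumentException("unknown operation: $operation");
    }
}

// Keep only the whitelisted keys of $data. Returns the filtered row and the
// names that were discarded, so they can be logged as possible tampering.
function whitelistFields(array $data, $allowed) {
    $allowed = array_flip(normalizeFields($allowed));
    $kept    = array_intersect_key($data, $allowed);
    $dropped = array_keys(array_diff_key($data, $allowed));
    return array($kept, $dropped);
}

// Constructed submission: the legitimate form fields plus two the user added
// by hand, hoping they are written to the table along with the rest.
$submitted = array(
    'account'  => 'alice',
    'password' => 'hunter2',
    'nickname' => 'Alice',
    'email'    => 'alice@example.com',
    'is_admin' => '1',   // injected: not on the form
    'group_id' => '0',   // injected: not on the form
);

foreach (array('insert', 'update') as $operation) {
    $allowed = fieldsFor($operation, $insertFields, $updateFields);
    list($row, $dropped) = whitelistFields($submitted, $allowed);
    echo str_pad($operation, 7) . " keeps: " . implode(',', array_keys($row)) . "\n";
    echo "        drops: " . implode(',', $dropped) . "\n";
}
```

Run it with php from the command line. In the framework the same filtering happens inside create(); the point of the explicit fieldsFor() call is that the operation, and therefore the whitelist, is chosen by the code and not by what the request happens to contain.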

With field legality detection in place, extra fields a user adds to a form submission are discarded before the data object is built, so they cannot be written to columns the form was never meant to set. It does not check the values of the allowed fields, so combine it with the model's automatic validation. The second method is the more flexible of the two; choose according to your needs.