I wonder and worry a bit about the following situation:
I have a form with a few input fields, let's say one of them is named test.
Within the handler, I validate this field for being a string:
'test' => 'string',
And we all know the process: If the validator fails, you should abort etc etc.
And now comes the issue: If a hacker changes the name of the input field to an array with the Dev Tools and you submit the handler, the following message appears:
"Array to string conversion" on line 336 of [...]\vendor\twig\twig\src\Template.php
<input id="test" type="text" name="test[]">
Usually, I avoid this with the following code:
$test = trim(((array) Input::get('test'))[0] ?? '');
But somehow I cannot believe this is the best approach. I mean: If I validate for a string, I don't want arrays to be passed, especially since there’s an array validation rule.
Did I misread this validation rule?
I think it would be much safer if this “string” validation rule assured that a string is passed and not an array, and threw a proper validation message if not.
Any tips or plans for a better and safer solution are welcome.
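
The situation described above, as an added example that is not part of the original post: a strict type check that rejects array-valued input instead of coercing it. It is plain PHP with no framework calls; the helper name requireStringFields and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of any framework): accept a field only if it
 * arrived as a plain string, and report a validation error otherwise.
 *
 * @param array    $input  Raw request data, e.g. $_POST
 * @param string[] $fields Names of the fields that must be plain strings
 * @return array [clean values by field name, error messages by field name]
 */
function requireStringFields(array $input, array $fields): array
{
    $clean = [];
    $errors = [];
    foreach ($fields as $name) {
        $value = $input[$name] ?? null;
        if ($value === null) {
            $errors[$name] = 'missing';
        } elseif (!is_string($value)) {
            // name="test[]" or name="test[][]" arrives as an array.
            $errors[$name] = 'must be a string, got ' . gettype($value);
        } else {
            $clean[$name] = trim($value);
        }
    }
    return [$clean, $errors];
}

// Constructed sample inputs. PHP turns test[]=hello into ['test' => ['hello']].
parse_str('test=  hello ', $normal);
parse_str('test[]=hello', $tampered);
// With a nested name, ((array) $value)[0] is itself an array, so casting and
// taking element 0 would still hand an array to trim().
parse_str('test[][]=hello', $nested);

foreach ([$normal, $tampered, $nested] as $input) {
    [$clean, $errors] = requireStringFields($input, ['test']);
    if ($errors) {
        // Abort here; never pass the raw value on to the template.
        echo 'rejected: ', json_encode($errors), PHP_EOL;
    } else {
        echo 'accepted: ', json_encode($clean), PHP_EOL;
    }
}
```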