Request validation with an ::exists() rule passes validation with wrong value #54183

Closed
liviublidar opened this issue Jan 14, 2025 · 4 comments

liviublidar commented Jan 14, 2025

Laravel Version

11.23

PHP Version

8.2.26

Database Driver & Version

MySQL 8.0.31 on MacOS arm

Description

Request validation with an ::exists() rule passes validation with a value that does not exist in the table.
Let's assume the table users has a foreign_id field. It is possible to have the below validation rules and send a request containing '123aabbcc' in the foreign_id value, and the validation will pass as long as foreign_table has a row with an id of 123.


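    use Illuminate\Foundation\Http\FormRequest;
    use Illuminate\Validation\Rule;

    class UpdateUserRequest extends FormRequest
    {
        public function rules(): array
        {
            return [
                'foreign_id' => [
                    'required',
                    // Existence check against the id column of ForeignTable's table
                    Rule::exists(ForeignTable::class, 'id'),
                ],
            ];
        }
    }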

Steps To Reproduce

  1. Create a validation rule containing ::exists().
  2. Insert just one row in the table that gets checked in the ::exists(), with an id of 1.
  3. Make a Postman request where the ::exists() checks for a value of '1aabbcc'.

@shaedrich
Contributor

Is the input value parsed as int somewhere? Because numeric strings with leading digits ignore the following alphabetic characters: https://www.php.net/manual/en/language.types.numeric-strings.php#language.types.numeric-string.conversion

@crynobone
Member

Hey there, thanks for reporting this issue.

We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here?

Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.

laravel new bug-report --github="--public"

Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue.

Thanks!


adwiv commented Jan 20, 2025

This is not a Laravel issue, but a database issue.

Try running Select * from foreign_table where id='1aabbcc'

You will find that it returns a row with id=1, and a warning is generated: #1292 Truncated incorrect DECIMAL value.

Similarly, running SELECT 1 = '1aabbcc' will return 1 instead of 0 with a similar warning.

The issue is automatic type conversion during comparison by the server (MySQL documentation). Here are two relevant snippets from the documentation:

In all other cases, the arguments are compared as floating-point (double-precision) numbers. For example, a comparison of string and numeric operands takes place as a comparison of floating-point numbers.

... there are many different strings that may convert to the value 1, such as '1', ' 1', or '1a'.

@crynobone
Member

Thanks @adwiv
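
A hardened form of the request class from the report, as an added example that is not part of the thread and not Laravel's own code: it checks the type in PHP before the exists lookup, so MySQL never gets to coerce a string such as '1aabbcc'. The App\Models namespace for ForeignTable and the foreignId() helper are assumptions made for illustration.

```php
<?php

namespace App\Http\Requests;

use App\Models\ForeignTable; // assumed model location; the issue only names the class
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class UpdateUserRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'foreign_id' => [
                // Stop at the first failing rule so a rejected value never reaches the database.
                'bail',
                'required',
                // Checked in PHP with FILTER_VALIDATE_INT: '1aabbcc', '1.0' and '1e0' fail here,
                // before MySQL can compare the string to the numeric id column as a number.
                'integer',
                // The lookup only runs for values that already passed the integer check.
                Rule::exists(ForeignTable::class, 'id'),
            ],
        ];
    }

    /**
     * Hypothetical helper (not a framework method): hands the id to the rest of
     * the application as an int, so later queries bind a number and not the raw string.
     */
    public function foreignId(): int
    {
        return (int) $this->validated('foreign_id');
    }
}
```

Without 'bail' the request would still be rejected by 'integer', but the exists query would run anyway.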
