Do we need to validate checkboxes?

June 6, 2007

checkbox_abs.pngIt’s common knowledge to never trust any user input and to validate everything. But is this also true for checkboxes? Shouldn’t Propel handle this properly?

Well, it depends on whether you want to have just zeros and ones in your database field or don’t care – because Propel will write every numeric value in the database and not just zeros and ones.


To check this, i used a small example to test if Propel really does save every value of the checkbox in the database:
I created a test module which had a template with a really simple form and just a checkbox:


<?php echo form_tag('boolean/index') ?>
  <?php echo checkbox_tag('value'); ?>
  <?php echo submit_tag('submit'); ?>

To save the value in the database (Note: The field was specified as a “boolean” in the schema.yml) , a simple action was required:

$checkbox = new Valuetest();

With this, the application saved the value of the checkbox (ideally zero or one) in the “boolean” database field (which Propel translates to unsigned integer(11)).

This is where the real test began. What would’ve happend if the user transformed the checkbox field into a input field? (check out the Webdeveloper firefox extension, it’s really useful for this kind of tests)

Since the database field was of the integer type it wouldn’t save values like “abc” and instead just saved a zero.
But it turned out that Propel would’ve saved every other numeric value that will fit in the unsigned integer(11) field (This is a range from -2147483648 to 2147483647).

Here are a few examples which i entered in the datasbase and what Propel returned on a $foobar->getValue():

The value 0 returned false
The value -9123 returned true
The value 1 returned true
The value 9123 returned true


Your application will not be in danger if you don’t validate a checkbox field, since Propel will only return true or false for a field that is specified as boolean in the schema.yml.
But your database can be messy and have all kind of numeric values saved in it.

If you’re like me and just want to have zeroes or ones in your boolean database field, the best thing is to validate the checkbox field using a simple custom validator like this simple sfCheckboxValidator i wrote.

Please state your opinion on this topic in the comments, thanks!


4 Responses to “Do we need to validate checkboxes?”

  1. Alexander Says:


    how to use the sfCheckboxValidator in a *.yml-file?

    Thanks for info (via email also please)


  2. Hello Arthur,

    thanks for your validator, I really appreciate it. I did a little change to handle multiple checkboxes:

    public function execute (&$value, &$error)
    foreach($value as $checkboxValue){
    if ($checkboxValue != ‘0’ && $checkboxValue != ‘1’){
    $error = $this->getParameterHolder()->get(‘checkbox_error’);
    return false;
    } else if ($value != ‘0’ && $value != ‘1’){
    $error = $this->getParameterHolder()->get(‘checkbox_error’);
    return false;

    return true;

    Have a nice day!


  3. […] and Radiobuttons in Symfony Posted in Symfony by Arthur on April 2nd, 2008 Months ago I wrote about the validation of checkboxes in Symfony and how it could fill your database with wrong […]

  4. Kiran Says:

    how to write validation for select statement in symfony

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: