My check() method is not working


#1

I use the check() method to filter the character inputs in my form fields, to check if only a string is entered in the name text field.
I already included the check package using meteor add check in the command prompt, and also added import { check } from 'meteor/check'; to my Meteor method file, but still it's not working. The client can still input any character into the text field and it is received by the database.

Here is the code:

body.js

import { Template } from 'meteor/templating';
import { Meteor } from 'meteor/meteor';

Template.addPlayerForm.events({
  'submit form': function(event){
    event.preventDefault();
    // Form field values always arrive as strings, including setScore
    var playerNameVar = event.target.playerName.value;
    var playerScore = event.target.setScore.value;
    if(playerNameVar!=""){
      Meteor.call('createPlayer', playerNameVar, playerScore);
      event.target.playerName.value = "";
      event.target.setScore.value = "";
    }
  }
});

players.js

import { Meteor } from 'meteor/meteor';
import {Monggo} from 'meteor/mongo';
import { check } from 'meteor/check';
export const PlayersList = new Mongo.Collection('players');

Meteor.methods({
  'createPlayer': function(playerNameVar,playerScore){
    // Rejects the call unless playerNameVar is a String
    check(playerNameVar, String);
    var currentUserId = Meteor.userId();
    if(currentUserId){
      PlayersList.insert({
        name: playerNameVar,
        score: playerScore ? playerScore : 0,
        createdBy: currentUserId
      });
    }
  }
});

Thanks in advance


#2

HTML input data is always treated as a string. Even if you enter 1234, that’s actually stored as '1234'.

BTW, you have a typo here: import {Monggo} from 'meteor/mongo'; - but that’s nothing to do with your issue.


#3

I see, sir! Thank you for finding the problem and the typo. What is the best solution here? What I have in mind is to use the Number() method for checking the numbers… but for strings, I have no idea.


#4

You should consider check as a tool to close an attack vector, rather than as a tool to validate input data (although it can be used for that). So, first use check to validate that the player name is a string (if it’s not a string, it may mean someone is trying to attack your server code).

If it is a string, then validate the content accordingly. For example, if it’s from a numeric field on the form, then first ensure only numeric characters are present, then use parseInt or the + hack to convert the string to number. Then ensure the number is in the expected range.
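The layered approach described above, written out as an added example (not code from the thread): a type check that closes the attack vector, then content validation, conversion and a range check for the score field. It runs as plain JavaScript outside Meteor; inside a Meteor method you would replace typeCheck() with check(value, String) from 'meteor/check'. The name allow-list, the 40-character name limit and the 0..1000 score range are assumptions, not values from the thread.

```javascript
// Added example: layered validation for the createPlayer method arguments.
// Constants below are assumed limits, not values from the forum thread.
const MAX_NAME_LENGTH = 40;
const MAX_SCORE = 1000;

// Layer 1: the "attack vector" check. Form fields always arrive as strings, so any
// other type means the caller bypassed the form and called the method directly.
// In Meteor this is what check(value, String) does.
function typeCheck(value, fieldName) {
  if (typeof value !== 'string') {
    throw new TypeError(`${fieldName}: expected a String, got ${typeof value}`);
  }
}

// Layer 2 for the name field: trim, bound the length, then allow-list characters
// (letters, spaces, hyphens, apostrophes) so markup or control characters are rejected.
function validatePlayerName(name) {
  typeCheck(name, 'playerName');
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_NAME_LENGTH) {
    throw new RangeError(`playerName: must be 1..${MAX_NAME_LENGTH} characters`);
  }
  if (!/^[A-Za-z][A-Za-z' -]*$/.test(trimmed)) {
    throw new RangeError('playerName: letters, spaces, hyphens and apostrophes only');
  }
  return trimmed;
}

// Layer 2 for the score field: ensure only digits are present, convert with
// parseInt, then range-check. Returns a Number so Mongo stores 1234, not '1234'.
function validatePlayerScore(scoreStr) {
  typeCheck(scoreStr, 'setScore');
  if (scoreStr === '') return 0; // empty field falls back to the default score
  if (!/^\d+$/.test(scoreStr)) {
    throw new RangeError('setScore: digits only');
  }
  const score = parseInt(scoreStr, 10);
  if (score > MAX_SCORE) {
    throw new RangeError(`setScore: must be 0..${MAX_SCORE}`);
  }
  return score;
}

// The document the method would insert once both arguments have passed validation.
function buildPlayerDoc(name, scoreStr, userId) {
  return {
    name: validatePlayerName(name),
    score: validatePlayerScore(scoreStr),
    createdBy: userId,
  };
}
```

Any thrown error would be converted to a Meteor.Error in the real method so the client gets a clean rejection instead of a server stack trace.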


#5

Thank you very much for the enlightenment! I will apply that to my work. I'll comment again after I resolve the issue.