Question

The built-in PHP extension for SOAP doesn't validate everything in the incoming SOAP request against the XML Schema in the WSDL. It does check for the existence of basic entities, but when you have something complicated like simpleType restrictions the extension pretty much ignores their existence.

What is the best way to validate the SOAP request against XML Schema contained in the WSDL?

Solution

Been digging around on this matter for a few hours. Neither the native PHP SoapServer nor the NuSOAP library does any validation. PHP SoapServer simply makes a type cast. For example, if you define

<xsd:element name="SomeParameter" type="xsd:boolean" />

and submit

<get:SomeParameter>dfgdfg</get:SomeParameter>

you'll get the PHP type boolean (true).

NuSOAP simply casts everything to string, although it recognizes simple types.

From the NuSOAP debug log:

nusoap_xmlschema: processing typed element SomeParameter of type http://www.w3.org/2001/XMLSchema:boolean

So the best way is joelhardi's solution: validate it yourself, or use an XML parser like Xerces.

OTHER TIPS

Besides the native PHP5 SOAP libs, I can also tell you that neither the PEAR nor Zend SOAP libs will do schema validation of messages at present. (I don't know of any PHP SOAP implementation that does, unfortunately.)

What I would do is load the XML message into a DOMDocument object and use DOMDocument's methods to validate against the schema.

Typically one doesn't validate against the WSDL. If the WSDL is designed properly there should be an underlying xml schema (XSD) to validate the body of the request against. Your XML parser should be able to do this.

The rest is up to how you implement the web service and which SOAP engine you are using. I am not directly familiar with the PHP engine. For WSDL/interface level "validation" I usually do something like this:

  1. Does the body of the request match a known request type and is it valid (by XSD)?
  2. Does the message make sense in this context and can I map it to an operation/handler?
  3. If so, start processing it
  4. Otherwise: error
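
An added example, not code from any of the answers: one way to do the DOMDocument validation suggested above, which is also step 1 of this list. It assumes PHP 8 with ext-dom, a SOAP 1.1 envelope, and an XSD already extracted from the WSDL's types section; the function name `validateSoapBody`, the `urn:example:get` namespace and both sample documents are constructed for illustration.

```php
<?php
const SOAP_ENV_NS = 'http://schemas.xmlsoap.org/soap/envelope/'; // SOAP 1.1

/** Returns a list of error strings; an empty list means the body is schema-valid. */
function validateSoapBody(string $soapXml, string $xsd): array
{
    $previous = libxml_use_internal_errors(true); // collect errors instead of warnings
    try {
        $envelope = new DOMDocument();
        // LIBXML_NONET keeps the parser from fetching anything over the network.
        if ($soapXml === '' || !$envelope->loadXML($soapXml, LIBXML_NONET)) {
            return ['request is not well-formed XML'];
        }
        if ($envelope->doctype !== null) { // SOAP messages must not carry a DTD
            return ['DOCTYPE declarations are not accepted'];
        }
        $body = $envelope->getElementsByTagNameNS(SOAP_ENV_NS, 'Body')->item(0);
        $payload = $body?->firstElementChild;
        if ($payload === null) {
            return ['no payload element inside soap:Body'];
        }
        // Copy the payload into its own document so the XSD sees it as the root.
        $doc = new DOMDocument();
        $doc->appendChild($doc->importNode($payload, true));
        if ($doc->schemaValidateSource($xsd)) {
            return [];
        }
        return array_map(fn (LibXMLError $e) => trim($e->message), libxml_get_errors());
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample: the boolean element from the answer above, in an assumed namespace.
$xsd = <<<'XSD'
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            targetNamespace="urn:example:get" elementFormDefault="qualified">
  <xsd:element name="SomeParameter" type="xsd:boolean" />
</xsd:schema>
XSD;
$request = <<<'XML'
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <get:SomeParameter xmlns:get="urn:example:get">dfgdfg</get:SomeParameter>
  </soap:Body>
</soap:Envelope>
XML;
foreach (validateSoapBody($request, $xsd) as $error) { echo $error, PHP_EOL; }
```

Run the check on the raw request before handing it to the SOAP engine, and answer with a SOAP fault when the returned list is not empty.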

I was not able to find any simple way to perform the validation and in the end had validation code in the business logic.

Some time ago I created a proof-of-concept web service with PHP using NuSOAP. I don't know if it validates the input, but I would assume it does.

Licensed under: CC-BY-SA with attribution