docs: use validateData() instead of validate() in Validation #8331

Merged: 1 commit, Dec 14, 2023

kenjis
Member

@kenjis kenjis commented Dec 14, 2023

Description

  • validate() is not recommended

Checklist:

  • Securely signed commits
  • [] Component(s) with PHPDoc blocks, only if necessary or adds value
  • [] Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@kenjis added the "documentation" label (Pull requests for documentation only) Dec 14, 2023
@lonnieezell
Member

lonnieezell commented Dec 14, 2023

Can you remind me what the differences are between validate() and validateData() here and why we should use the newer one?

Edit: I was able to steal a moment and look at the code. Seems fine, though there's nothing inherently wrong with validate() that I can see either, and it's slightly more usable.

@michalsn
Member

The problem with the validate() method is that we have no control over where the data comes from. This issue is related to getVar(); see: https://codeigniter.com/user_guide/incoming/incomingrequest.html#getting-data

The getVar() method will pull from $_REQUEST, so will return any data from $_GET, $_POST, or $_COOKIE (depending on php.ini request-order).

So the data from the POST can be replaced by the data from the COOKIE. This issue is no longer so bad since the day the getValidated() method was introduced, which will return the exact values that have been validated.

For developers who do not use the getValidated() method to retrieve input data after validation, it may be a security issue that allows the validation to be bypassed.

With validateData(), it is the developer's responsibility to determine where the validation data should come from.
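
The pattern described in the comment above, as an added example that is not part of this thread or of the CodeIgniter code base: a controller that calls validate() and then reads POST separately, next to one that passes an explicit array to validateData() and reads back getValidated(). The `Profile` controller, the `email` field and its rule are hypothetical, and the code assumes a CodeIgniter 4 application whose release provides both methods.

```php
<?php

namespace App\Controllers;

// Hypothetical controller for illustration; the field name and rule are constructed.
class Profile extends BaseController
{
    private const RULES = ['email' => 'required|valid_email'];

    // Risky pattern: validate() takes its input from the request itself
    // (getVar(), i.e. $_REQUEST), while the value used afterwards is read
    // from POST. The validated value and the used value can differ.
    public function updateRisky()
    {
        if (! $this->validate(self::RULES)) {
            return $this->response
                ->setStatusCode(400)
                ->setJSON($this->validator->getErrors());
        }

        // Not necessarily the value that passed validation.
        $email = $this->request->getPost('email');

        return $this->response->setJSON(['saved' => $email]);
    }

    // Hardened pattern: choose the source explicitly, validate exactly that
    // array, and use only what the validator reports as validated.
    public function updateSafe()
    {
        $data = $this->request->getPost(); // POST only, chosen by the developer

        if (! $this->validateData($data, self::RULES)) {
            return $this->response
                ->setStatusCode(400)
                ->setJSON($this->validator->getErrors());
        }

        // Contains only the fields covered by RULES, with the validated values.
        $clean = $this->validator->getValidated();

        return $this->response->setJSON(['saved' => $clean['email']]);
    }
}
```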

@lonnieezell
Member

Ah, that makes more sense to me now. Thanks!

@kenjis kenjis merged commit ad0fb2c into codeigniter4:develop Dec 14, 2023
7 checks passed
@kenjis kenjis deleted the docs-update-valiation-sample branch December 14, 2023 23:50