Does Apache Thrift validate parameters?

I'm considering using Apache Thrift for a PHP server that implements web services.

If my web service were to be defined to accept two parameters - a user name as a string, and a password as an integer - would thrift validate that para开发者_Go百科meters of those types were supplied by the client, or do I still need to perform validation on the server?

I'm not asking here for the purposes of sanitising input, but rather for returning meaningful error responses to clients, and whether if a service is invoked with incorrect parameters requests will even be made to the server.

To my understanding, the check - if any - is performed at "library level", where the local types are translated into Thrift types, where the code generation happens. In other words, it will depend on the bindings for the specific language you are using (PHP, Erlang, whatever), to raise meaningful - or not - errors if types are not respected. But I have to look into it a bit more.

It basically depends on what kind of validation we are talking.

If the parameters need to be set, you could make them "required". In that case, the fields are checked in most language implementations (not in all) during deserialization and an error is thrown whenever a reuirwed Parameter is missing. However, required comes at the cost of potential problems with versioning: you can't omit a required field once the API has been published, or it will break compatibility otherwise.

The presence of normal ("optional") values can typically be checked by means of the _isset flags, which exist for exactly this purpose. This is something that your own code is responsible for - Thrift does provide the messaging mechanisms, but of course not the interpretation of your data.

If validation in your case means, that the data Format (string and number) should be checked: Because the code for both Client and Server is generated from the Thrift IDL file, the implementation will use the correct field serialization and deserialization method according to the IDL file:

Service sample
{
  bool Login( 1: string Name, 2: i32 pwd)
}

If you Need to Change for whatever reason the Password from i32 into string, technically this results in two changes:

1. remove the Password field with the ID 2, except if the field is "required"
2. add a new field with the new ID 3

so it looks this way:

Service sample
{
  bool Login( 1: string Name, /*2: i32 _deprecated_pwd*/, 3: string pwd)
}

As field type and field purpose are bound to the numeric field ID, it is highly recommended to use another field ID in such a case, which is so far unused within this scope. It is also recommended to leabve the old fields in the IDL to indicate outdated IDs.

A good reference about this "soft versioning" stuff and the pros and cons of "required" fields can be found in Diwaker Gupta's "Missing Guide".