The SuperGlobals class replaces all superglobals ($_GET, $_POST, and
$_COOKIE I think) with a filtered version containing data that should be
"safe" for use in HTML. Anything handed to the database is "filtered" in
that it's passed through a bound parameter in PDO, preventing SQL injection.
FormValidators only apply to things in FormUI that manually have some sort
of validation applied to them. In general I would consider these more of
front-end validation rules - they should guide users to input semi-relevant
things, not necessarily 100% guarantee that you'll get back what you expect.
I could be wrong, but I think a conservative approach is best - still treat
things input by users as not necessarily perfect, even if they're "safe".
Table names should be supplied as {table_name}, and they get translated in
the DB class to the prefix__tablename format in every query. No field names,
etc. are translated - you shouldn't be accepting things like that from user
input anyway.
On Sat, Apr 18, 2009 at 5:33 PM, Florian Thiel <[email protected]> wrote:
>
> Hello again,
>
> just so I don't get it wrong: You're using Superglobals to clear user
> input but there is basically no further validation, right? For output
> to HTML, there is htmlspecialchars, sometimes in the handlers,
> sometimes in the templates, for the db there is PDO. Is that correct?
> And is that it, for filtering/validation? FormValidators is not used
> outside plugins, right?
>
> Do things that can't use PDO (like table names, LIMITS, etc.) get
> validated somewhere? I didn't see this...
>
> thanks,
> florian
>
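The pattern described in the reply above, as an added illustration that is not Habari's own DB class: `{table}` placeholders are rewritten to the prefixed name by the code (never by user input), column names used in ORDER BY are checked against a fixed whitelist since identifiers cannot be bound, LIMIT values are coerced to a bounded integer and bound as integers, and every value reaches the database only through a PDO bound parameter. The prefix `habari__`, the `posts` table and the whitelist are assumptions for this example.

```php
<?php
// Added example, not Habari's DB class. Assumed values: prefix 'habari__',
// a 'posts' table and a whitelist of sortable column names.

const TABLE_PREFIX = 'habari__';          // assumed table prefix
const SORTABLE_COLUMNS = ['id', 'title']; // assumed whitelist of column names

function translateTables(string $sql): string
{
    // Rewrite {name} to prefix__name. Only [a-z0-9_] is accepted inside the
    // braces, and the placeholders are written by the developer, not by users.
    return preg_replace('/\{([a-z0-9_]+)\}/', TABLE_PREFIX . '$1', $sql);
}

function query(PDO $db, string $sql, array $params): array
{
    // Values are bound as parameters; they are never interpolated into $sql.
    $stmt = $db->prepare(translateTables($sql));
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function orderColumn(string $requested): string
{
    // Identifiers cannot be bound, so a fixed whitelist is the only safe
    // way to let a request influence ORDER BY.
    if (!in_array($requested, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $requested;
}

function limitValue($requested): int
{
    // LIMIT values: validate as a bounded integer, fall back to a default.
    $n = filter_var($requested, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return $n === false ? 10 : $n;
}

// Constructed in-memory SQLite database with two rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE habari__posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO habari__posts (title) VALUES ('hello'), ('world')");

// A value containing a quote is just data to PDO: this matches no row and
// never alters the statement.
$title = "a'b";
$rows = query($db, 'SELECT id, title FROM {posts} WHERE title = :title',
    [':title' => $title]);
var_dump(count($rows));

// Column name checked against the whitelist, limit bound as an integer.
$col = orderColumn('title');
$stmt = $db->prepare(translateTables(
    "SELECT title FROM {posts} ORDER BY $col LIMIT :lim"));
$stmt->bindValue(':lim', limitValue('1'), PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetchColumn());
```

The split between the three cases is the point: values go through `execute()` or `bindValue()`, table names come from code-authored placeholders, and anything else that must appear as an identifier or a literal in the SQL text is reduced to a whitelist entry or a checked integer before it is concatenated.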
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at http://groups.google.com/group/habari-dev
-~----------~----~----~----~------~----~------~--~---