Antony Dovgal wrote:
On 15.11.2005 15:06, Roman Ivanov wrote:
This particular extension treats each input variable individually,
which is not desirable in the majority of scripts I have worked with. Such
an approach adds unnecessary complexity to the script, and requires
handling each invalid variable separately as well. But the real problem
is that there are many ways of filtering input, and I do not think any
of them fits all the situations.
Ahha.
So what exactly do you propose?
For example, I have 3 different variables: an email, an integer and a
string.
How do you think I should filter them?
Sorry, do not have time to simplify. This is how I do it:
function filterRequest($prototype, $action){
    loadPrototype($prototype);            // loadPrototype() and getFilter() belong to
    $vars = get_class_vars($prototype);   // the author's framework and are not shown
    if (empty($vars['vigilant'])) {
        return $_REQUEST;
    }
    $filter = getFilter($prototype, $action);
    if ($filter === NULL) {
        return NULL;
    }
    if ($filter === TRUE) {   // strict: with ==, any non-empty rule array would pass unfiltered
        return $_REQUEST;
    }
    $cleanedVars = array();
    foreach ($filter as $fieldName => $rule) {
        $value = isset($_REQUEST[$fieldName]) ? $_REQUEST[$fieldName] : '';
        if ($rule === TRUE) {            // TRUE means: accept the field as-is
            $cleanedVars[$fieldName] = $value;
            continue;
        }
        $positiveMatch = TRUE;
        if (preg_match('/n\w*$/', $rule)) { // check whether the regExp has the n modifier
            $positiveMatch = FALSE;
            $rule = preg_replace('/n(\w*)$/', '$1', $rule); // remove the modifier so PHP won't complain
        }
        // with the n modifier the field is accepted only when the pattern does NOT match
        if ((bool) preg_match($rule, $value) === $positiveMatch) {
            $cleanedVars[$fieldName] = $value;
        } else {
            user_error("Request filtered out because of '$fieldName' field", E_USER_WARNING);
            return NULL;
        }
    }
    return $cleanedVars;
}
>> "Part of the standard API, which is included with PHP and compiles by
>> default", if you will.
>
>
> So, basically you're objecting against enabling it by default?
> Why? I really do not see a reason to not include it by default, if it
> helps to write more secure code.
> (remember that "enabled by default" means you can disable it in a
> moment).
Well, I think that everything in core distribution is a suggested
standard. But a language should not, in my opinion, suggest any
particular structure for the program, unless it's absolutely
necessary. It's not a major issue, but still...
Sorry, I refuse to understand that.
The language HAS to recommend a way to do something and to allow the user to
choose any other way if the recommended one doesn't fit his/her needs.
Perl: There is more than one way to do it.
Java: There is more than one way to do it, as long as you're doing it
our way.
C: Use assembly.
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
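As an added example, not code from the original thread: a rule array for the three variables Antony asked about (an email, an integer and a string), applied with the same rule semantics as Roman's filterRequest() (TRUE passes a field through, a PCRE rule must match, a trailing "n" modifier negates the match). The function name applyRules(), the field names and the sample requests are constructed for this illustration.

```php
<?php
// Same rule semantics as the filterRequest() in the thread, minus the
// prototype/getFilter() plumbing: the rule array is passed in directly.
function applyRules(array $filter, array $request)
{
    $cleaned = array();
    foreach ($filter as $field => $rule) {
        // a missing field is treated as an empty string, like @$_REQUEST[...]
        $value = isset($request[$field]) ? $request[$field] : '';
        if ($rule === TRUE) {
            $cleaned[$field] = $value;
            continue;
        }
        // an "n" among the trailing modifiers means "accept only if the pattern does NOT match";
        // it is stripped before the call because it is not a modifier preg_match() knows here
        $mustMatch = !preg_match('/n\w*$/', $rule);
        $rule = preg_replace('/n(\w*)$/', '$1', $rule);
        // arrays (foo[]=...) never pass a regex rule; one bad field rejects the whole request
        if (!is_string($value) || (bool) preg_match($rule, $value) !== $mustMatch) {
            return NULL;
        }
        $cleaned[$field] = $value;
    }
    return $cleaned;
}

// constructed rule set for one action: email, unsigned integer, free-text string
$filter = array(
    'email'   => '/^[\w.+-]+@[\w-]+(\.[\w-]+)+$/', // rough email shape
    'count'   => '/^\d{1,9}$/',                   // integer, bounded length
    'comment' => '/<\s*script/in',                // string: reject if it contains <script
);

// constructed sample requests
$good = array('email' => 'user@example.org', 'count' => '42', 'comment' => 'Nice post');
$bad  = array('email' => 'user@example.org', 'count' => '42', 'comment' => '<script>x</script>');

foreach (array('good' => $good, 'bad' => $bad) as $name => $req) {
    echo $name, ': ', applyRules($filter, $req) === NULL ? "rejected\n" : "accepted\n";
}
```

Because the negated rule rejects the whole request rather than stripping the offending text, the string variable is validated, not "sanitised", which is the point Roman makes about handling invalid input in one place.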