Re: [fw-general] Reply to mailing list

2008-03-08 Thread Isaak Malik 

There's a good chance you're not making through the spam filter. I
haven't had a chance to log in and clean it up for a couple of weeks,
but I'll get to it today or over the weekend. If you're there, I'll
whitelist your email so it won't happen again.

,Wil


Thank you, I'm surprised that the mailing list received this E-mail.
--
Isaak Malik
Web Developer

Re: [fw-general] Zend_Form - should data validation occur on filtered value?

2008-03-08 Thread Matthew Weier O'Phinney 
-- Laurent Melmoux <[EMAIL PROTECTED]> wrote
(on Saturday, 08 March 2008, 12:16 PM +0100):
> I’ve read the discussion and I really agree with Matthew first answer 
> (more below ) :

Some more information here:

ZFI and Zend_Form do pre-filtering in order to ensure that you can
perform validations. For example, spurious spaces at the beginning or
end of input should not be counted against the string length; when
validating a phone number, there's no need to validate anything other
than the digits (this prevents the need for complex regexen to check for
all potential phone number formats); content that should not contain
HTML may still be valid... so long as you strip the tags first.

Escaping is another operation entirely. ZFI does escaping, but ZFI's
primary use case is with models -- pulling in data and then escaping it
for your model. Zend_Form does escaping already... when rendering.

I can see the value of a postfilter for when you associate a Zend_Form
with a model. Right now, this is possible in a couple of ways:

* Load a new set of filters into your elements after validation, and
  then pull your values.
* Create a filter chain in your model (using Zend_Filter), and pass
  the data through that. This is probably the better place to do so,
  as you then know that the filtering is specific to your model.

I'll consider a postfilter post-1.5.0 GA release when I start looking at
associating forms with models.


> Matthew Weier O'Phinney-3 wrote:
>> Validation merely makes sure that the submitted data passes certain
>> rules. Filtering is for output -- to a database, to the screen,
>> whatever. You validate unfiltered data, and then filter it for your
>> output stream.
>>
>> Another use for filtering is normalization -- taking input and modifying
>> it to fit a 'normal' specification. An example of this is taking a phone
>> number -- (800) 555-1212 -- and normalizing it for your database --
>> 8885551212. You will often take a normalized value and filter it again
>> for display -- 800.555.1212.
>>
>> Let's look at this:
>>
>> If I have a filter, StripTags, and then a validator, NoTags, and run the
>> data through the filter prior to validating what's the point of the
>> validation then? you've already ensured that it will pass no matter
>> what.. but now when you return the data to the user, it looks unfamiliar
>> to them.
>>
>> Better is to check for tags in the first place, and let the user know
>> they aren't allowed... or, allow them, but strip them out prior to
>> storing or displaying the information (to prevent XSS attacks, for
>> example).
>
> Then Matthew changed it to pre-filter base on what I've been done in ZFI
>
>> For those who are interested:
>>
>> The idea is to allow some normalization of data prior to sending it to
>> validation. The example given me was one of a username:
>>
>> * Allow only 3-16 characters
>>
>> and you get ' mweierophinneyzend ' as input... it would fail
>> validation, but likely shouldn't have. If the input were run through
>> StringTrim first, it would pass.
>>
>> Basically, such normalization ensures that the data is *ready* for
>> validation. 
>
> It looks to me that only StringTrim fit the use case of pre-filtering data. 
> And I’m style convinced that post filtering is a better approaches. :)
>
>
> --
> Laurent Melmoux
> Annecy, France
>
> Amr Mostafa a écrit :
>> Hi Laurent,
>>
>> While I don't have the answer to your question specifically, I know that 
>> Zend_Form used to validate before filtering like you are suggesting. But 
>> that was modified per this discussion:
>>
>> http://www.nabble.com/Zend_Form_Element-validation-bug-tt15589810s16154.html
>>
>> As a side note, I've done something very similar to the use case you 
>> describe, and didn't run into this problem. The only difference I had was 
>> that the filter converts the given date to a Zend_Date instance. Which 
>> then runs through Zend_Validate_Date and it's has been working fine. Think 
>> I got lucky there and I've even noticed it :)
>>
>> Back to the discussion linked above, in one post I can tell that Matthew 
>> acknowledged the important of a pre/postFilter.
>>
>> Best Regards,
>> - Amr
>>
>> On Sat, Mar 8, 2008 at 11:26 AM, Laurent Melmoux <[EMAIL PROTECTED] 
>> > wrote:
>>
>> Hi Matthew and every body,
>>
>> First a use case:
>>
>> On an i18n application the user can chose is preferred date format for
>> display and input.
>> Let's say 'dd/MM/'.
>> I n the backend I will need a validator to validate the date
>> format and
>> a filter to convert the date to a Mysql format '-MM-dd'.
>>
>> But here the validation against 'dd/MM/' won't work because
>> the date
>> will be filtered before validation. Well, an easy work around will
>> be to
>> validate against the '-MM-dd' format but it sound not very
>> clean and
>> I could not use an error message saying the right f

Re: [fw-general] Is there a way to set options on a tag surrounding a label?

2008-03-08 Thread Matthew Weier O'Phinney 
-- Amr Mostafa <[EMAIL PROTECTED]> wrote
(on Saturday, 08 March 2008, 01:03 PM +0200):
> Pardon my rush there, I need to stop assuming that everyone lives on the
> subversion trunk :)
> Ok so here we go: This is going to work with the current trunk only or with 
> the
> next 1.5 release candidate :)

And it's also committed to the 1.5 release branch. :-)


> On Sat, Mar 8, 2008 at 1:01 PM, Amr Mostafa <[EMAIL PROTECTED]> wrote:
> 
> You could do that using the ViewScript decorator with the new content
> wrapping feature Matthew added few hours ago! :)
> 
> Here is your new setElementDecorators():
> 
> $form->setElementDecorators(array(
> array('ViewHelper'),
> array('ViewScript', array('viewScript' => 'element.phtml',
> 'placement' => false)),
> ));
> 
> Then in your element.phtml:
> 
>  require_once 'Zend/Form/Decorator/Label.php';
> $label = new Zend_Form_Decorator_Label();
> $label->setElement($this->element);
> ?>
> 
> 
> render('') ?>
> 
> 
> content ?>
> 
> 
> 
> One small note about the Label decorator, we could actually write the
>  tag ourselves like: element->getLabel() ?>
> But that's not good enough, what if the element doesn't have 'id' set?
> Label decorator is smart to fall back to the element name if id is not 
> set,
> and it has a bunch of other extras, like adding the optional/required
> classes, ...etc.
> 
> Best Regards,
> - Amr
> 
> 
> On Sat, Mar 8, 2008 at 4:55 AM, Karl Katzke <[EMAIL PROTECTED]> wrote:
> 
> I'm using Zend_Form to build a form, and I'd like to align all of the
> labels to the right inside their table cells. I can do this with 
> either
> CSS or the align="right" attribute of the table cell, but I would need
> to be able to set attributes on the tag... which by my read, currently
> isn't possible.
> 
> Sample decorator:
> 
>  46 $this->setElementDecorators(array(
>  47 'ViewHelper',
>  48 'Errors',
>  49 array('decorator'=>array('td'=>
> 'HtmlTag'),'options'=>array('tag'=>'td')),
>  50 array('Label',array('tag'=>'td')),
>  51 array('decorator'=>array('tr'=>
> 'HtmlTag'),'options'=>array('tag'=>'tr')),
>  52 ));
> 
> In Zend_Form_Decorator_Label, we're already using
> Zend_Form_Decorator_HtmlTag to render the tag option of the label.
> Could we add a tagoptions field to that Label decorator and pass the
> array of options through to the Zend_Form_Decorator_HtmlTag?
> 
> I'm a bit of a newb to Zend Framework, and this is deep enough inside
> the framework to make my head spin a bit, but it looks like a fairly
> simple addition. I'm just not sure how to execute it without breaking
> things further! I realize that everyone's in a rush to get the last 
> few
> changes in before the freeze, but I'd appreciate a hand with this if
> anyone has the time.
> 
> Thanks,
> Karl Katzke
> 
> 
> 
> 

-- 
Matthew Weier O'Phinney
PHP Developer| [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/

Re: [fw-general] Zend_Filter_Input 'presence'=>'required'

2008-03-08 Thread thurting 

Try 'missingMessage' if you are still having problems.


thurting wrote:
> 
> Hi Brian,
> 
> You can change the relative message by setting it as an option of your
> Zend_Filter_Input instance.  This can be done during instantiation or
> through the setOptions() method.  You can not set different messages for
> different filters/validators - only one message format per instance.  You
> may want to use Zend_Validate_NotEmpty if you need more flexibility. 
> There is sample code in the docs, but I will post it here to save you the
> trouble.
> 
> 
>  $options = array(
> 'notEmptyMessage' => "A non-empty value is required for field
> '%field%'"
> );
> 
> $input = new Zend_Filter_Input($filters, $validators, $data, $options);
> 
> // alternative method:
> 
> $input = new Zend_Filter_Input($filters, $validators, $data);
> $input->setOptions($options);
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-%27presence%27%3D%3E%27required%27-tp15865637s16154p15912885.html
Sent from the Zend Framework mailing list archive at Nabble.com.

Re: [fw-general] Zend_Layout with nested layout?

2008-03-08 Thread SiCo007 

I have just done something similiar, as I primarily thought this is what
Zend_Layout would do, basically I have the layout include a common header
and footer.

I know this is going back to the dark ages a little but it seemed like the
simplest fashion, and if you don't want a layout to use the standard header
and footer you simply delete the include from the layout.

I store everything in skins/layoutname and store the common header and
footer in skins/

skins
-- admin
-- default
-- header.php
-- footer.php

So each actual layout is a design in a skin, and the layout path is the
skin. For instance the default would be skins/admin/layout.php But if you
wanted a compact admin skin, you'd change the layout Zend_Layout would look
for to compact thus giving skins/admin/compact.php

Therefore the header/footer system seems to work well:
render('../header.php'); ?>

I don't know if this is perfect and it probably has lots of downsides but it
works for me, I'm interested to hear others takes on 'skinning' with
Zend_Layout. I realise people might be dubious of having designers add the
render call, but they have to add the calls to display content so!

Simon



Jeffrey Sambells-2 wrote:
> 
> Hi All,
> 
> I'm just playing with Zend_Layout and have a quick question. What I'd  
> like to do is have a three part view. I'd like my designer to design a  
> wrapper "template" that consists of the markup surrounding the output  
> of action views. This is exactly what Zend_Layout does so perfect! but  
> if possible I'd like the designer templates to exclude the doctype,  
> head and  and  tag stuff and stick strictly to what comes  
> after .  That way designers don't need to worry about the non- 
> design stuff.
> 


-
Simon Corless

http://www.ajb007.co.uk/
-- 
View this message in context: 
http://www.nabble.com/Zend_Layout-with-nested-layout--tp15878224s16154p15912865.html
Sent from the Zend Framework mailing list archive at Nabble.com.

Re: [fw-general] Zend_Layout with nested layout?

2008-03-08 Thread Christian Ehmig 



> 
> I'm just playing with Zend_Layout and have a quick question. What I'd  
> like to do is have a three part view. I'd like my designer to design a  
> wrapper "template" that consists of the markup surrounding the output  
> of action views. This is exactly what Zend_Layout does so perfect! but  
> if possible I'd like the designer templates to exclude the doctype,  
> head and  and  tag stuff and stick strictly to what comes  
> after .  That way designers don't need to worry about the non-
> design stuff.
> 
> doc.phtml:
> 
>   PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
> 
> 
>  
>  headTitle() ?>
>  headScript() ?>
>  headStyle() ?>
> 
> 
> layout()->content ?>
> 
> 
> 
> which includes the following designer layout.phtml in "content":
> 
> 
> 
> layout()->nav ?>
> 
> layout()->content ?>
> 
> 
> which includes the action.phtml template in "content". 
> 


You could probably create a view helper like this:

class My_View_Helper_NestedLayout
{   
  
public function nestedLayout($layoutName)
{
try { 
$layout = Zend_Layout::getMvcInstance();

echo $layout->render($layoutName);
}
} catch (Zend_Exception $e) {
$this->view->layout($layoutName);
}
}   

public function setView(Zend_View_Interface $view)
{
$this->view = $view;
}
}

add the helper path (see
http://framework.zend.com/manual/en/zend.view.helpers.html#zend.view.helpers.custom)

Usage in your main layout (doc.phtml):

...
nestedLayout('content/layout') ?>   
...

this would render the layout file 'content/layout.phtml' (relative to your
layout path) at the position where like to render the content.


Please correct me if this might fail in any case!
-- 
View this message in context: 
http://www.nabble.com/Zend_Layout-with-nested-layout--tp15878224s16154p15912857.html
Sent from the Zend Framework mailing list archive at Nabble.com.

Re: [fw-general] Zend_Form - should data validation occur on filtered value?

2008-03-08 Thread Laurent Melmoux 
I’ve read the discussion and I really agree with Matthew first answer 
(more below ) :



Matthew Weier O'Phinney-3 wrote:

Validation merely makes sure that the submitted data passes certain
rules. Filtering is for output -- to a database, to the screen,
whatever. You validate unfiltered data, and then filter it for your
output stream.

Another use for filtering is normalization -- taking input and modifying
it to fit a 'normal' specification. An example of this is taking a phone
number -- (800) 555-1212 -- and normalizing it for your database --
8885551212. You will often take a normalized value and filter it again
for display -- 800.555.1212.

Let's look at this:

If I have a filter, StripTags, and then a validator, NoTags, and run the
data through the filter prior to validating what's the point of the
validation then? you've already ensured that it will pass no matter
what.. but now when you return the data to the user, it looks unfamiliar
to them.

Better is to check for tags in the first place, and let the user know
they aren't allowed... or, allow them, but strip them out prior to
storing or displaying the information (to prevent XSS attacks, for
example).


Then Matthew changed it to pre-filter base on what I've been done in ZFI


For those who are interested:

The idea is to allow some normalization of data prior to sending it to
validation. The example given me was one of a username:

* Allow only 3-16 characters

and you get ' mweierophinneyzend ' as input... it would fail
validation, but likely shouldn't have. If the input were run through
StringTrim first, it would pass.

Basically, such normalization ensures that the data is *ready* for
validation. 


It looks to me that only StringTrim fit the use case of pre-filtering 
data. And I’m style convinced that post filtering is a better approaches. :)



--
Laurent Melmoux
Annecy, France

Amr Mostafa a écrit :

Hi Laurent,

While I don't have the answer to your question specifically, I know 
that Zend_Form used to validate before filtering like you are 
suggesting. But that was modified per this discussion:


http://www.nabble.com/Zend_Form_Element-validation-bug-tt15589810s16154.html

As a side note, I've done something very similar to the use case you 
describe, and didn't run into this problem. The only difference I had 
was that the filter converts the given date to a Zend_Date instance. 
Which then runs through Zend_Validate_Date and it's has been working 
fine. Think I got lucky there and I've even noticed it :)


Back to the discussion linked above, in one post I can tell that 
Matthew acknowledged the important of a pre/postFilter.


Best Regards,
- Amr

On Sat, Mar 8, 2008 at 11:26 AM, Laurent Melmoux <[EMAIL PROTECTED] 
> wrote:


Hi Matthew and every body,

First a use case:

On an i18n application the user can chose is preferred date format for
display and input.
Let's say 'dd/MM/'.
I n the backend I will need a validator to validate the date
format and
a filter to convert the date to a Mysql format '-MM-dd'.

But here the validation against 'dd/MM/' won't work because
the date
will be filtered before validation. Well, an easy work around will
be to
validate against the '-MM-dd' format but it sound not very
clean and
I could not use an error message saying the right format to use.

So I'm wondering if data should be filtered prior to validation. Is
there some security concern?
While I see some advantage to filter data, like removing white space,
before it is validated. It looks better to me to run it after the
validation and let know the user that is input is wrong. Then filter
data for formatting and security.

Best Regards,

--
Laurent Melmoux
Annecy, France

Re: [fw-general] Is there a way to set options on a tag surrounding a label?

2008-03-08 Thread Amr Mostafa 
Pardon my rush there, I need to stop assuming that everyone lives on the
subversion trunk :)
Ok so here we go: This is going to work with the current trunk only or with
the next 1.5 release candidate :)

Cheers,
- Amr

On Sat, Mar 8, 2008 at 1:01 PM, Amr Mostafa <[EMAIL PROTECTED]> wrote:

> You could do that using the ViewScript decorator with the new content
> wrapping feature Matthew added few hours ago! :)
>
> Here is your new setElementDecorators():
>
> $form->setElementDecorators(array(
> array('ViewHelper'),
> array('ViewScript', array('viewScript' => 'element.phtml',
> 'placement' => false)),
> ));
>
> Then in your element.phtml:
>
>  require_once 'Zend/Form/Decorator/Label.php';
> $label = new Zend_Form_Decorator_Label();
> $label->setElement($this->element);
> ?>
> 
> 
> render('') ?>
> 
> 
> content ?>
> 
> 
>
> One small note about the Label decorator, we could actually write the
>  tag ourselves like: element->getLabel() ?>
> But that's not good enough, what if the element doesn't have 'id' set?
> Label decorator is smart to fall back to the element name if id is not set,
> and it has a bunch of other extras, like adding the optional/required
> classes, ...etc.
>
> Best Regards,
> - Amr
>
>
> On Sat, Mar 8, 2008 at 4:55 AM, Karl Katzke <[EMAIL PROTECTED]> wrote:
>
> > I'm using Zend_Form to build a form, and I'd like to align all of the
> > labels to the right inside their table cells. I can do this with either CSS
> > or the align="right" attribute of the table cell, but I would need to be
> > able to set attributes on the tag... which by my read, currently isn't
> > possible.
> >
> > Sample decorator:
> >
> >  46 $this->setElementDecorators(array(
> >  47 'ViewHelper',
> >  48 'Errors',
> >  49
> > array('decorator'=>array('td'=>'HtmlTag'),'options'=>array('tag'=>'td')),
> >  50 array('Label',array('tag'=>'td')),
> >  51
> > array('decorator'=>array('tr'=>'HtmlTag'),'options'=>array('tag'=>'tr')),
> >  52 ));
> >
> > In Zend_Form_Decorator_Label, we're already using
> > Zend_Form_Decorator_HtmlTag to render the tag option of the label. Could we
> > add a tagoptions field to that Label decorator and pass the array of options
> > through to the Zend_Form_Decorator_HtmlTag?
> >
> > I'm a bit of a newb to Zend Framework, and this is deep enough inside
> > the framework to make my head spin a bit, but it looks like a fairly simple
> > addition. I'm just not sure how to execute it without breaking things
> > further! I realize that everyone's in a rush to get the last few changes in
> > before the freeze, but I'd appreciate a hand with this if anyone has the
> > time.
> >
> > Thanks,
> > Karl Katzke
> >
>
>

Re: [fw-general] Is there a way to set options on a tag surrounding a label?

2008-03-08 Thread Amr Mostafa 
You could do that using the ViewScript decorator with the new content
wrapping feature Matthew added few hours ago! :)

Here is your new setElementDecorators():

$form->setElementDecorators(array(
array('ViewHelper'),
array('ViewScript', array('viewScript' => 'element.phtml',
'placement' => false)),
));

Then in your element.phtml:

setElement($this->element);
?>


render('') ?>


content ?>



One small note about the Label decorator, we could actually write the
 tag ourselves like: element->getLabel() ?>
But that's not good enough, what if the element doesn't have 'id' set? Label
decorator is smart to fall back to the element name if id is not set, and it
has a bunch of other extras, like adding the optional/required classes,
...etc.

Best Regards,
- Amr

On Sat, Mar 8, 2008 at 4:55 AM, Karl Katzke <[EMAIL PROTECTED]> wrote:

> I'm using Zend_Form to build a form, and I'd like to align all of the
> labels to the right inside their table cells. I can do this with either CSS
> or the align="right" attribute of the table cell, but I would need to be
> able to set attributes on the tag... which by my read, currently isn't
> possible.
>
> Sample decorator:
>
>  46 $this->setElementDecorators(array(
>  47 'ViewHelper',
>  48 'Errors',
>  49
> array('decorator'=>array('td'=>'HtmlTag'),'options'=>array('tag'=>'td')),
>  50 array('Label',array('tag'=>'td')),
>  51
> array('decorator'=>array('tr'=>'HtmlTag'),'options'=>array('tag'=>'tr')),
>  52 ));
>
> In Zend_Form_Decorator_Label, we're already using
> Zend_Form_Decorator_HtmlTag to render the tag option of the label. Could we
> add a tagoptions field to that Label decorator and pass the array of options
> through to the Zend_Form_Decorator_HtmlTag?
>
> I'm a bit of a newb to Zend Framework, and this is deep enough inside the
> framework to make my head spin a bit, but it looks like a fairly simple
> addition. I'm just not sure how to execute it without breaking things
> further! I realize that everyone's in a rush to get the last few changes in
> before the freeze, but I'd appreciate a hand with this if anyone has the
> time.
>
> Thanks,
> Karl Katzke
>

Re: [fw-general] Zend_Form - should data validation occur on filtered value?

2008-03-08 Thread Laurent Melmoux 

Thanks Amr,

I should have search the list :)

--
Laurent Melmoux
Annecy, France


Amr Mostafa a écrit :

Hi Laurent,

While I don't have the answer to your question specifically, I know 
that Zend_Form used to  validate before filtering like you are 
suggesting. But that was modified per this discussion:


http://www.nabble.com/Zend_Form_Element-validation-bug-tt15589810s16154.html

As a side note, I've done something very similar to the use case you 
describe, and didn't run into this problem. The only difference I had 
was that the filter converts the given date to a Zend_Date instance. 
Which then runs through Zend_Validate_Date and it's has been working 
fine. Think I got lucky there and I've even noticed it :)


Back to the discussion linked above, in one post I can tell that 
Matthew acknowledged the important of a pre/postFilter.


Best Regards,
- Amr

On Sat, Mar 8, 2008 at 11:26 AM, Laurent Melmoux <[EMAIL PROTECTED] 
> wrote:


Hi Matthew and every body,

First a use case:

On an i18n application the user can chose is preferred date format for
display and input.
Let's say 'dd/MM/'.
I n the backend I will need a validator to validate the date
format and
a filter to convert the date to a Mysql format '-MM-dd'.

But here the validation against 'dd/MM/' won't work because
the date
will be filtered before validation. Well, an easy work around will
be to
validate against the '-MM-dd' format but it sound not very
clean and
I could not use an error message saying the right format to use.

So I'm wondering if data should be filtered prior to validation. Is
there some security concern?
While I see some advantage to filter data, like removing white space,
before it is validated. It looks better to me to run it after the
validation and let know the user that is input is wrong. Then filter
data for formatting and security.

Best Regards,

--
Laurent Melmoux
Annecy, France

Re: [fw-general] Zend_Form - should data validation occur on filtered value?

2008-03-08 Thread Amr Mostafa 
Hi Laurent,

While I don't have the answer to your question specifically, I know that
Zend_Form used to  validate before filtering like you are suggesting. But
that was modified per this discussion:

http://www.nabble.com/Zend_Form_Element-validation-bug-tt15589810s16154.html

As a side note, I've done something very similar to the use case you
describe, and didn't run into this problem. The only difference I had was
that the filter converts the given date to a Zend_Date instance. Which then
runs through Zend_Validate_Date and it's has been working fine. Think I got
lucky there and I've even noticed it :)

Back to the discussion linked above, in one post I can tell that Matthew
acknowledged the important of a pre/postFilter.

Best Regards,
- Amr

On Sat, Mar 8, 2008 at 11:26 AM, Laurent Melmoux <[EMAIL PROTECTED]> wrote:

> Hi Matthew and every body,
>
> First a use case:
>
> On an i18n application the user can chose is preferred date format for
> display and input.
> Let's say 'dd/MM/'.
> I n the backend I will need a validator to validate the date format and
> a filter to convert the date to a Mysql format '-MM-dd'.
>
> But here the validation against 'dd/MM/' won't work because the date
> will be filtered before validation. Well, an easy work around will be to
> validate against the '-MM-dd' format but it sound not very clean and
> I could not use an error message saying the right format to use.
>
> So I'm wondering if data should be filtered prior to validation. Is
> there some security concern?
> While I see some advantage to filter data, like removing white space,
> before it is validated. It looks better to me to run it after the
> validation and let know the user that is input is wrong. Then filter
> data for formatting and security.
>
> Best Regards,
>
> --
> Laurent Melmoux
> Annecy, France
>
>
>

[fw-general] Zend_Form - should data validation occur on filtered value?

2008-03-08 Thread Laurent Melmoux 

Hi Matthew and every body,

First a use case:

On an i18n application the user can chose is preferred date format for 
display and input.

Let’s say 'dd/MM/'.
I n the backend I will need a validator to validate the date format and 
a filter to convert the date to a Mysql format '-MM-dd'.


But here the validation against 'dd/MM/' won’t work because the date 
will be filtered before validation. Well, an easy work around will be to 
validate against the '-MM-dd' format but it sound not very clean and 
I could not use an error message saying the right format to use.


So I’m wondering if data should be filtered prior to validation. Is 
there some security concern?
While I see some advantage to filter data, like removing white space, 
before it is validated. It looks better to me to run it after the 
validation and let know the user that is input is wrong. Then filter 
data for formatting and security.


Best Regards,

--
Laurent Melmoux
Annecy, France