Re: Do I need to use sanitize?

2010-09-30 Thread WhyNotSmile
Thanks.

I'm just sending plain text emails, so that should be fine.

Sharon



On 30 Sep, 06:04, Dr. Loboto drlob...@gmail.com wrote:
 I personally never use Sanitize as I don't want to break user-entered
 data. Instead of it I use h() to escape all text on HTML output. On
 save to database also nothing is needed, as Cake properly escapes data
 itself. So if you send HTML emails you just need to escape user-entered
 text and that's all.

 On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:

  I'm creating a website which has a few forms, and wondering whether I
  need to use Sanitize for those.  In each case, there are a few text
  boxes which accept input from visitors; that information gets emailed
  to a central address.  Nothing is stored in the database.

  Do I need to use sanitize for that, or is it mainly for times when the
  form data is going into the database?

  I also wasn't completely clear on the documentation about sanitize -
  it says Cake automatically uses it for saving and reading, but does
  that include 'find' functions, and do I have to include
  App::import('Sanitize'); to make it work (i.e. it's automatic once
  it's included)?

  Thanks!

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en


RE: Do I need to use sanitize?

2010-09-30 Thread Dave Maharaj
Just jumping in here for my opinion, not advice.

I have seen this question many times, asked it myself along the way and I
guess the question asked includes the word need. And as Dr. Loboto pointed
out, you do not need to. But I would like to add my 2 cents, and even though you
may not need to, I personally think of many reasons to do so. For me
appearance is key; the last thing I want to see is what appears to be code
entered in blocks of user-submitted data. I do not want someone entering <?php
echo 'hello'?> as their first name and having that displayed to users.
If someone is entering crap info into forms to be a pain in my ass I make it
a pain in their ass to try to enter it and make it validate. The only reason
someone would enter code or malicious code would be to try to cause
havoc. If they want to try to enter js snips, html blocks with inline
attributes, go right ahead, I strip it all out in beforeValidate(), with my own
cleaning functions for specific areas of user input. If it takes someone 20
attempts to enter their first name because they are wrapping it in code, using
numbers or symbols then that's just too bad, because they obviously know what
they are doing, and they should not be doing it. I say 99% would just enter their
name as they should. For that 1% of idiots, I would rather not have them use
the site, so if it's hard on them well then too bad.

Others point out simply let the end users put in whatever they want and
clean out all the unwanted stuff once it's pulled from the db and displayed
to the user. I ask why? Why would you want to have mass amounts of junk code
saved in the db only to clean it every time it's pulled? Would it not be
better off to clean it once and then never worry about it again (until next
save)?

So I guess every app has its own unique issues for this question; maybe you
do not need to, like you asked in the question, but for me I think even though
it may not be needed for security reasons it certainly is for aesthetic
reasons.

Dave

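
Dave's approach above (clean once in beforeValidate(), then make the value validate), as an added example that is not Dave's own code; it assumes a CakePHP 1.3 model, and the model and field names are invented.

```php
<?php
// Added example, not code from the thread. A CakePHP 1.3 model applying
// Dave's approach: text fields are cleaned once in beforeValidate(), and the
// validation rules then reject whatever is left if it does not look like a
// plausible value. Model and field names are assumptions.
class Comment extends AppModel {
	var $name = 'Comment';

	var $validate = array(
		'author' => array(
			// Letters, spaces, apostrophes and hyphens only. A name typed as a
			// PHP or HTML tag fails this rule even after stripping, which is
			// the "make it validate" part of Dave's description.
			'rule' => '/^[\p{L} \'\-]{1,60}$/u',
			'message' => 'Please enter your name using letters only.',
		),
		'body' => array(
			'rule' => 'notEmpty',
			'message' => 'Please enter a comment.',
		),
	);

	// Runs before the rules above: strip markup and trim the text fields.
	// strip_tags() removes the tag shells and leaves the text between them,
	// so this is cleanup for appearance, not a security boundary. The view
	// still wraps every value in h() on output (Dr. Loboto's point),
	// whatever ends up stored.
	function beforeValidate() {
		foreach (array('author', 'body') as $field) {
			if (isset($this->data[$this->alias][$field])) {
				$value = $this->data[$this->alias][$field];
				$this->data[$this->alias][$field] = trim(strip_tags($value));
			}
		}
		return true;
	}
}
```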


Re: Do I need to use sanitize?

2010-09-30 Thread euromark
usually you do not clean it after getting it from the DB,
you simply h() encode it. that's a difference.

it depends on the model data
but if we are in a Comment model and all kinds of comments got
screwed up
because the developer was too eager to sanitize every crappy post
that would piss me off as a user.

so especially for aesthetic reasons you are better off leaving the
post as it is
if somebody wants to post crap, you can filter all you want, the
result will still be crap.
and it will still need to be deleted manually afterwards.
and all other posts are usually genuine and should be posted as the
poster intended.
of course with h() to ensure nothing happens. but here we go. no
additional work done, no problems.



Re: Do I need to use sanitize?

2010-09-30 Thread j.blotus
I would be careful about using h() instead of htmlspecialchars(); it
seems the core guys keep deprecating convenience functions such as a().



Re: Do I need to use sanitize?

2010-09-30 Thread euromark
this one will never be deprecated! :)
mainly because of the auto-setting of app encoding

other conv. functions simply did the same as the original function,
therefore it was nonsense to use them in the first place



Re: Do I need to use sanitize?

2010-09-29 Thread Dr. Loboto
I personally never use Sanitize as I don't want to break user-entered
data. Instead of it I use h() to escape all text on HTML output. On
save to database also nothing is needed, as Cake properly escapes data
itself. So if you send HTML emails you just need to escape user-entered
text and that's all.

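
Dr. Loboto's advice above (escape with h() only where the text is rendered as HTML, nothing for a plain-text mail) and euromark's point about h() filling in the app encoding, as an added example that is not code from the thread or from CakePHP; it assumes the CakePHP 1.3 EmailComponent API, and the controller, field names and addresses are invented.

```php
<?php
// Added example, not code from the thread or from CakePHP. A CakePHP 1.3
// contact form whose submissions are emailed and never saved (Sharon's
// case): nothing is run through Sanitize on input, and the only escaping
// is h() at the point where a value is placed into HTML. The controller,
// field names and addresses are assumptions.
class ContactsController extends AppController {
	var $name = 'Contacts';
	var $uses = array();                   // no model: nothing goes to the DB
	var $components = array('Email', 'Session');

	// Plain-text body: the mail client shows every character literally, so
	// the raw input needs no escaping. CR/LF are collapsed in the one-line
	// fields only so that each label stays on its own line.
	function _textBody($fields) {
		$name  = str_replace(array("\r", "\n"), ' ', $fields['name']);
		$email = str_replace(array("\r", "\n"), ' ', $fields['email']);
		return "Name: " . $name . "\n"
			. "Email: " . $email . "\n"
			. "Message:\n" . $fields['message'] . "\n";
	}

	// HTML body: every user value passes through h() (Dr. Loboto's advice),
	// so a name typed as a PHP or HTML tag reaches the reader as visible
	// text, not as markup. In CakePHP 1.3, h() is htmlspecialchars() with
	// ENT_QUOTES and Configure::read('App.encoding') filled in (euromark's
	// point), so the charset is not repeated at every call site.
	function _htmlBody($fields) {
		return '<p><b>Name:</b> ' . h($fields['name']) . '</p>'
			. '<p><b>Email:</b> ' . h($fields['email']) . '</p>'
			. '<p><b>Message:</b><br />' . nl2br(h($fields['message'])) . '</p>';
	}

	function index() {
		if (!empty($this->data)) {
			$fields = $this->data['Contact'];

			// Fixed addresses only: the visitor's address goes into the body
			// built above, never into a mail header.
			$this->Email->to      = 'enquiries@example.com';   // placeholder
			$this->Email->from    = 'website@example.com';     // placeholder
			$this->Email->subject = 'Website enquiry';

			// 'text' is Sharon's case and needs no escaping at all; switch to
			// 'html' and the h()-escaped body is used instead.
			$format = 'text';
			$this->Email->sendAs = $format;
			$body = ($format === 'html') ? $this->_htmlBody($fields)
			                             : $this->_textBody($fields);
			$this->Email->send($body);

			$this->Session->setFlash('Thanks, your message has been sent.');
			$this->redirect(array('action' => 'index'));
		}
	}
}
```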