Re: [fw-general] Zend_Filter_Input...
Matthew Ratzloff wrote:

> Well, my point was that because any of those can be manipulated
> (POST, GET, COOKIE, etc.), selecting from a specific source can
> lead to a false sense of added security.

The idea that ignorance promotes security is fundamentally flawed. Pádraic clearly understands the risks associated with this perspective. In addition, this approach works against the HTTP spec, eroding the important distinction between GET and POST requests.

Chris
Re: [fw-general] YAZFA
Simon Jones wrote:

> Very nice site redesign Chris

Thanks! :-)

> Have you written any articles on your use of Zend Framework?

Not yet, but that's a good idea. In order for such an article to focus on the positive aspects of ZF, I think I should wait until it has matured a bit.

Chris

--
Chris Shiflett
http://shiflett.org/
[fw-general] YAZFA
Yet another ZF application. :-)

I'm sure there are dozens of big web sites using ZF now, but I wanted to mention a new one that's near to my heart:

http://shiflett.org/

There's still a lot of custom code, but it's built entirely on ZF. Zend_Feed is used for reading and aggregating blogs:

http://shiflett.org/planet

I've been using ZF more than digging in to see how things can be improved lately, so I might be speaking from ignorance, but one thing that would be really useful for Zend_Feed is a normalization of data found in the various feed formats - date, content, and URLs for each item, for example. I have some unpolished code for this, but someone more intimate with the various formats should vet it first.

Chris
Re: [fw-general] Page Expired
Jean-Marc Fontaine wrote:

> This article will probably help you:
>
> http://www.php-mag.net/magphpde/magphpde_article/psecom,id,637,nodeid,21.html

Thanks. :-) I was going to suggest that myself. There is a slightly-updated and easier-to-read version here:

http://shiflett.org/articles/how-to-avoid-page-has-expired-warnings

Chris
Re: [fw-general] Using $_GET and $_POST as Zend_Filter_Input
Hi Stuardo,

> I'm using $_GET and $_POST as Zend_Filter_inputs like this:
>
> $_POST = new Zend_Filter_Input($_POST);
> $_GET = new Zend_Filter_Input($_GET);

I know there are planned changes to this component, and although I haven't had time to familiarize myself with the new direction, I think I can address this from a theoretical standpoint.

Whether as a developer or a manager, you want to encourage good habits. One such habit is always treating sources of input such as $_GET and $_POST with suspicion. If your filtering approach somehow makes $_GET and $_POST safe, in the sense that they only contain filtered data, you erode this suspicion. Developers begin to assume data within $_GET and $_POST has been filtered instead of assuming it has not.

I can make up hypothetical situations to strengthen the point, but hopefully it's clear that fragile approaches tend to yield more security vulnerabilities than robust ones. That doesn't mean this approach is bad or completely without merit, but I do think it incurs a greater risk.

Chris
Re: [fw-general] Zend_Filter :alpha
Hi Thomas,

> public function getAlpha($name, $locale = false)
> {
>     // Default to plain ASCII letters; otherwise let Zend_Locale
>     // supply the locale-specific character range.
>     $characters = 'a-z';
>     if ($locale !== false) {
>         $characters = Zend_Locale_Data::getContent($locale, 'characters');
>     }
>     // preg_match() takes the pattern first, then the subject,
>     // then the array that receives the match.
>     preg_match('/[' . $characters . ']/', $name, $result);
>     return $result;
> }

I like your idea, especially leaving locale-dependent details to Zend_Locale. I have a couple of questions related to this:

1. What are your thoughts about passing $locale to the constructor instead of each individual method?

2. Is there a clever solution that would let people allow multiple locales? For example, even if I don't need to allow all possible alphabetic characters, I might want to allow all possible English, French, Spanish, and German alphabetic characters.

I haven't looked at Zend_Locale, so my apologies if this is a redundant question.

Thanks for your time.

Chris
Re: [fw-general] lighttpd + zend framework
Laurent Melmoux wrote:

> Does anybody know which rewrite rule I should write in
> lighttpd to use with Zend_Framework?

Peter Pistorius gives one for lighttpd here:

http://shiflett.org/archive/208

url.rewrite-once = (".*\.(js|gif|jpg|png|css)$" => "$0", "" => "/index.php")

Chris
Re: [fw-general] Zend_Filter::isEmail() status
Gavin Vess wrote:

> Moving discussion to fw-formats list.
>
> Chris, any news for us?

I'll email Cal again, but I'm not having any luck getting a response. I won't see him in person until the first of December, so that doesn't really help.

It wouldn't be hard to simply do the RFC 822 BNF -> regex pattern ourselves, but I think we'd come up with an identical solution (variable names and all).

Chris
Re: [fw-general] ZF Shirts
Richard Thomas wrote:

> The logo says "Powered by Zend Framework" what more do you need

"I Power the Zend Framework."

Chris
Re: [fw-general] links to download the framework are gone!
Stuardo Rodríguez wrote:

> The 2 buttons to download the ZF (tar and zip) are gone, I
> can't see them on the website... does anyone know something
> about this?

It looks like some interface changes are being made. For now, at least the download URLs still work:

http://framework.zend.com/download/tgz
http://framework.zend.com/download/zip

Chris
Re: [fw-general] Zend_Filter_Input
Matthew Ratzloff wrote:

> I think all functions should begin with a verb, but "isSet"
> seems more natural than "isKey" in this situation, since the
> array is a product of how PHP handles POST data, not inherent
> in the HTML itself.

You make a good argument. :-) The isSet() name seems good.

> If I can continue to be pedantic for a moment, "noTags" and
> "noPath" aren't good function names either. They should be
> "removeTags" and "removePath" or something similar.

The original intent wasn't to begin strictly with a verb, although I can see some value in that. Rather, prefixes were chosen to be:

1. Unique - With fewer prefixes and clearer organization, utility can be easily remembered. By forcing ourselves to stick to very few prefixes, it also guides us toward consistency.

2. Descriptive - In addition to being easy to remember, prefixes are hopefully intuitive in the first place.

3. Short - The shorter, the better.

This gave us "is" (whitelist), "no" (blacklist), and "get" (blind). Because methods/functions that begin with "is" traditionally return strictly boolean (not just something that can be used as a boolean, such as the return value of mysql_query()), "test" was added to describe the unique utility within Zend_Filter_Input, where only valid values are released from the cage. So, "test" is essentially the same as "is" with one added feature.

Anyway, you can blame me for the current convention. If others would also prefer changing "no" to a verb, maybe that's something we should consider. I personally like it as it is.

Chris
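As an added illustration (not Zend_Filter_Input's own code), here is a minimal PHP "cage" that follows the is/no/get/test prefix convention described above, with the raw array kept private so that the habit Chris warns about in the $_GET/$_POST thread (developers assuming the superglobals are already filtered) has nothing to latch onto. The class name and any method not named in the thread are assumptions.

```php
<?php
// Added example, not Zend_Filter_Input's own code: a minimal input "cage".
//   is*   whitelist check, strictly boolean
//   no*   blacklist, returns the value with unwanted parts removed
//   get*  blind extraction of only the wanted characters
//   test* like is*, but releases the valid value itself, or false
// The raw array is private: data leaves the cage only through these methods.
final class InputCage
{
    private array $source;

    public function __construct(array $source)
    {
        $this->source = $source;
    }

    public function keyExists(string $key): bool
    {
        return array_key_exists($key, $this->source);
    }

    public function isAlpha(string $key): bool
    {
        return $this->keyExists($key) && ctype_alpha((string) $this->source[$key]);
    }

    public function testAlpha(string $key)
    {
        return $this->isAlpha($key) ? $this->source[$key] : false;
    }

    public function getAlpha(string $key): string
    {
        return preg_replace('/[^a-zA-Z]/', '', (string) ($this->source[$key] ?? ''));
    }

    public function noTags(string $key): string
    {
        return strip_tags((string) ($this->source[$key] ?? ''));
    }
}

// Constructed sample standing in for $_POST.
$post = new InputCage(['name' => 'Chris<b>!</b>', 'btnSave' => 'Save']);
var_dump($post->keyExists('btnSave'));  // was the button submitted?
var_dump($post->testAlpha('name'));     // rejected: markup is not alphabetic
var_dump($post->getAlpha('name'));      // only the letters survive
var_dump($post->noTags('name'));        // tags stripped, punctuation kept
```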
Re: [fw-general] Zend_Filter_Input
Craig Slusher wrote:

> I use Zend_Filter_Input to process my $_POST data. If I want to
> find out if a certain button was clicked, what is the best way
> to check?
>
> if ($post->getRaw('btnSave') !== false) { ... }
>
> Is this the correct way to check for button clicks?

I think you're asking how to tell if a key exists. If so, there is a method called keyExists() that will perform this check for you.

On a related note, I wish this method were named something like isKey() to better conform to the existing naming convention. I've been hesitant to enter this as a bug, but perhaps others agree. (I think the strict naming convention is one of the benefits of using ZF for this stuff.)

Chris
Re: [fw-general] Filter_Input::testEmail() and Filter::isEmail()
Gavin Vess wrote:

> http://www.nabble.com/forum/ViewPost.jtp?post=5512516&framed=y&skin=16154
>
> Still looking for a community volunteer to help contact the 3 authors
> above, and review their popular implementations.

I'll contact Cal. Assuming he agrees to sign the CLA, that should mean that any of us can review and compare his implementation, right?

Chris
Re: [fw-general] Zend_Filter testBetween()
Jeff Busby wrote:

> Not sure if I'm missing something here but is this method complete?

In addition to what else has been said, I can add that I did not implement a strlen() equivalent method, because I feel like that is too lenient as a criteria for pulling input from the "cage."

I haven't kept up very well lately, but if we want to provide a more sophisticated solution (not as a substitute for the simple solution) that allows people to chain filters, a strlen() equivalent would make sense. (This solution might already exist, since I think Christopher had something like this planned.)

Chris
Re: [fw-general] Filter_Input::testEmail() and Filter::isEmail()
Lars Strojny wrote:

> I know, there is a multipage-solution for regular expression for email
> addresses but wouldn't it fit to use something like /^[0-9a-z
> [EMAIL PROTECTED]/ until we have the real solution? And:
> Input_Filter::testName() should also allow umlauts and accents, should I
> open a ticket?

For the record, I never implemented isEmail(), because I think we should ask Cal Henderson if he'd mind signing the CLA:

http://iamcal.com/publish/articles/php/parsing_email/

Chris