Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Thomas Weidner

Try getUnescapedValue() to get the unescaped value.

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

- Original Message - 
From: Serkys sergeym...@gmail.com

To: fw-general@lists.zend.com
Sent: Friday, September 04, 2009 11:27 AM
Subject: [fw-general] Zend_Filter_Input and EscapeFilter




Hello.

I use Zend_Filter_Input and don't want to use escapeFilter. But
Zend_Filter_Input requires it. How can I make it optional?
--
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-EscapeFilter-tp25291137p25291137.html
Sent from the Zend Framework mailing list archive at Nabble.com. 




Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Justin

I think you mean the getUnescaped() method :-)

Thomas Weidner wrote:

Try getUnescapedValue() to get the unescaped value.

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

- Original Message - From: Serkys sergeym...@gmail.com
To: fw-general@lists.zend.com
Sent: Friday, September 04, 2009 11:27 AM
Subject: [fw-general] Zend_Filter_Input and EscapeFilter




Hello.

I use Zend_Filter_Input and don't want to use escapeFilter. But
Zend_Filter_Input requires it. How can I make it optional?






Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Serkys

I know this method, but I can't use it. I don't want use escaper. Can I it?


thomasW wrote:
 
 Try getUnescapedValue() to get the unescaped value.
 
 Greetings
 Thomas Weidner, I18N Team Leader, Zend Framework
 http://www.thomasweidner.com
 
 - Original Message - 
 From: Serkys sergeym...@gmail.com
 To: fw-general@lists.zend.com
 Sent: Friday, September 04, 2009 11:27 AM
 Subject: [fw-general] Zend_Filter_Input and EscapeFilter
 
 

 Hello.

 I use Zend_Filter_Input and don't want to use escapeFilter. But
 Zend_Filter_Input requires it. How can I make it optional?
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-EscapeFilter-tp25291137p25291333.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Thomas Weidner

I don't understand...
You don't want to have escaped values, but you also don't want to have 
unescaped values ?


Do you want to have any value ???
What do you precisely want ?

Maybe it would be more clear when you give an example.

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

- Original Message - 
From: Serkys sergeym...@gmail.com

To: fw-general@lists.zend.com
Sent: Friday, September 04, 2009 11:40 AM
Subject: Re: [fw-general] Zend_Filter_Input and EscapeFilter




I know this method, but I can't use it. I don't want use escaper. Can I 
it?



thomasW wrote:


Try getUnescapedValue() to get the unescaped value.

Greetings
Thomas Weidner, I18N Team Leader, Zend Framework
http://www.thomasweidner.com

- Original Message - 
From: Serkys sergeym...@gmail.com

To: fw-general@lists.zend.com
Sent: Friday, September 04, 2009 11:27 AM
Subject: [fw-general] Zend_Filter_Input and EscapeFilter




Hello.

I use Zend_Filter_Input and don't want to use escapeFilter. But
Zend_Filter_Input requires it. How can I make it optional?










Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Serkys

It's not important for me, escaped or unescaped values I will use.
I think I can don't use escaper, because it's not need for me. I wanna
disable escaper.


thomasW wrote:
 
 I don't understand...
 You don't want to have escaped values, but you also don't want to have 
 unescaped values ?
 
 Do you want to have any value ???
 What do you precisely want ?
 
 Maybe it would be more clear when you give an example.
 
 Greetings
 Thomas Weidner, I18N Team Leader, Zend Framework
 http://www.thomasweidner.com
 
 - Original Message - 
 From: Serkys sergeym...@gmail.com
 To: fw-general@lists.zend.com
 Sent: Friday, September 04, 2009 11:40 AM
 Subject: Re: [fw-general] Zend_Filter_Input and EscapeFilter
 
 

 I know this method, but I can't use it. I don't want use escaper. Can I 
 it?


 thomasW wrote:

 Try getUnescapedValue() to get the unescaped value.

 Greetings
 Thomas Weidner, I18N Team Leader, Zend Framework
 http://www.thomasweidner.com

 - Original Message - 
 From: Serkys sergeym...@gmail.com
 To: fw-general@lists.zend.com
 Sent: Friday, September 04, 2009 11:27 AM
 Subject: [fw-general] Zend_Filter_Input and EscapeFilter



 Hello.

 I use Zend_Filter_Input and don't want to use escapeFilter. But
 Zend_Filter_Input requires it. How can I make it optional?




 
 
 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-EscapeFilter-tp25291137p25291644.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Justin
The default behavior of zend_input_filter is escaping the data, it's not 
possible to disable this behavior in a way of setEscape( false ) or 
something like that.
As Thomas and I told you, the easiest way of getting unescaped data is 
to call the getUnescaped( $key ) method.


There is an other way of 'disabling' the default escape behavior.
You could create a custom class My_Filter_DoNothing, which implements 
the Zend_Filter_Interface and set that filter as the default escape 
filter (see the setDefaultEscapeFilter() method ).
The filter( $value ) method of this class returns the $value directly, 
without modifications.
The data will still be 'filtered' when you call $input->{key} or 
$input->getEscaped( $key ), but the used filter does nothing


Justin


Serkys wrote:

It's not important for me, escaped or unescaped values I will use.
I think I can don't use escaper, because it's not need for me. I wanna
disable escaper.

  




Re: [fw-general] Zend_Filter_Input and EscapeFilter

2009-09-04 Thread Serkys


Justin Verweel wrote:
 
 There is an other way of 'disabling' the default escape behavior.
 You could create a custom class My_Filter_DoNothing, which implements 
 the Zend_Filter_Interface and set that filter as the default escape 
 filter (see the setDefaultEscapeFilter() method ).
 The filter( $value ) method of this class returns the $value directly, 
 without modifications.
 The data will still be 'filtered' when you call $input->{key} or 
 $input->getEscaped( $key ), but the used filter does nothing
 

I think it's crutch, but isn't good way.

Thank you.
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-EscapeFilter-tp25291137p25293241.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input problem in Zend Framework 1.9

2009-08-06 Thread Matthew Weier O'Phinney
-- nickt66 nick...@yahoo.com wrote
(on Thursday, 06 August 2009, 12:52 PM -0700):
 I've run into a problem with Zend_Filter_Input and the ZF1.9 release. I have
 various controller actions that start by doing something like this:
 
 $input =  new Zend_Filter_Input(array('lesson' => 'digits'), array('lesson'
 => 'int'), $this->getRequest()->getUserParams()); 
 
 and then go on to use retrieved params like this: $input->lesson 
 
 This code has worked fine on various versions of the Framework up until 1.9.
 Now, on 1.9 running on Production (PHP 5.2.1) $input->lesson is NULL. 
 
 If I dump out $input, the debug output is identical under 1.8 and 1.9. (see
 below for output). And in either case I can see the correct value for
 lesson. But when I retrieve it, as above, I get NULL.
 
 Even more curiously, the code continues to work fine with 1.9 on my
 development machine (OS X 10.4.11, PHP 5.2.4).

Please note that ZF versions >= 1.7.0 have a minimum required PHP
version of 5.2.4. While a lot of functionality works fine with earlier
versions of PHP, we cannot guarantee it will work correctly unless you
are using at least version 5.2.4. If your production server is running
PHP 5.2.1, you will either need to:

 * upgrade your PHP version to a 5.2.4 or greater
 * use a version of ZF < 1.7.0

 Obviously it is a show stopper for me as none of my controller actions can
 retrieve URL params any more! I'm a newbie, so this kind of system specific
 problem has me scratching my head.

-- 
Matthew Weier O'Phinney
Project Lead| matt...@zend.com
Zend Framework  | http://framework.zend.com/


Re: [fw-general] Zend_Filter_Input: problem with presence required and null values

2009-07-20 Thread Jordan Moore
I created an issue in the issue tracker on June 26th, and there have
been multiple emails on the mailing list about this BC break.

http://framework.zend.com/issues/browse/ZF-7135

Unfortunately, it appears that nobody thinks it's significant enough to fix.

On Mon, Jul 20, 2009 at 10:45 AM, Jonas Fischer <jonas.fisc...@gmail.com> wrote:
 Hi,

 $validators = array(
  'requiredFieldName' => array('presence' => 'required', 'allowEmpty' => true)
 )

 Before Zend Framework Version 1.8.2 this validator definition worked
 fine for me but in later versions it does not work with null values.

 Prior to r15646 the presence of a value was checked using
 array_key_exists() but now it is checked using isset().

 This results in null values being recognized as not present. Is this
 intended? And if so, how can I check that a field is specified (but
 can be null, false, 0 etc.)?

 Has anybody a solution to this problem?

 Thanks in advance.


 Best regards,

 Jonas




-- 
Jordan Ryan Moore


Re: [fw-general] Zend_Filter_Input: problem with presence required and null values

2009-07-20 Thread David Mintz
On Mon, Jul 20, 2009 at 2:04 PM, Jordan Moore <jordanryanmo...@gmail.com> wrote:

 I created an issue in the issue tracker on June 26th, and there have
 been multiple emails on the mailing list about this BC break.

 http://framework.zend.com/issues/browse/ZF-7135

 Unfortunately, it appears that nobody thinks it's significant enough to
 fix.


Meaning that it isn't slated for fixing in 1.9? My, that truly sucks.

-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness


Re: [fw-general] Zend_Filter_Input and Arrays

2008-09-23 Thread Bryce Lohr




Glad to help! Incidentally, I already have a few implementations of
such validator decorators in the Laboratory here:

http://framework.zend.com/svn/framework/laboratory/library/Zend/Validate/

See the file Array.php, which does exactly what I had mentioned.

Regards,
Bryce Lohr


cvogt wrote:

  Hej Bryce,

  
  
Another, perhaps simpler, approach would be to create an array-aware 
decorator that decorates a validator object with the ability to validate 
arrays. That might be the easiest way to let a scalar-only validator 
automatically validate each element of a given array.

  
  
you are right, decorators seem to be the way to go. I implemented it this
way and added it as a feature request including code to the issue tracker.

http://framework.zend.com/issues/browse/ZF-4354

Best Regards

Christopher
  





Re: [fw-general] Zend_Filter_Input and Arrays

2008-09-22 Thread cvogt

Hej Bryce,

 Another, perhaps simpler, approach would be to create an array-aware 
 decorator that decorates a validator object with the ability to validate 
 arrays. That might be the easiest way to let a scalar-only validator 
 automatically validate each element of a given array.

you are right, decorators seem to be the way to go. I implemented it this
way and added it as a feature request including code to the issue tracker.

http://framework.zend.com/issues/browse/ZF-4354

Best Regards

Christopher
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-Arrays-tp17131495p19619388.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and Arrays

2008-08-14 Thread cvogt


Kevin McArthur-2 wrote:
 
 Is there a way to validate array inputs with Zend_Filter_Input?
 [...]
 This info might be in the manual, but I can't seem to locate it.
 

Hej Kevin,

if it's not in the Manual, read the code :). I also wanted to validate and
filter arrays and I found that the way Zend_Filter_Input handles arrays is
determined in the methods _validateRule and _filterRule. I have to mention
that these investigations are based on SVN Revision 6309, 2007-09-11
20:38:27Z.

In _validateRule you can find is_array($field) and in _filterRule you can
find is_array($this->_data[$field]). This is the point where
Zend_Filter_Input distinguishes normal values and arrays.

The way Zend_Filter_Input actually handles arrays is that it applies the
validation or filter to every element of the array. However it only handles
1-dimensional arrays. In case of multidimensional arrays it passes the
arrays of the second dimension to the validators and filters. This can lead
to some nasty bugs if you are not perfectly aware of this. For example
Zend_Validate_Alpha casts the value it is supposed to validate to a string.
If the value is an array it is cast to the string 'Array' which of course
passes the alpha validation even though an array is not clearly alpha,
especially if it contains numbers like array(5).

I plan to extend Zend_Filter_Input in order to enable array validation and
filtering. My idea is to overwrite the methods _validateRule and _filterRule
in a subclass. The simplest way to allow array validation and filtering
would be if the methods just wrap the value into an additional array like
array( $value ) and pass it to the parent method. This way Zend_Filter_Input
would always pass the real value to validators and filter, since it only
recurses the first dimension.

However this leaves the bug described above which makes some validators
falsely accept arrays as valid. This could be countered by making the new
methods _validateRule and _filterRule distinguish filters and validators,
which can handle arrays from those which cannot and then react in some way
in case of a problem. The distinction could for example be done by making
array-aware validators and filters implement a certain interface. I haven't
yet thought this through completely.

I hope this helps :).

Best regards

Christopher

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-Arrays-tp17131495p18992326.html
Sent from the Zend Framework mailing list archive at Nabble.com.
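
The array pitfall described in the message above, as an added example that is not part of the original post and is not Zend Framework code: `alphaLoose()` imitates a scalar-only validator that casts its input to a string, `validateOneLevel()` imitates the one-dimension iteration the post describes, and the `ArrayAwareValidator` decorator rejects nested or non-scalar values instead of casting them. All function and class names are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Zend Framework code. All names are hypothetical.

/** Scalar-only validator that casts first, as the post describes for Alpha. */
function alphaLoose($value): bool
{
    // An array cast to string becomes the literal "Array"; PHP also emits an
    // "Array to string conversion" diagnostic, which is silenced here.
    $string = is_array($value) ? @(string) $value : (string) $value;
    return preg_match('/^[A-Za-z]+$/', $string) === 1;
}

/** Same rule, but the type is checked before the content. */
function alphaStrict($value): bool
{
    return is_string($value) && preg_match('/^[A-Za-z]+$/', $value) === 1;
}

/** Imitates the handling described in the post: iterate the first dimension only. */
function validateOneLevel(callable $validator, $fieldValue): bool
{
    $elements = is_array($fieldValue) ? $fieldValue : [$fieldValue];
    foreach ($elements as $element) {
        if (!$validator($element)) {
            return false;
        }
    }
    return true;
}

/** Decorator: applies a scalar validator to every element, down to a declared depth. */
final class ArrayAwareValidator
{
    /** @var callable */
    private $inner;
    private int $maxDepth;

    public function __construct(callable $inner, int $maxDepth = 1)
    {
        $this->inner = $inner;
        $this->maxDepth = $maxDepth;
    }

    public function isValid($value, int $depth = 0): bool
    {
        if (!is_array($value)) {
            // Only scalars reach the wrapped validator; null and objects are rejected.
            return is_scalar($value) && ($this->inner)($value);
        }
        if ($depth >= $this->maxDepth || $value === []) {
            // Deeper nesting than the field declares, or nothing to validate.
            return false;
        }
        foreach ($value as $element) {
            if (!$this->isValid($element, $depth + 1)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed sample inputs, shaped the way PHP parses these query strings.
$samples = [
    'tags[]=abc&tags[]=def'    => ['abc', 'def'],
    'tags[0][]=5'              => [['5']],
    'tags[]=abc&tags[1][]=123' => ['abc', ['123']],
];
$decorated = new ArrayAwareValidator('alphaStrict', 1);

foreach ($samples as $query => $value) {
    printf(
        "%-26s loose=%-5s decorated=%s\n",
        $query,
        var_export(validateOneLevel('alphaLoose', $value), true),
        var_export($decorated->isValid($value), true)
    );
}
```

The two nested inputs pass the loose path because each inner array is compared as the string "Array"; the decorator rejects them because they exceed the declared depth of one.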



Re: [fw-general] Zend_Filter_Input and Arrays

2008-08-14 Thread cvogt

I was a little too quick with my idea of wrapping $value into an array.
Apparently it is not that easy :). But still overwriting _validateRule and
_filterRule is the right way to solve it in a custom solution.

The permanently best thing however would be to write a patch that factors
out array handling into a Strategy and propose it to the Zend Framework
developers. Let's see if I find the time to do this.

Christopher
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-Arrays-tp17131495p18992433.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input Checkboxes

2008-04-12 Thread SiCo007

Ok I've fixed it, the problem was actually a change to the formCheckbox view
helper which used to add a hidden element for when the checkbox was
unchecked. Now it's simply a checkbox so as far as ZFI is concerned it's not
been 'unchecked'.

To fix this I loop through the form data looking for the checkboxes and
setting them to an empty string or 0. Is there a better way to do this?

How else would you filter and validate a checkbox?

Thanks
Simon

-
Simon Corless

http://www.ajb007.co.uk/
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-Checkboxes-tp1660p16647532.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and Unicode

2008-03-26 Thread Karl Katzke
I'll run some tests on it tomorrow, but I think that Zend_Filter_Input pulls
from the post variables in the request object, which are processed before
the $_POST variable that you set above would be set.

Unicode issues are *tricky* to get pinned down. You also need to have the
right charset being passed in the headers from the server, the right
override in your browser, etc. so on so forth. We've had problems with a
bunch of our servers when they were going through a misconfigured squid
cache that stripped the UTF-8 headers off ... but only when you hit it with
a request for the site in the Turkish charset. All kinds of things could
cause the behaviour you're seeing. And knowing how much translation and
internationalization that is happening, I think we'd have seen this fairly
simple case show up before now.

-K

On Tue, Mar 25, 2008 at 11:53 PM, Philip G [EMAIL PROTECTED] wrote:


 Well, the script I wrote was a hack job to show what I was doing.
 Technically, the data is being passed through _POST. Are you saying the only
 way to get this to work is to Unicode the scripts on the file system? I
 never heard of that requirement.

 I'm trying to make a form submit function more unicode friendly. I have
 the required UTF-8 accept charset in place. I have verified that 'Bertrán'
 is being passed across properly. I even verified that PHP doesn't mess with
 it (by printing out _POST). However, once it goes through the filter
 process, it gets stripped.

 Philip


 On Tue, Mar 25, 2008 at 7:20 PM, Guillaume Rossolini 
 [EMAIL PROTECTED] wrote:

  Hi,
 
  I suppose the script is encoded as Unicode in your filesystem?  Your
  sample code fails if encoded as ANSI, but succeeds if encoded as UTF-8.
 
  <?php
  require_once 'Zend/Filter/Input.php';
 
  $_POST['first_nm'] = "Bertrán";
 
  $filters = array ( 'first_nm' => 'Alpha' );
  $validators = array( 'first_nm' => array ('Alpha', 'presence' =>
  'required') );
  $input = new Zend_Filter_Input($filters, $validators, $_POST);
 
  echo $input->isValid() ? 'ok' : 'dead';
 
 
  Regards,
 
 
 
 
  On 3/25/08, Philip G [EMAIL PROTECTED] wrote:
  
  
   I'm trying to get a form to validate with unicode characters.
  
   For a very simple example, I have:
  
   $_POST['first_nm'] = "Bertrán";
  
   $filters = array ( 'first_nm' => 'Alpha' );
   $validators = array( 'first_nm' => array ('Alpha', 'presence' =>
   'required') );
   $input = new Zend_Filter_Input($filters, $validators, $_POST);
  
  
   Now, a simple $input->isValid() call and it fails. Returns: [first_nm]
   => Array ( [stringEmpty] => ' ' is an empty string )
  
   Is there something special I need to do in order to get
   Zend_Filter_Input to understand UTF-8? I've checked the data being passed 
   to
   PHP; it is valid. I checked the code and it seems to do some utf8 check, 
   but
   apparently it's not working for some reason.
  
   Thanks
  
   --
   Philip
   [EMAIL PROTECTED]
   http://www.gpcentre.net/
 
 
 
 
  --
  Guillaume Rossolini




 --
 Philip
 [EMAIL PROTECTED]
 http://www.gpcentre.net/



Re: [fw-general] Zend_Filter_Input and Unicode

2008-03-26 Thread Philip G
I've discovered my issue is related to the /u switch. Interestingly enough,
the moment I add /u it no longer matches anything, and returns an empty
string. I've even added A-z, a-zA-Z, and [:alpha:] to the pattern at
different times. If I remove the 'u' (unicode switch) from the pattern, I
get the ascii chars back. But if I put it in, it strips out everything:

Returning: 'Bertr'; from: 'Bertrán '; pattern; /[^\p{L}]/
Returning: '''; from: 'Bertrán ''; pattern; /[^\p{L}]/u

Maybe this will narrow down more exactly what's going on. It's really hard
Googling this issue.

Philip

On Wed, Mar 26, 2008 at 1:44 AM, Karl Katzke [EMAIL PROTECTED] wrote:

 I'll run some tests on it tomorrow, but I think that Zend_Filter_Input
 pulls from the post variables in the request object, which are processed
 before the $_POST variable that you set above would be set.

 Unicode issues are *tricky* to get pinned down. You also need to have the
 right charset being passed in the headers from the server, the right
 override in your browser, etc. so on so forth. We've had problems with a
 bunch of our servers when they were going through a misconfigured squid
 cache that stripped the UTF-8 headers off ... but only when you hit it with
 a request for the site in the Turkish charset. All kinds of things could
 cause the behaviour you're seeing. And knowing how much translation and
 internationalization that is happening, I think we'd have seen this fairly
 simple case show up before now.

 -K

 On Tue, Mar 25, 2008 at 11:53 PM, Philip G [EMAIL PROTECTED] wrote:

 
  Well, the script I wrote was a hack job to show what I was doing.
  Technically, the data is being passed through _POST. Are you saying the only
  way to get this to work is to Unicode the scripts on the file system? I
  never heard of that requirement.
 
  I'm trying to make a form submit function more unicode friendly. I have
  the required UTF-8 accept charset in place. I have verified that 'Bertrán'
  is being passed across properly. I even verified that PHP doesn't mess with
  it (by printing out _POST). However, once it goes through the filter
  process, it gets stripped.
 
  Philip
 
 
  On Tue, Mar 25, 2008 at 7:20 PM, Guillaume Rossolini 
  [EMAIL PROTECTED] wrote:
 
   Hi,
  
   I suppose the script is encoded as Unicode in your filesystem?  Your
   sample code fails if encoded as ANSI, but succeeds if encoded as UTF-8.
  
   <?php
   require_once 'Zend/Filter/Input.php';
  
   $_POST['first_nm'] = "Bertrán";
  
   $filters = array ( 'first_nm' => 'Alpha' );
   $validators = array( 'first_nm' => array ('Alpha', 'presence' =>
   'required') );
   $input = new Zend_Filter_Input($filters, $validators, $_POST);
  
   echo $input->isValid() ? 'ok' : 'dead';
  
  
   Regards,
  
  
  
  
   On 3/25/08, Philip G [EMAIL PROTECTED] wrote:
   
   
I'm trying to get a form to validate with unicode characters.
   
For a very simple example, I have:
   
$_POST['first_nm'] = "Bertrán";
   
$filters = array ( 'first_nm' => 'Alpha' );
$validators = array( 'first_nm' => array ('Alpha', 'presence' =>
'required') );
$input = new Zend_Filter_Input($filters, $validators, $_POST);
   
   
Now, a simple $input->isValid() call and it fails. Returns:
[first_nm] => Array ( [stringEmpty] => ' ' is an empty string )
   
Is there something special I need to do in order to get
Zend_Filter_Input to understand UTF-8? I've checked the data being 
passed to
PHP; it is valid. I checked the code and it seems to do some utf8 
check, but
apparently it's not working for some reason.
   
Thanks
   
--
Philip
[EMAIL PROTECTED]
http://www.gpcentre.net/
  
  
  
  
   --
   Guillaume Rossolini
 
 
 
 
  --
  Philip
  [EMAIL PROTECTED]
  http://www.gpcentre.net/
 




-- 
Philip
[EMAIL PROTECTED]
http://www.gpcentre.net/
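
One way the behaviour reported in this thread can arise, shown as an added example that is not part of the original posts and is not Zend Framework code: with the `/u` modifier, `preg_replace()` returns NULL when the subject is not valid UTF-8, and that NULL later reads as an empty string. The function names are hypothetical and the sample byte strings are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, sample bytes are constructed.

/** Strip everything that is not a Unicode letter, the way an "Alpha" filter would. */
function alphaFilterNaive(string $value): string
{
    // With /u, preg_replace() returns null for a subject that is not valid
    // UTF-8. The cast turns that null into '' and the real cause is lost.
    return (string) preg_replace('/[^\p{L}]/u', '', $value);
}

/** Same filter, but an encoding problem is reported instead of swallowed. */
function alphaFilterChecked(string $value): string
{
    // An empty pattern with /u matches any valid UTF-8 string and fails on
    // an invalid one, so it works as an encoding check without mbstring.
    if (preg_match('//u', $value) !== 1) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    $result = preg_replace('/[^\p{L}]/u', '', $value);
    if ($result === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

// The same text, "Bertrán " with a trailing space, in two encodings.
$samples = [
    'UTF-8'      => "Bertr\xC3\xA1n ",
    'ISO-8859-1' => "Bertr\xE1n ",
];

foreach ($samples as $label => $bytes) {
    $naive   = alphaFilterNaive($bytes);
    // preg_last_error() still refers to the preg_replace() call made above.
    $badUtf8 = preg_last_error() === PREG_BAD_UTF8_ERROR;

    try {
        $checked = 'hex ' . bin2hex(alphaFilterChecked($bytes));
    } catch (InvalidArgumentException $e) {
        $checked = 'rejected: ' . $e->getMessage();
    }

    printf(
        "%-10s naive=%-18s bad_utf8=%-5s checked=%s\n",
        $label,
        $naive === '' ? '(empty string)' : 'hex ' . bin2hex($naive),
        var_export($badUtf8, true),
        $checked
    );
}
```

Results are printed as hex so the output does not depend on the terminal's own encoding.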


Re: [fw-general] Zend_Filter_Input and Unicode

2008-03-25 Thread Philip G
Well, the script I wrote was a hack job to show what I was doing.
Technically, the data is being passed through _POST. Are you saying the only
way to get this to work is to Unicode the scripts on the file system? I
never heard of that requirement.

I'm trying to make a form submit function more unicode friendly. I have the
required UTF-8 accept charset in place. I have verified that 'Bertrán' is
being passed across properly. I even verified that PHP doesn't mess with it
(by printing out _POST). However, once it goes through the filter process,
it gets stripped.

Philip


On Tue, Mar 25, 2008 at 7:20 PM, Guillaume Rossolini [EMAIL PROTECTED]
wrote:

 Hi,

 I suppose the script is encoded as Unicode in your filesystem?  Your
 sample code fails if encoded as ANSI, but succeeds if encoded as UTF-8.

 <?php
 require_once 'Zend/Filter/Input.php';

 $_POST['first_nm'] = "Bertrán";

 $filters = array ( 'first_nm' => 'Alpha' );
 $validators = array( 'first_nm' => array ('Alpha', 'presence' =>
 'required') );
 $input = new Zend_Filter_Input($filters, $validators, $_POST);

 echo $input->isValid() ? 'ok' : 'dead';


 Regards,




 On 3/25/08, Philip G [EMAIL PROTECTED] wrote:
 
 
  I'm trying to get a form to validate with unicode characters.
 
  For a very simple example, I have:
 
  $_POST['first_nm'] = "Bertrán";
 
  $filters = array ( 'first_nm' => 'Alpha' );
  $validators = array( 'first_nm' => array ('Alpha', 'presence' =>
  'required') );
  $input = new Zend_Filter_Input($filters, $validators, $_POST);
 
 
  Now, a simple $input->isValid() call and it fails. Returns: [first_nm]
  => Array ( [stringEmpty] => ' ' is an empty string )
 
  Is there something special I need to do in order to get
  Zend_Filter_Input to understand UTF-8? I've checked the data being passed to
  PHP; it is valid. I checked the code and it seems to do some utf8 check, but
  apparently it's not working for some reason.
 
  Thanks
 
  --
  Philip
  [EMAIL PROTECTED]
  http://www.gpcentre.net/




 --
 Guillaume Rossolini




-- 
Philip
[EMAIL PROTECTED]
http://www.gpcentre.net/


Re: [fw-general] Zend_Filter_Input and messages

2008-03-09 Thread fugazied


The only way I have found to get around the misbehaving notEmpty message
template found in validators like Digits and Alnum is to manually set it.  

Surely there must be another way, with the templates in options not working
for me, I have to manually set every notEmpty message which adds quite a few
lines on a complex form.  Setting options for the notEmpty messages isn't
working, have I missed something?

Looking forward to a reply from someone :)
The code below works, but shouldn't the 'notEmptyMessage' template have
picked up on the notEmpty message from the digits validator and replaced it?

Code:

$options = array(
    'notEmptyMessage' => "A non-empty value is required for field '%field%'",
    'missingMessage' => "'%field%' is missing",
    'presence' => 'required',
    'breakChainOnFailure' => true,
    'allowEmpty' => false,
);

$validators = array(
    'month' => array(
        'Digits',
        array('Between', array(1, 12)),
        'messages' => array(
            // WORKS, but without this I just get the default not empty
            // message from the digits validator!
            array( Zend_Validate_Digits::STRING_EMPTY => 'A month value is required' ),
            'Month must be between 1 and 12'
        )
    )
);

$input = new Zend_Filter_Input($filters, $validators, $_POST, $options);





fugazied wrote:
 
 
 I know its bad discussion etiquette, but does anyone have a possible  
 solution to my problem below?  I have tried it with 1.5 RC 1 and still 
 have the same issue.
 
 fugazied wrote:
 I am having some issues with the custom messaging and Zend Input Filter. 
 Probably something obvious I am missing, but a search couldn't help me
 find
 a solution.  Some Code:

 // 
 $validators = array(
     'email' => array('EmailAddress', 'presence' => 'required',
         'allowEmpty' => false ),
     'month' => array('Digits', 'presence' => 'required',
         'allowEmpty' => false,
         array('Between', 1, 10) )
 );

 $options = array(
     'missingMessage' => "Field '%field%' is required",
     'notEmptyMessage' => "A non-empty value is required for field '%field%'"
 );
  
 $input = new Zend_Filter_Input(null, $validators);
 $input->setOptions($options);
 $input->setData($_POST);

 if ($input->hasInvalid() || $input->hasMissing()) {
   $invalidFields = $input->getInvalid();
   Zend_Debug::dump($invalidFields);

 /*
 Produces - 
 array(2) {
   ["email"] => array(1) {
     ["emailAddressInvalid"] => string(71) "'' is not a valid email address in the basic format [EMAIL PROTECTED]"
   }
   ["month"] => array(2) {
     ["stringEmpty"] => string(21) "'' is an empty string"
     ["notBetween"] => string(43) "'' is not between '1' and '10', inclusively"
   }
 }
 */
 }
 // 

 I was under the impression that my custom messages would replace the  ''
 is
 an empty string .
 And to avoid the other error messages appearing, display empty ' ' field
 values I need to chain the validators correct?

 Thanks!


   
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-messages-tp15782618s16154p15921984.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and messages

2008-03-09 Thread Lepidosteus
I did not fully understand what you are trying to achieve here ?

Do you try without success to change an error message ? To allow an
empty value ? To disallow an empty value ?

-- 
Vianney Devreese - Lepidosteus
http://lepidosteus.com


Re: [fw-general] Zend_Filter_Input and messages

2008-03-09 Thread Paul Fitzpatrick


Hi,

The intention is to create a custom message template for missing input 
values for Zend_Filter_Input.  I would hope to set the 'notEmptyMessage' 
meta attribute in the $options array getting fed to Zend_Filter_Input.  
I thought the meta attribute would have allowed me to create default 
messages for every missing input value, but it did not work, I kept 
receiving default messages from some validators.


Some validator types (Digits, Alnum) have a notEmpty validator whose 
message is used instead of the notEmptyMessage message template I 
defined in the options array.


After a few hours of puzzlement, I checked the bugs affecting 
Zend_Filter_Input and yes there is a bug report for it.
I should have checked the outstanding bugs, something I will remember to 
do next time because I did spend a chunk of time wondering if I was 
doing something wrong.


The bug: http://framework.zend.com/issues/browse/ZF-1912

The workaround is to set each message type manually, a bit of pain and 
extra code but the fix in the Zend framework should be coming soon I hope.


//  Works.
$validators = array(
    'month' => array(
        'Digits',
        array('Between', array(1, 12)),
        'messages' => array(
            array(
                Zend_Validate_Digits::STRING_EMPTY => 'A month value is required',
                Zend_Validate_Digits::NOT_DIGITS => 'Month must only consist of numbers or letters'
            ),
            'Month must be between 1 and 12'
        )
    )
);

Thanks.
Paul


Lepidosteus wrote:

I did not fully understand what you are trying to achieve here ?

Do you try without success to change an error message ? To allow an
empty value ? To disallow an empty value ?

  




Re: [fw-general] Zend_Filter_Input 'presence'='required'

2008-03-08 Thread thurting

Try 'missingMessage' if you are still having problems.


thurting wrote:
 
 Hi Brian,
 
 You can change the relative message by setting it as an option of your
 Zend_Filter_Input instance.  This can be done during instantiation or
 through the setOptions() method.  You can not set different messages for
 different filters/validators - only one message format per instance.  You
 may want to use Zend_Validate_NotEmpty if you need more flexibility. 
 There is sample code in the docs, but I will post it here to save you the
 trouble.
 
 
 <?php
 $options = array(
     'notEmptyMessage' => "A non-empty value is required for field '%field%'"
 );
 
 $input = new Zend_Filter_Input($filters, $validators, $data, $options);
 
 // alternative method:
 
 $input = new Zend_Filter_Input($filters, $validators, $data);
 $input->setOptions($options);
 
 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-%27presence%27%3D%3E%27required%27-tp15865637s16154p15912885.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input 'presence'=>'required'

2008-03-06 Thread SiCo007

Brian you need to take a look at the message system that accompanies the
filter_input

http://framework.zend.com/manual/en/zend.filter.input.html#zend.filter.input.metacommands.messages

Then it's just a case of specifying the correct message for the correct
action. Sometimes you will need to look in the validator to check what
messages it sets up.

Simon


brian3f wrote:
 
 I'm using Zend_Filter_Input to validate form data.  I'm trying to use the
 'presence' => 'required', metacommand.  My problem is, the error message
 generated by this command includes the actual field name that is being
 checked.  My field name is something 'first_name' but I want to display
 'First Name'.  Here is some pseudo code representing what I'm doing.


-
Simon Corless

http://www.ajb007.co.uk/
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-%27presence%27%3D%3E%27required%27-tp15865637s16154p15873112.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input 'presence'=>'required'

2008-03-06 Thread brian3f

I'm still having trouble with this.  I can set error messages for individual
validators that I use, like the documentation describes:

<?php
$validators = array(
    'month' => array(
        'digits',
        'messages' => 'A month must consist only of digits'
    )
);

However, I'm unable to do this for the metacommand 'presence'.  When I
change the code above to check for presence and try to supply an error
message: 

<?php
$validators = array(
    'month' => array(
        'digits',
        'presence' => 'required',
        'messages' => array('A month must consist only of digits',
            array('missingMessage' => "A value is required for field 'Month'"))
    )
);

I get the error message: Fatal error: Uncaught exception
'Zend_Validate_Exception' with message 'No message template exists for key
'missingMessage'' in library\Zend\Validate\Abstract.php:129

I am able to set an error message globally for the 'presence' metacommand
using:

<?php
$options = array(
    'missingMessage' => "A value is required for field '%field%'"
);

$input = new Zend_Filter_Input($filters, $validators, $data, $options);


But this doesn't allow me to put a user presentable field name into the
message.

Brian



SiCo007 wrote:
 
 Brian you need to take a look at the message system that accompanies the
 filter_input
 
 http://framework.zend.com/manual/en/zend.filter.input.html#zend.filter.input.metacommands.messages
 
 Then it's just a case of specifying the correct message for the correct
 action. Sometimes you will need to look in the validator to check what
 messages it sets up.
 
 Simon
 
 
 brian3f wrote:
 
 I'm using Zend_Filter_Input to validate form data.  I'm trying to use the
 'presence' => 'required', metacommand.  My problem is, the error message
 generated by this command includes the actual field name that is being
 checked.  My field name is something 'first_name' but I want to display
 'First Name'.  Here is some pseudo code representing what I'm doing.
 
 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-%27presence%27%3D%3E%27required%27-tp15865637s16154p15877121.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and messages

2008-03-06 Thread Paul Fitzpatrick


I know it's bad discussion etiquette, but does anyone have a possible
solution to my problem below?  I have tried it with 1.5 RC 1 and still
have the same issue.


fugazied wrote:
I am having some issues with the custom messaging and Zend Input Filter.
Probably something obvious I am missing, but a search couldn't help me find
a solution.  Some Code:

// 
$validators = array(
    'email' => array('EmailAddress', 'presence' => 'required',
        'allowEmpty' => false),
    'month' => array('Digits', 'presence' => 'required', 'allowEmpty' => false,
        array('Between', 1, 10))
);

$options = array(
    'missingMessage' => "Field '%field%' is required",
    'notEmptyMessage' => "A non-empty value is required for field '%field%'"
);

$input = new Zend_Filter_Input(null, $validators);

$input->setOptions($options);
$input->setData($_POST);

if ($input->hasInvalid() || $input->hasMissing()) {
  $invalidFields = $input->getInvalid();
  Zend_Debug::dump($invalidFields);

/*
Produces - 
array(2) {
  ["email"] => array(1) {
    ["emailAddressInvalid"] => string(71) "'' is not a valid email address
in the basic format [EMAIL PROTECTED]"
  }
  ["month"] => array(2) {
    ["stringEmpty"] => string(21) "'' is an empty string"
    ["notBetween"] => string(43) "'' is not between '1' and '10',
inclusively"
  }
}
*/
}
// 

I was under the impression that my custom messages would replace the  '' is
an empty string .
And to avoid the other error messages appearing, display empty ' ' field
values I need to chain the validators correct?

Thanks!


  




Re: [fw-general] Zend_Filter_Input 'presence'=>'required'

2008-03-06 Thread thurting

Hi Brian,

You can change the relative message by setting it as an option of your
Zend_Filter_Input instance.  This can be done during instantiation or
through the setOptions() method.  You can not set different messages for
different filters/validators - only one message format per instance.  You
may want to use Zend_Validate_NotEmpty if you need more flexibility.  There
is sample code in the docs, but I will post it here to save you the trouble.


<?php
$options = array(
    'notEmptyMessage' => "A non-empty value is required for field '%field%'"
);

$input = new Zend_Filter_Input($filters, $validators, $data, $options);

// alternative method:

$input = new Zend_Filter_Input($filters, $validators, $data);
$input->setOptions($options);

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-%27presence%27%3D%3E%27required%27-tp15865637s16154p15885531.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input, no toArray()

2008-01-02 Thread David Mintz
Aaaah, thank you for pointing out what was too obvious for me to see (-:

On Dec 28, 2007 3:31 PM, Eric Coleman [EMAIL PROTECTED] wrote:


 $row->setFromArray($input->getUnescaped())->save();

 Or, you can also call $input->getEscaped() to get an array of escaped
 values...

 You'll probably want to save the unescaped versions though ;)

 Regards,
 Eric

 On Dec 28, 2007, at 2:04 PM, David Mintz wrote:

  Any way to get all the filtered/validated data out of your
  Zend_Filter_Input
  object in one shot?
 
  It would be nice to say
 
  $input = new Zend_Filter_Input($filters, $validators, $data);
 
 
  if ($input->isValid()) {
 
     $row->setFromArray($input->toArray())->save();
 
  }
 
  and be done with it. It seems that all we need in Zend_Input_Filter is
 
  function toArray() { return $this->_data; }
 





-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness


Re: [fw-general] Zend_Filter_Input, no toArray()

2007-12-28 Thread Eric Coleman


$row->setFromArray($input->getUnescaped())->save();

Or, you can also call $input->getEscaped() to get an array of escaped
values...


You'll probably want to save the unescaped versions though ;)

Regards,
Eric

On Dec 28, 2007, at 2:04 PM, David Mintz wrote:

Any way to get all the filtered/validated data out of your  
Zend_Filter_Input

object in one shot?

It would be nice to say

$input = new Zend_Filter_Input($filters, $validators, $data);


if ($input->isValid()) {

   $row->setFromArray($input->toArray())->save();

}

and be done with it. It seems that all we need in Zend_Input_Filter is

function toArray() { return $this->_data; }



--
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness




Re: [fw-general] Zend_Filter_Input + Validator options.

2007-12-13 Thread SiCo007

I think the only real way to find the options for each filter / validator is
to check the code itself as only the actual filters and validators are
listed in the manual.

To send options to individual filters or validators encase it as an array.

'class_name' => array(array('Alnum', true), 'presence' => 'required');

And that will allow white space in the Alnum validator / filter (depending
on where you use it!).

To set options to be used globally, for which I believe only the meta
commands can be used, I will pass you to the manual as it's as clear as I can
make it (and I've never used it!).

http://framework.zend.com/manual/en/zend.filter.input.html#zend.filter.input.metacommands.global

I hope this answers your question.
Simon


Philip Gabbert wrote:
 
 (This is a resend cause I think I sent it under the wrong email address)
 
 This is kind of a two part question... First one is how do I find all
 the valid filter options? I see StringTrim and Digits within the
 examples, but I can't locate any list showing all possible options.
 
 Second is Validator, how do I send in options? Say, I use Alpha, but I
 want to include spaces, too.
 
 My Code looks like so:
 
  /* Validation Process */
  $filters = array ( 'class_name' => 'StringTrim' );
  $validators = array('class_name' => array('alnum', 'presence' =>
 'required') );
 
  /*
   * Validate input
   *  -- I would prefer a more built in way to validate input, vs
 uses the actual
   * super global.
   */
  $input = new Zend_Filter_Input($filters, $validators, $_POST);
 
 
 I need to pass in the option to enable white space in validation. How
 would I do that?
 
 --
 Philip
 [EMAIL PROTECTED]
 http://www.gpcentre.net/
 
 


-
Simon Corless

http://www.ajb007.co.uk/
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-%2B-Validator-options.-tp14309591s16154p14314127.html
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and unknown fields

2007-11-18 Thread pakmannen

Hi Laurent,

Thanks for the link. Hope that gets taken care of soon. However, I'm still
sort of confused as to how you are supposed to use Zend_Filter_Input. What
if you have a couple of fields in your form that don't need a validator,
and don't need filtering, but you want to run your escape filter on them?
Are you supposed to do something like:

$field_1 = $input->field_1;
$field_2 = Zend_Filter_HtmlEntities::filter($_POST['field_2']);
$field_3 = $input->field_3;

I dunno, but that looks sort of wrong. Would be nice to have a unified way
of doing filtering, validation AND escaping. 

Or should you just add a filter or validator to every field?

/Jens Ljungblad


Laurent Melmoux wrote:
 
 Hi pakmannen,
 
 You can have a look at this issue : 
 http://framework.zend.com/issues/browse/ZF-2128
 
 -- 
 Laurent Melmoux - [EMAIL PROTECTED]
 
 
 
 pakmannen a écrit :
 Hi all,

 Have a question regarding Zend_Filter_Input and unknown fields.
 Basically, I
 have a form with, say, five fields. I want to apply a filter on all of
 them,
 but only need to validate two. I thought I could do something like this:

 $filters = array(
     '*' => new Zend_Filter_StringTrim
 );

 $validators = array(
     'field_1' => new Zend_Validate_NotEmpty,
     'field_3' => new Zend_Validate_NotEmpty
 );

 $input = new Zend_Filter_Input($filters, $validators);

 However, only field_1 and field_3 exist in the result and are available
 for escaping and have the filter applied, the other fields end up as
 unknown.
 That is:

 $field_1 = $input->field_1; // Escaped and filtered
 $field_2 = $input->field_2; // Empty
 $field_3 = $input->field_3; // Escaped and filtered etc..

 Any way around this or have I just misunderstood how to use
 Zend_Filter_Input? 

 Edit - messed up the formatting..
   
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-and-unknown-fields-tf4821361s16154.html#a13824055
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input and unknown fields

2007-11-16 Thread Laurent Melmoux

Hi pakmannen,

You can have a look at this issue : 
http://framework.zend.com/issues/browse/ZF-2128


--
Laurent Melmoux - [EMAIL PROTECTED]



pakmannen a écrit :

Hi all,

Have a question regarding Zend_Filter_Input and unknown fields. Basically, I
have a form with, say, five fields. I want to apply a filter on all of them,
but only need to validate two. I thought I could do something like this:

$filters = array(
    '*' => new Zend_Filter_StringTrim
);

$validators = array(
    'field_1' => new Zend_Validate_NotEmpty,
    'field_3' => new Zend_Validate_NotEmpty
);

$input = new Zend_Filter_Input($filters, $validators);

However, only field_1 and field_3 exist in the result and are available for
escaping and have the filter applied, the other fields end up as unknown.
That is:

$field_1 = $input->field_1; // Escaped and filtered
$field_2 = $input->field_2; // Empty
$field_3 = $input->field_3; // Escaped and filtered etc..

Any way around this or have I just misunderstood how to use
Zend_Filter_Input? 


Edit - messed up the formatting..
  





Re: [fw-general] Zend_Filter_Input converting to String

2007-10-22 Thread Eric Alvares
Hi Mathew,

Perhaps it is the default HtmlEntities output filter that is causing your issue.
If so, then the following should show the expected integer value.

var_dump ($input->getUnescaped('field'));

Hope this helps.

Best regards,
Eric

- Original Message - 
  From: Mathew Byrne 
  To: fw-general@lists.zend.com 
  Sent: Monday, October 22, 2007 6:31 AM
  Subject: [fw-general] Zend_Filter_Input converting to String


  Why is it that Zend_Filter_Input appears to convert items that have been 
filtered to Int values back into a String?


  For instance:


  $filters = array ('field' => 'Int');
  $validators = array ('field' => 'Digits');
  $data = array ('field' => '1234');


  $input = new Zend_Filter_Input ($filters, $validators, $data);


  var_dump ($input->field);


  The following gives:


  string(4) "1234"


  Is this by design or am I missing something along the line somewhere?


  --
  Mathew Byrne, Lead Developer
  JB Interactive Pty. Ltd.
  222 Latrobe Street, Melbourne Victoria 3000


  1300 724 144
  www.jbinteractive.com.au





Re: [fw-general] Zend_Filter_Input get all data

2007-09-05 Thread Laurent Melmoux

Yann Nave a écrit :

Hello,

I would like to retrieve all data that I've submitted  once they
process filters and validators whereas if there are some errors.

Zend_Filter_Input doesn't have method like that ? :s
  
I need such functionality too,  would be nice to have it with  
Zend_Filter_Input without extending it.


--
Laurent Melmoux, [EMAIL PROTECTED]



Re: [fw-general] Zend_Filter_Input get all data

2007-09-05 Thread TravisJ


Yann Nave wrote:
 
 I would like to retrieve all data that I've submitted  once they
 process filters and validators whereas if there are some errors.
 
 Zend_Filter_Input doesn't have method like that ? :s
 

Using getEscaped() or getUnescaped() will return an array of all valid
filtered and validated values.  While getInvalid(), getMissing(), etc.
return the invalid and missing fields.

I do something like this:

$filters = array('*' => 'Digits');
$validators = array(array('StringLength', 1, 5));
$input = new Zend_Filter_Input($filters, $validators, $paramsToFilter);
if (!$input->isValid()) {
  $invalidFields = $input->getInvalid();
//process invalid fields.
}
$validFields = $input->getEscaped();
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input-get-all-data-tf4379891s16154.html#a1243
Sent from the Zend Framework mailing list archive at Nabble.com.



Re: [fw-general] Zend_Filter_Input custom messages walked on...

2007-08-27 Thread Drew Bertola
Mmm.  I figured out the problem was just confusion between the meaning
of missingMessage and notEmptyMessage.

--
Drew

Drew Bertola wrote:
 Hi,
 
 I'm trying to figure out why I can't set custom messages in
 Zend_Filter_Input.  Is this a known bug?  I've searched around but
 haven't found anything.
 
 Then again, it could be me.  It's happened once or twice before ;^)
 
 If I do something like this:
 
 <?php
 
 ...
 
 $filters    = array("name" => array("StringTrim", "StripTags"));
 $validators = array("name" => array("presence" => "required"));
 $options    = array("missingMessage" => "%field% is required.");
 
 $input = new Zend_Filter_Input($filters,
                                $validators,
                                $data,
                                $options);
 
 if ( $input->hasInvalid() )
 {
   $messages = $input->getMessages();
 }
 
 Zend_Debug::dump($messages);
 
 ...
 
 When I have an empty name in $data, I see the default missingMessage,
 rather than my custom message passed in $options.  I think the problem
 is actually in Zend_Validate, but I haven't tracked it down that far.
 Any ideas?
 

-- 
Drew Bertola

-
*   PHP/LAMP Consultant, ZCE-1000   *
*   *
*   Tel: 408-966-6671   *
*   *
*   current resume: *
*   http://drewb.com/resume.pdf *
-


Re: [fw-general] Zend_Filter_Input()

2007-08-15 Thread ivo trompert



Brenton Alker wrote:
 
 
 ivo trompert wrote:
 
 
 ...
 
 But the problem now is that if I give the second field a message (the
 second field is the 'username') like this:
 
 'name' => array('NotEmpty', 'messages' => 'Voornaam is verplicht!'),
  'username' => array('NotEmtpy', 'messages' => 'De gebruikers naam is verplicht!'),
  'password1' => array('Alpha', 'allowEmpty' => true),
  'password2' => array('allowEmpty' => true)
  );
 I get the following error:
 
 Fatal error: Uncaught exception 'Zend_Filter_Exception' with message
 'Unable to find the implementation of the 'NotEmtpy' class' in
 /storage/wwwroot/Zend/Filter/Input.php:830 Stack trace: #0 
 
 ...
  
 What is wrong with this code?
 
 
 
 It's Just a simple typo by the looks.
 
 
 'username' => array('NotEmtpy', 'messages' => 'De gebruikers naam is verplicht!'),
 
 Fatal error: Uncaught exception 'Zend_Filter_Exception' with message
 'Unable to find the implementation of the 'NotEmtpy' class' in
 /storage/wwwroot/Zend/Filter/Input.php:830 Stack trace: #0
 
 
 You've got NotEmtpy instead of NotEmpty.
 
 
 

Thank you that was the problem.

Ivo Trompert

-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input%28%29-tf4269740s16154.html#a12158145
Sent from the Zend Framework mailing list archive at Nabble.com.



RE: [fw-general] Zend_Filter_Input fields metacommand not working as described

2007-08-10 Thread Bill Karwin
 -Original Message-
 From: news [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Ross
 
 When using the fields meta command if the rule name is different than 
 the fields metacommand then to access the value via magic accessors 
 you should use the rule name not the fields name, correct?  That is 
 what is implied in the documentation.

No -- The rule name is used in keys of the assoc array returned by
getMessages() and getErrors(), because messages correspond to validator
failures, not individual input data fields.

You need to request the field value by the field name, not the rule
name.  Because multiple rules might have been applied to the field
before it is ready to be retrieved.

The value is returned after it has been filtered and validated by all
applicable rules.

Regards,
Bill Karwin


Re: [fw-general] Zend_Filter_Input and overriding default error message

2007-06-29 Thread Arthur M. Kang
You have to setup the error messages as an array with all of the 
possible error values.  Using your example:


$validators = array('fname' => array('Alpha',
    'presence' => 'required',
    'messages' => array(
        Zend_Validate_Alpha::NOT_ALPHA => 'Custom not alpha error message.',
        Zend_Validate_Alpha::STRING_EMPTY => 'Custom empty string error message.'
    )));

Hope that helps.

Arthur


Joshua Ross wrote:
I have a question about Zend_Filter_Input.  I have read and reread the 
documentation and I am confused about the what can be done with the messages 
parameter when defining a validator.  The problem is that if I have a value 
string that is empty it seems I cannot override the error message that is 
returned.  Maybe I am just not understanding the documentation fully?  Here 
is the code (genericized):


$validators = array('fname' => array('Alpha',
    'presence' => 'required',
    'messages' => 'Invalid First Name'));
$filters = array();
$options = array('missingMessage' => 'test message 2',
    'notEmptyMessage' => 'test message 3');
$input = new Zend_Filter_Input($filters, $validators,
    $this->getRequest()->getPost(), $options);


if ($input->hasMissing() || $input->hasInvalid()) {
    $msg = '';
    foreach ($input->getMessages() as $error) {
        $msg .= implode("\n", $error);
    }
    throw new My_Exception($msg);
}

I expect to receive one of my three test messages for any error from this 
validator and I have tried both $input->getMessages() and 
$input->getErrors()...  however when the string is empty I always receive 
the following message.


'' is an empty string


When I dump the $input after it processes I see:
...
...
...
  ["_validatorRules:protected"] => array(8) {
    ["fname"] => array(9) {
      [0] => string(5) "Alpha"
      ["presence"] => string(8) "required"
      ["messages"] => array(1) {
        [0] => string(19) "Invalid First Name."
      }
      ["rule"] => string(5) "fname"
      ["fields"] => string(5) "fname"
      ["breakChainOnFailure"] => bool(false)
      ["allowEmpty"] => bool(false)
      ["validatorChain"] => object(Zend_Validate)#187 (3) {
        ["_validators:protected"] => array(1) {
          [0] => array(2) {
            ["instance"] => object(Zend_Validate_Alpha)#188 (6) {
              ["allowWhiteSpace"] => bool(false)
              ["_messageTemplates:protected"] => array(2) {
                ["notAlpha"] => string(19) "Invalid First Name."
                ["stringEmpty"] => string(28) "'%value%' is an empty string"
              }
              ["_value:protected"] => string(0) ""
              ["_messageVariables:protected"] => array(0) {
              }
              ["_messages:protected"] => array(1) {
                [0] => string(21) "'' is an empty string"
              }
              ["_errors:protected"] => array(1) {
                [0] => string(11) "stringEmpty"
              }
            }
            ["breakChainOnFailure"] => bool(false)
          }
        }
        ["_messages:protected"] => array(1) {
          [0] => string(21) "'' is an empty string"
        }
        ["_errors:protected"] => array(1) {
          [0] => string(11) "stringEmpty"
        }
      }
      ["validatorChainCount"] => int(1)
    }
...
...
...
  ["_invalidMessages:protected"] => array(1) {
    ["fname"] => array(1) {
      [0] => string(21) "'' is an empty string"
    }
  }
  ["_invalidErrors:protected"] => array(1) {
    ["fname"] => array(1) {
      [0] => string(11) "stringEmpty"
    }
  }


Any help here understanding my mistake or what I'm doing wrong would be 
appreciated.  Thanks
Josh 



  


RE: [fw-general] Zend_Filter_Input and $_FILES

2007-06-03 Thread Bill Karwin
That's a tough question.  I don't think there is a way to solve this if
you want to pass the entire $_FILES array.

A different solution would be to test the fields in each entry of
$_FILES, not the array itself.  Set up a ruleset with Zend_Filter_Input
and then loop through $_FILES, validating each entry individually:

  $validators = array('size' => array('Int', array('LessThan', 10)));
  $input = new Zend_Filter_Input(null, $validators);
  foreach ($_FILES as $field => $filedata) {
    $input->setData($filedata);
    if ($input->hasInvalid()) {
      echo "File upload error for field $field: ".implode(', ', $input->getMessages())."\n";
    }
  }

Regards,
Bill Karwin 

 -Original Message-
 From: Marcin Stefaniak [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, June 03, 2007 2:39 AM
 To: Zend Framework General
 Subject: [fw-general] Zend_Filter_Input and $_FILES
 
 I'm trying to validate file upload with Zend_Filter_Input. 
 I've created my own class, which implements 
 Zend_Validate_Interface, for file size validating. My 
 isValid() method is simple comparing file size 
 $_FILES['myfile']['size'] with assumed value. The problem is 
 that Zend_Filter_Input iterates all arrays he finds in input 
 array, so in my case he will make my test on all items he 
 will find in $_FILES['myfile'] array - 
 $_FILES['myfile']['tmp_name'], $_FILES['myfile']['name'], 
 $_FILES['myfile']['type'] and so on. And I want to check only 
 $_FILES['myfile']['size'] value. Is there a solution, which 
 let me pass full $_FILES['myfile'] array to my validate 
 class? I know I can use only validate class to make this 
 test, but I'd like to use Zend_Filter_Input.
 
 --
 Marcin Stefaniak
 
 


Re: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Pádraic Brady
Probably worth noting Bryce Lohr's proposal is now in the Laboratory but will 
not make it into the framework until after 1.0.0. It's a really powerful 
approach but it needs some dumbing down for the rest of us ;).

http://framework.zend.com/wiki/display/ZFPROP/Zend_Validate_Builder+-+Bryce+Lohr
 
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


- Original Message 
From: Pádraic Brady [EMAIL PROTECTED]
To: Jur Jean [EMAIL PROTECTED]
Cc: Zend Framework General fw-general@lists.zend.com
Sent: Wednesday, May 30, 2007 9:29:37 AM
Subject: Re: [fw-general] Zend_Filter_Input::getEscaped()

Hi Jur,

I have the same preference as yourself. I'm not using the component yet until 
it either reaches Core or is updated to reflect other potential solutions. But 
for now you can subclass Zend_Filter_Input and override its __get() method to 
change the default treatment of values to avoid the automated escaping.

A few other options are also available - check the proposal comments over at:
http://framework.zend.com/wiki/display/ZFPROP/Zend_Filter_Input+redesign+-+Bill+Karwin

Pádraic
 
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


- Original Message 
From: Jur Jean [EMAIL PROTECTED]
To: fw-general@lists.zend.com
Sent: Wednesday, May 30, 2007 9:17:49 AM
Subject: [fw-general] Zend_Filter_Input::getEscaped()


Why is Zend_Filter_Input::getEscaped() called by default when magic accessing
vars? I use getUnescaped() a lot more often.

In the view, you should use $this->escape(), the form helpers escapes
values, and when writing to my database I also don't want to escape using
this method, but use the db's escape method.
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input%3A%3AgetEscaped%28%29-tf3838924s16154.html#a10869449
Sent from the Zend Framework mailing list archive at Nabble.com.









Re: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Pádraic Brady
I'm at least as dumb as everyone else, Bryce. :)

Whenever you get around to coding I'll have an svn external pointing at the 
laboratory to grab the code ;). Look forward to reviewing and testing.
 
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com


- Original Message 
From: Bryce Lohr [EMAIL PROTECTED]
To: Pádraic Brady [EMAIL PROTECTED]; Zend FW General List 
fw-general@lists.zend.com
Sent: Wednesday, May 30, 2007 5:08:47 PM
Subject: Re: [fw-general] Zend_Filter_Input::getEscaped()

I literally busted out laughing when I read that... I'll take that as a 
compliment. :)  I'll get back working on that in a few days (I have a beta 
release of my own to get through first). As always, I'm wide open to 
suggestions 
for the dumbing down part... ;)

Regards,
Bryce Lohr


Pádraic Brady wrote:
 Probably worth noting Bryce Lohr's proposal is now in the Laboratory but 
 will not make it into the framework until after 1.0.0. It's a really 
 powerful approach but it needs some dumbing down for the rest of us ;).
 
 http://framework.zend.com/wiki/display/ZFPROP/Zend_Validate_Builder+-+Bryce+Lohr
  
 Pádraic Brady
 http://blog.astrumfutura.com
 http://www.patternsforphp.com
 
 
 - Original Message 
 From: Pádraic Brady [EMAIL PROTECTED]
 To: Jur Jean [EMAIL PROTECTED]
 Cc: Zend Framework General fw-general@lists.zend.com
 Sent: Wednesday, May 30, 2007 9:29:37 AM
 Subject: Re: [fw-general] Zend_Filter_Input::getEscaped()
 
 Hi Jur,
 
 I have the same preference as yourself. I'm not using the component yet 
 until it either reaches Core or is updated to reflect other potential 
 solutions. But for now you can subclass Zend_Filter_Input and override 
 its __get() method to change the default treatment of values to avoid 
 the automated escaping.
 
 A few other options are also available - check the proposal comments 
 over at:
 http://framework.zend.com/wiki/display/ZFPROP/Zend_Filter_Input+redesign+-+Bill+Karwin
 
 Pádraic
  
 Pádraic Brady
 http://blog.astrumfutura.com
 http://www.patternsforphp.com
 
 
 - Original Message 
 From: Jur Jean [EMAIL PROTECTED]
 To: fw-general@lists.zend.com
 Sent: Wednesday, May 30, 2007 9:17:49 AM
 Subject: [fw-general] Zend_Filter_Input::getEscaped()
 
 
 Why is Zend_Filter_Input::getEscaped() called by default when magic 
 accessing
 vars? I use getUnescaped() a lot more often.
 
 In the view, you should use $this->escape(), the form helpers escapes
 values, and when writing to my database I also don't want to escape using
 this method, but use the db's escape method.
 -- 
 View this message in context: 
 http://www.nabble.com/Zend_Filter_Input%3A%3AgetEscaped%28%29-tf3838924s16154.html#a10869449
 Sent from the Zend Framework mailing list archive at Nabble.com.
 
 
 
 

RE: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Bill Karwin
Zend_Filter_Input is in core now.
 
The purpose of requiring getUnescaped() to be called explicitly is to force the 
application developer to acknowledge the fact that the value is in a form that 
is potentially not safe to output.
 
And yes, you can subclass Zend_Filter_Input and redefine its __get() method if 
you want to.
 
Alternatively, you can set the Zend_Filter_Input escape filter to something 
else:
 
  $input = new Zend_Filter_Input( ... );
  $input->setDefaultEscapeFilter('StringTrim'); // for example
 
Regards,
Bill Karwin




From: Pádraic Brady [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 30, 2007 1:30 AM
To: Jur Jean
Cc: Zend Framework General
Subject: Re: [fw-general] Zend_Filter_Input::getEscaped()


Hi Jur,

I have the same preference as yourself. I'm not using the component yet 
until it either reaches Core or is updated to reflect other potential 
solutions. But for now you can subclass Zend_Filter_Input and override its 
__get() method to change the default treatment of values to avoid the automated 
escaping.

A few other options are also available - check the proposal comments 
over at:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Filter_Input+redesign+-+Bill+Karwin

Pádraic

 
Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com



- Original Message 
From: Jur Jean [EMAIL PROTECTED]
To: fw-general@lists.zend.com
Sent: Wednesday, May 30, 2007 9:17:49 AM
Subject: [fw-general] Zend_Filter_Input::getEscaped()



Why is Zend_Filter_Input::getEscaped() called by default when magic 
accessing
vars? I use getUnescaped() a lot more often.

In the view, you should use $this->escape(), the form helpers escapes
values, and when writing to my database I also don't want to escape 
using this method, but use the db's escape method.
-- 
View this message in context: 
http://www.nabble.com/Zend_Filter_Input%3A%3AgetEscaped%28%29-tf3838924s16154.html#a10869449
Sent from the Zend Framework mailing list archive at Nabble.com.






Ready for the edge of your seat? Check out tonight's top picks 
http://us.rd.yahoo.com/evt=48220/*http://tv.yahoo.com/  on Yahoo! TV. 
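Added example (not part of any message in this thread, and not Zend Framework code): the trade-off argued above, with escaped-by-default magic access on one side and context-specific escaping on the other. InputModel, viewEscape() and the sample data are hypothetical and constructed; htmlentities() standing in for the escape filter and the availability of pdo_sqlite are assumptions.

```php
<?php
// Added illustration, not Zend Framework code. InputModel is a hypothetical
// stand-in that mimics the behaviour described in the thread: magic property
// access returns the escaped value, getUnescaped() must be asked for by name.
// Assumption: htmlentities() plays the role of the escape filter.

final class InputModel
{
    private $data;
    private $escapeFilter;

    public function __construct(array $data, $escapeFilter = null)
    {
        $this->data = $data;
        $this->escapeFilter = $escapeFilter ?: function ($value) {
            return htmlentities($value, ENT_QUOTES, 'UTF-8');
        };
    }

    // Magic access is the "safe for HTML output" path.
    public function __get($key)
    {
        return $this->getEscaped($key);
    }

    public function getEscaped($key)
    {
        return isset($this->data[$key])
            ? call_user_func($this->escapeFilter, $this->data[$key])
            : null;
    }

    // The caller has to name the unescaped form explicitly.
    public function getUnescaped($key)
    {
        return isset($this->data[$key]) ? $this->data[$key] : null;
    }
}

// View-layer escaping, standing in for the view's escape() helper.
function viewEscape($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed input containing HTML and SQL metacharacters.
$raw = array('nick' => "O'Brien <b>admin</b>");

// In-memory SQLite (assumes the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (label TEXT, nick TEXT)');
$insert = $db->prepare('INSERT INTO users (label, nick) VALUES (?, ?)');

$input = new InputModel($raw);

// Case 1: magic access feeds the database; HTML entities end up in storage.
$insert->execute(array('escaped stored', $input->nick));

// Case 2: raw value bound as a parameter; the database layer handles quoting.
$insert->execute(array('raw stored', $input->getUnescaped('nick')));

// Case 3: escape filter swapped for trim, as with
// setDefaultEscapeFilter('StringTrim') in the message above.
$trimOnly = new InputModel($raw, 'trim');

foreach ($db->query('SELECT label, nick FROM users') as $row) {
    echo $row['label'], ' -> view output: ', viewEscape($row['nick']), "\n";
}
echo 'trim as escape filter -> magic access yields: ', $trimOnly->nick, "\n";
```

The row stored through magic access comes back double-encoded once the view escapes it, while the row stored from getUnescaped() is encoded exactly once. With trim as the escape filter, magic access returns the markup untouched, so every output site has to escape for itself.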



Re: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Shaun Rowe

Bill Karwin wrote:

Zend_Filter_Input is in core now.
 
The purpose of requiring getUnescaped() to be called explicitly is to 
force the application developer to acknowledge the fact that the value 
is in a form that is potentially not safe to output.
 
And yes, you can subclass Zend_Filter_Input and redefine its __get() 
method if you want to.
 
Alternatively, you can set the Zend_Filter_Input escape filter to 
something else:
 
  $input = new Zend_Filter_Input( ... );
  $input->setDefaultEscapeFilter('StringTrim'); // for example
 
Regards,

Bill Karwin


I have to say a big thanks to everyone who has worked on the re-design 
of Zend_Filter_Input. Having developed something quite similar myself 
using the ZF I'm pleased to see it now in the core.


Now all I have to do is refactor my code a bit to use this component and 
I'm laughing. As mine is already configured via an xml document, I 
reckon the config for Zend_Filter_Input can be described a similar way 
and held in a Zend_Config object. Would anyone be interested in how I 
get on?



Cheers

Shaun


RE: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Bill Karwin
 -Original Message-
 From: Shaun Rowe [mailto:[EMAIL PROTECTED] 
 
 Now all I have to do is refactor my code a bit to use this 
 component and I'm laughing. As mine is already configured via 
 an xml document, I reckon the config for Zend_Filter_Input 
 can be described a similar way and held in a Zend_Config 
 object. Would anyone be interested in how I get on?

That's great!  Yes, the idea was to make the rules declared as data, so
one could easily store it in one of the Zend_Config back-ends.

Would you consider writing an article for DevZone with your solution?
They're always looking for good ZF content.

Regards,
Bill Karwin


Re: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Shaun Rowe

Bill Karwin wrote:

-Original Message-
From: Shaun Rowe [mailto:[EMAIL PROTECTED] 

Now all I have to do is refactor my code a bit to use this 
component and I'm laughing. As mine is already configured via 
an xml document, I reckon the config for Zend_Filter_Input 
can be described a similar way and held in a Zend_Config 
object. Would anyone be interested in how I get on?


That's great!  Yes, the idea was to make the rules declared as data, so
one could easily store it in one of the Zend_Config back-ends.

Would you consider writing an article for DevZone with your solution?
They're always looking for good ZF content.

Regards,
Bill Karwin


Yes, I'd be very interested in writing an article. Are you referring to 
my existing solution? Or to my (impending) refactoring? Or both? :)



Cheers

Shaun


RE: [fw-general] Zend_Filter_Input::getEscaped()

2007-05-30 Thread Bill Karwin
 -Original Message-
 From: Shaun Rowe [mailto:[EMAIL PROTECTED] 
 
 Yes, I'd be very interested in writing an article. Are you 
 referring to my existing solution? Or to my (impending) 
 refactoring? Or both? :)

I was thinking of the refactoring, showing how to manage
Zend_Filter_Input rules using Zend_Config.

Bill


RE: [fw-general] Zend_Filter_Input problem

2007-05-26 Thread Bill Karwin
Thanks for the issue report Jakub, I have logged it as 
http://framework.zend.com/issues/browse/ZF-1437 and I will begin working on it.
 
Regards,
Bill Karwin




From: Jakub Podhorský [mailto:[EMAIL PROTECTED] 
Sent: Saturday, May 26, 2007 3:47 AM
To: fw-general@lists.zend.com
Subject: [fw-general] Zend_Filter_Input problem



Hello,

I've got one problem with Zend_Filter_Input and I don't know how to 
solve it. I have:

 

<?php
$data = array(
    'nick'    => '',
    'email'   => '[EMAIL PROTECTED]',
    'message' => 'my long message'
);

$filters = array(
    '*'    => new Zend_Filter_StringTrim(),
    'nick' => new Zend_Filter_StripTags()
);

$validators = array(
    'email' => array(
        new Zend_Validate_EmailAddress(),
        Zend_Filter_Input::ALLOW_EMPTY => true
    ),
    'nick' => array(
        Zend_Filter_Input::PRESENCE    => Zend_Filter_Input::PRESENCE_REQUIRED,
        Zend_Filter_Input::ALLOW_EMPTY => false
    )
);

$input = new Zend_Filter_Input($filters, $validators, $data);

if ($input->hasInvalid())
{
    $message = $input->getMessages();
}
?>

 

If I have empty string in nick field it can't pass but it doesn't work. 
I don't need to make any other validation on that field. 

 

Thanks for every help,

Jakub Podhorský



Re: [fw-general] Zend_Filter_Input on ZFW 0.9.1

2007-04-03 Thread Ed Finkler

On 4/3/07, Juan Felipe Alvarez Saldarriaga [EMAIL PROTECTED] wrote:


Well, so I need to filter all data one per one? Cause when I was
doing it with Zend_Filter_Input the result object was a protected object
of the ZFW, is there a way to do this? Or just making a
$this->getRequest on the Controller?


Yes.

No.

Not sure I understand.

--
- Ed Finkler
http://funkatron.com/


RE: [fw-general] Zend_Filter_Input...

2007-03-26 Thread Simon R Jones
I agree users should definitely know where their data comes from. Obviously
reliance simply on POST is silly. That's where Zend_Validate/Filter type
functions come into play.

I think Chris is getting at the fact GET shouldn't be used for actions that
change data (i.e. delete, add records, etc). Though many apps do this, it is
against the HTTP spec and can lead to unpredictable results (i.e. when
Google Accelerator followed all links in a document and started actioning
delete links). I've been guilty of this myself in the past.

I originally made this comment since it seemed that functions within ZF were
returning POST variables not purely from POST, but from a mulch of
POST/GET/URL. If the function exists, chances are users will use them. And
that seems to promote bad practise.

I'm in favour of users sticking to good old $_POST and $_GET so they know
exactly where things come from and can plan their security appropriately.
The old Zend_Filter_Input used to give users access to $_POST and unset
_POST so they were encouraged to filter all incoming data. That seemed
useful, though I understand progress has made that undesirable now. 

If any ZF functions do return POST to the user for their own scripts, they
should have a good reason for doing so (and ideally add functionality / or
encourage security practises) otherwise it seems simpler to just stick with
existing superglobals that people understand. 

Security is a big thing, more so perhaps in the PHP world where there has
been bad press in the past. Seems like a good topic for a tutorial, or even
an additional manual section, for ZF 1.0 ...

best wishes,
Si



Re: [fw-general] Zend_Filter_Input...

2007-03-25 Thread Chris Shiflett
Matthew Ratzloff wrote:
 Well, my point was that because any of those can be manipulated
 (POST, GET, COOKIE, etc.), selecting from a specific source can
 lead to a false sense of added security.

The idea that ignorance promotes security is fundamentally flawed.
Pádraic clearly understands the risks associated with this perspective.

In addition, this approach works against the HTTP spec, eroding the
important distinction between GET and POST requests.

Chris


Re: [fw-general] Zend_Filter_Input...

2007-03-25 Thread Ralph Schindler

Chris Shiflett wrote:


The idea that ignorance promotes security is fundamentally flawed.
Pádraic clearly understands the risks associated with this perspective.

In addition, this approach works against the HTTP spec, eroding the
important distinction between GET and POST requests.



That's a bit loaded :)  I would consider the web in general to be the 
eroder of GET and POST as the current web browsers do not make it easy 
for developers to easily make truly RESTful applications for browsers. 
From my (albeit limited) knowledge, ZF is not RESTful and I am not sure 
if it's a goal.

Currently (across the web), we simulate PUT and DELETE by loading 
variables into our GET and POST, which, I can only imagine is one reason 
why you might see Get/Post variables accessible via the get/setParam 
utilities.. so that we can further simulate a RESTful architecture via a 
modern browser which so easily implements GET/POST.


On the subject of Filtering, I did like the previous method of pulling 
directly from source $input = new Zend_Filter_Input($_POST/$_GET).. But 
I am interested to see what the future plans have in store for us.


But, then again, I haven't written an HTTP Developers Handbook ;)

-ralph


Re: [fw-general] Zend_Filter_Input...

2007-03-25 Thread Matthew Ratzloff

Chris,

I was clearly not arguing in favor of ignorance, or that it's a valid method 
of security.  Please re-read my messages.


-Matt

- Original Message - 
From: Chris Shiflett [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
Cc: Zend Framework General fw-general@lists.zend.com
Sent: Sunday, March 25, 2007 7:31 AM
Subject: Re: [fw-general] Zend_Filter_Input...



Matthew Ratzloff wrote:

Well, my point was that because any of those can be manipulated
(POST, GET, COOKIE, etc.), selecting from a specific source can
lead to a false sense of added security.


The idea that ignorance promotes security is fundamentally flawed.
Pádraic clearly understands the risks associated with this perspective.

In addition, this approach works against the HTTP spec, eroding the
important distinction between GET and POST requests.

Chris 




RE: [fw-general] Zend_Filter_Input...

2007-03-22 Thread Simon R Jones
 You can use $this->_getParam('key', 'default'); in a Controller, because
  _getParam() use the Request->getParam() method, which tries first to
 load the param from the url, then from $_GET and after this from $_POST.

If $this->_getParam() looks at the URL, GET and POST isn't it a potential
security issue to use it for POST variables since you don't know exactly
where your input variables are coming from?

Seems rather similar to $_REQUEST to me which should also be avoided for
similar reasons - 
http://shiflett.org/articles/ideology

A quick look at the (nicely growing) manual it seems you can do the
following which does the job nicely for POST variables:

$myVar = $this->getPost('name');

(See API docs / Zend_Controller_Request_Http for more)

There do seem to be a lot of methods that return variables from GET, POST,
COOKIE, etc. I think it would be a good idea to mention the security
implications of depending on these in the manual..

Si




Re: [fw-general] Zend_Filter_Input...

2007-03-22 Thread Matthew Weier O'Phinney
-- Pádraic Brady [EMAIL PROTECTED] wrote
(on Thursday, 22 March 2007, 03:36 AM -0700):
 I agree with you Simon - if we have too many sources for input
 variables, some of which check varying sources in priority it's just
 another $_REQUEST situation where these values could conceivably come
 from anywhere. It's better practice to use a method which selects
 values from a known source on the basis if it comes from anywhere else
 unexpectedly it should ring a few alarm bells for the developer. I'd
 actually call it first line filtering/validation - if we know a value
 should be received via POST then if the same value is retrievable from
 GET it should be ignored unless it's for a valid reason.

Please remember that Zend_Controller_Request_* was built to help with
routing and dispatching -- which is why getParam() pulls from a variety
of sources (when determining how to route a request, the salient input
could come from a variety of sources -- the path, query parameters, post
parameters, etc.). It was never intended as a general-purpose object for
input filtering -- that's a goal for a later iteration, which will still
need to account for the variety of sources when dealing with routing.


 - Original Message 
 From: Simon R Jones [EMAIL PROTECTED]
 To: Zend Mailing List fw-general@lists.zend.com
 Sent: Thursday, March 22, 2007 8:13:19 AM
 Subject: RE: [fw-general] Zend_Filter_Input...
 
  You can use $this->_getParam('key', 'default'); in a Controller, because
   _getParam() use the Request->getParam() method, which tries first to
  load the param from the url, then from $_GET and after this from $_POST.
 
 If $this->_getParam() looks at the URL, GET and POST isn't it a potential
 security issue to use it for POST variables since you don't know exactly
 where your input variables are coming from?
 
 Seems rather similar to $_REQUEST to me which should also be avoided for
 similar reasons -
 http://shiflett.org/articles/ideology
 
 A quick look at the (nicely growing) manual it seems you can do the
 following which does the job nicely for POST variables:
 
 $myVar = $this->getPost('name');
 
 (See API docs / Zend_Controller_Request_Http for more)
 
 There do seem to be a lot of methods that return variables from GET, POST,
 COOKIE, etc. I think it would be a good idea to mention the security
 implications of depending on these in the manual..

-- 
Matthew Weier O'Phinney
PHP Developer| [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/


Re: [fw-general] Zend_Filter_Input...

2007-03-22 Thread Kevin McArthur
Hopefully getParam will be unified with the rest of the get* methods in 
Zend_Request, and this all won't be a problem.


- Original Message - 
From: Simon R Jones [EMAIL PROTECTED]

To: fw-general@lists.zend.com
Sent: Thursday, March 22, 2007 10:34 AM
Subject: RE: [fw-general] Zend_Filter_Input...



It was never intended as a general-purpose object for
input filtering -- that's a goal for a later iteration, which will still
need to account for the variety of sources when dealing with routing.


That's fine, just as long as new users always use $_POST or getPost() to
retrieve POST variables so they know where they are coming from.

Just something that may be worth highlighting in the manual for 1.0 -
Presumably there will be/is a small section saying where to get various
things when using the Router (i.e. URL parameters, GET vars, POST vars)?

best wishes,
Si





Re: [fw-general] Zend_Filter_Input...

2007-03-22 Thread Matthew Weier O'Phinney
-- Ed Finkler [EMAIL PROTECTED] wrote
(on Thursday, 22 March 2007, 01:27 PM -0400):
 On 3/22/07, Matthew Weier O'Phinney [EMAIL PROTECTED] wrote:
  Please remember that Zend_Controller_Request_* was built to help with
  routing and dispatching -- which is why getParam() pulls from a variety
  of sources (when determining how to route a request, the salient input
  could come from a variety of sources -- the path, query parameters, post
  parameters, etc.). It was never intended as a general-purpose object for
  input filtering -- that's a goal for a later iteration, which will still
  need to account for the variety of sources when dealing with routing.
 
 That security considerations are not part of the initial
 implementation, but something added later in the process, is in and of
 itself worrisome.

There's a heavy amount of filtering going on in the router and
dispatcher -- that's where the security is residing for this
implementation.

Zend_Controller_Request_Abstract has *no* methods for interacting with
the environment whatsoever -- simply accessors for setting parameters
and module/controller/action values.

The HTTP version is designed to pull information out of the HTTP
environment in order to aid routing and dispatch tasks; this includes
the path, query string parameters, post variables, cookies, and more.
Again, the point was not for general purpose consumption by userland
scripts. However, since it is made accessible by the action controllers
(in order to allow things like action forwarding), many have used it for
pulling data in much the way $_REQUEST has been used in the past. 

Once I realized people were using the request object in order to pull
GET and POST data -- instead of accessing those superglobals themselves,
or using a proxy such as Zend_Filter_Input, I realized that this would
be a security vector.  However, without stable validation/filtering
classes ready, this simply could not be addressed properly. Now that
they are, we can begin addressing this. This is why I mentioned that it
will be dealt with in a later iteration. Any solution will need to
remain backwards compatible with the current API, however. This should
not be difficult due to the nature of the accessors.

-- 
Matthew Weier O'Phinney
PHP Developer| [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/


Re: [fw-general] Zend_Filter_Input...

2007-03-22 Thread Kevin McArthur
getParam should, imho, return params only, if there's need for routing for 
cascaded stuff then maybe a getInput or similar. You shouldn't be able to 
override post data with a param, or, at least that's not how the fw should be 
recommending apps be built using getParam like $_REQUEST.


If you get rid of the $_request-like way of getParam, then the validation 
question of origin becomes less problematic. Anyone using getParams etc 
should already be validating the type of data (as it's from userland) with 
Zend_Validate/Zend_Filter, and/or putting a regexp on the route.


However, my response was in response to


That's fine, just as long as new users always use $_POST or getPost() to
retrieve POST variables so they know where they are coming from.


If you change getParams, this problem goes away completely.

Kevin


- Original Message - 
From: Matthew Weier O'Phinney [EMAIL PROTECTED]

To: fw-general@lists.zend.com
Sent: Thursday, March 22, 2007 10:59 AM
Subject: Re: [fw-general] Zend_Filter_Input...



-- Kevin McArthur [EMAIL PROTECTED] wrote
(on Thursday, 22 March 2007, 11:36 AM -0700):

Hopefully getParam will be unified with the rest of the get* methods in
Zend_Request, and this all won't be a problem.


I fail to see how this is even related to the discussion. The request
you had earlier this week was to have getParam(null) return the entire
list of params, vs. having a getParams() method -- what does this have
to do with input filtering?

Additionally, getParam() right now looks through several arrays:

   * internal param store (usu. set by the router from the request uri)
   * $_GET params
   * $_POST params

The reason for this is that information necessary for routing can be
found in each of these, and if not found in one should cascade down
through the others until found (if available).

Note: getUserParam()/getUserParams() return just the internal param
store.

To normalize the API, I will definitely consider modifying getParam()
and getUserParam() to accept a null argument to return the entire
arrays, and then remove getParams() and getUserParams(). But I'm not
sure that these changes address the input filtering discussion.

- Original Message - 
From: Simon R Jones [EMAIL PROTECTED]

To: fw-general@lists.zend.com
Sent: Thursday, March 22, 2007 10:34 AM
Subject: RE: [fw-general] Zend_Filter_Input...

  It was never intended as a general-purpose object for
  input filtering -- that's a goal for a later iteration, which will still
  need to account for the variety of sources when dealing with routing.

 That's fine, just as long as new users always use $_POST or getPost() to
 retrieve POST variables so they know where they are coming from.

 Just something that may be worth highlighting in the manual for 1.0 -
 Presumably there will be/is a small section saying where to get various
 things when using the Router (i.e. URL parameters, GET vars, POST vars)?


--
Matthew Weier O'Phinney
PHP Developer| [EMAIL PROTECTED]
Zend - The PHP Company   | http://www.zend.com/ 
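Added example (not part of the thread and not Zend Framework code): a small model of the lookup order described above (router params, then $_GET, then $_POST) next to a POST-only accessor, plus a check for keys supplied by more than one source. RequestModel, the two handlers and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: a minimal stand-in for the request object discussed in
// this thread. It is NOT Zend Framework code; all names are hypothetical.
// Only the lookup order is taken from the thread: router (URL) params first,
// then $_GET, then $_POST.

final class RequestModel
{
    private $method;
    private $userParams;
    private $get;
    private $post;

    public function __construct($method, array $userParams, array $get, array $post)
    {
        $this->method     = strtoupper($method);
        $this->userParams = $userParams;
        $this->get        = $get;
        $this->post       = $post;
    }

    // Cascading accessor: the first source that has the key wins.
    public function getParam($key, $default = null)
    {
        foreach (array($this->userParams, $this->get, $this->post) as $source) {
            if (array_key_exists($key, $source)) {
                return $source[$key];
            }
        }
        return $default;
    }

    // Source-specific accessor: only the POST body is consulted.
    public function getPost($key, $default = null)
    {
        return array_key_exists($key, $this->post) ? $this->post[$key] : $default;
    }

    public function isPost()
    {
        return $this->method === 'POST';
    }

    // Keys supplied by more than one source. A non-empty result means a
    // cascading lookup is silently choosing between competing values.
    public function shadowedKeys()
    {
        $seen = array();
        $sources = array('url' => $this->userParams, 'get' => $this->get, 'post' => $this->post);
        foreach ($sources as $name => $values) {
            foreach (array_keys($values) as $key) {
                $seen[$key][] = $name;
            }
        }
        return array_filter($seen, function ($names) {
            return count($names) > 1;
        });
    }
}

// Handler written against the cascading accessor: any source can drive it.
function deleteWithGetParam(RequestModel $request)
{
    $id = $request->getParam('delete_id');
    return $id === null ? 'no-op' : 'delete record ' . $id;
}

// Handler that names its source: acts only on a value from a POST body.
function deleteWithGetPost(RequestModel $request)
{
    if (!$request->isPost()) {
        return 'rejected: not a POST request';
    }
    $id = $request->getPost('delete_id');
    if ($id === null || !ctype_digit((string) $id)) {
        return 'rejected: delete_id missing or not numeric';
    }
    return 'delete record ' . $id;
}

// Constructed requests (sample data, not captured traffic).
$requests = array(
    'GET link followed' => new RequestModel(
        'GET', array(), array('delete_id' => '7'), array()
    ),
    'POST form plus query string' => new RequestModel(
        'POST', array(), array('delete_id' => '7'), array('delete_id' => '42')
    ),
);

foreach ($requests as $label => $request) {
    echo $label, "\n";
    echo '  getParam handler: ', deleteWithGetParam($request), "\n";
    echo '  getPost handler:  ', deleteWithGetPost($request), "\n";
    echo '  shadowed keys:    ', json_encode($request->shadowedKeys()), "\n";
}
```

In the first request the cascading handler acts on a plain link while the POST-only handler refuses. In the second, the query-string value wins over the form value under the cascade, and shadowedKeys() reports the conflict so it can be logged or rejected.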




Re: [fw-general] Zend_Filter_Input...

2007-03-22 Thread Matthew Ratzloff
Well, my point was that because any of those can be manipulated (POST,
GET, COOKIE, etc.), selecting from a specific source can lead to a false
sense of added security.  Better to make your application capable of
reliably accepting data from any source and acting on it appropriately. 
In other words, to deal with user data as if it had come from a single
source: the user.

-Matt

On Thu, March 22, 2007 3:27 pm, Pádraic Brady wrote:
 np ;), but isn't that the same or a related point I reiterated? Yes,
 developers should be aware data can come from anywhere, which also makes
 it important they know to narrow down access methods to eliminate
 unexpected ones - standard security practice. Surely that was always the
 problem of using $_REQUEST in preference to deliberately selecting one of
 $_POST, $_GET, $_COOKIE. Just as improperly relying on getParam (since
 it's currently an accessible public method) instead of getPost hides where
 the data came from, adding an unnecessary element of risk which today we
 see in CSRF vectors. All I intended to note (sorry if my wording was
 obscure!)  was using a multi-source method was bad practice. I have bad
 habit I think of stating the obvious across a page of text :). Yep,
 definitely bad.

 Also, I wish I understood or had read more about the Request object. It
 was my impression the Request object was not solely intended for
 controller logic. I guess I misinterpreted its uses since it seemed a
 natural fit for any standard Request object - really should note the
 distinction in the manual because it should be avoided if that's the case.
 Or maybe I should read the manual more often in case it already is!

 Pádraic Brady
 http://blog.astrumfutura.com
 http://www.patternsforphp.com


 - Original Message 
 From: Matthew Ratzloff [EMAIL PROTECTED]
 To: Zend Framework General fw-general@lists.zend.com
 Sent: Thursday, March 22, 2007 6:23:47 PM
 Subject: Re: [fw-general] Zend_Filter_Input...

 [I]f we have too many sources for input variables, some of which check
 varying sources in priority it's just another $_REQUEST situation where
 these values could conceivably come from anywhere.

 The data DOES come from anywhere.  Data is not somehow more secure if it
 is POST.  POST variables can be manipulated with only slightly more
 difficulty in a browser than modifying the query string, and when using
 something like cURL or Zend_Http_Client the difference is insignificant.

 Data should be checked not only for well-formedness (e.g., correct data
 type) but also for validity and access rights.  Whatever filtering
 solution is created post-1.0, it is not going to be a comprehensive
 solution unless used in combination with Zend_Validate, Zend_Auth, and
 Zend_Acl.

 Most PHP developers either don't understand this, don't care about this,
 or their development timeline is paced so ridiculously short that they
 don't have time to deal with it.  Most of the time it's one of the first
 two.  In the third case, I've had to show clients numerous times how easy
 it is to get into supposedly secure web applications, just to show how
 important it is to get it right.  You would be surprised how little
 difficulty you encounter when trying to gain access to supposedly secure
 web systems because of attitudes like it comes from POST, therefore it's
 more secure.

 Not trying to pick on you, Simon and Pádraic.  :-)  But I would actually
 PREFER that developers always be aware that their data can come from
 anywhere, just so they stay paranoid.

 -Matt

 On Thu, March 22, 2007 3:36 am, Pádraic Brady wrote:
 I agree with you Simon - if we have too many sources for input
 variables, some of which check varying sources in priority it's just
 another $_REQUEST situation where these values could conceivably come
 from anywhere. It's better practice to use a method which selects
 values from a known source on the basis if it comes from anywhere else
 unexpectedly it should ring a few alarm bells for the developer. I'd
 actually call it first line filtering/validation - if we know a value
 should be received via POST then if the same value is retrievable from
 GET it should be ignored unless it's for a valid reason.
 Pádraic Brady
 http://blog.astrumfutura.com
 http://www.patternsforphp.com


 - Original Message 
 From: Simon R Jones [EMAIL PROTECTED]
 To: Zend Mailing List fw-general@lists.zend.com
 Sent: Thursday, March 22, 2007 8:13:19 AM
 Subject: RE: [fw-general] Zend_Filter_Input...

 You can use $this->_getParam('key', 'default'); in a Controller, because
  _getParam() use the Request->getParam() method, which tries first to
 load the param from the url, then from $_GET and after this from $_POST.

 If $this->_getParam() looks at the URL, GET and POST isn't it a potential
 security issue to use it for POST variables since you don't know exactly
 where your input variables are coming from?

 Seems rather similar to $_REQUEST to me which should also be avoided for
 similar

Re: [fw-general] Zend_Filter_Input...

2007-03-21 Thread Daniel Khan

Waldemar Schott wrote:

Hi Adam,
ZF has now two components called Zend_Filter_* and Zend_Validate_* for
this. But IMO it's quite harder compared to Zend_Filter_Input. Maybe
there will be something similar to Zend_Filter_Input after the 1.0
Release. Furthermore the class Zend is deprecated.
  
So there is no Zend way to get a variable without calling isset() 
anymore by now with E_ALL - right?

I have to do a

if (isset($_POST['foo'])) {
   $Filter = new Zend_Filter_Alnum();
   $Filter->filter($_POST['foo']);
}

Is this right or do I miss something?

--
Daniel Khan


Re: [fw-general] Zend_Filter_Input...

2007-03-19 Thread Alexander Kops

Hi,

I don't understand why it was removed. Instead of writing
Zend_Loader::loadClass('Zend_Filter_Input');
$input = new Zend_Filter_Input($this->_getAllParams());
$id = $input->getDigits('id');
$name = $input->getAlpha('name');
$login = $input->getAlnum('login');

I have to use
Zend_Loader::loadClass('Zend_Filter_Digits');
Zend_Loader::loadClass('Zend_Filter_Alpha');
Zend_Loader::loadClass('Zend_Filter_Alnum');
$id = Zend_Filter_Digits::filter($this->_getParam('id'));
$name = Zend_Filter_Alpha::filter($this->_getParam('name'));
$login = Zend_Filter_Alnum::filter($this->_getParam('login'));

Where is the improvement?
We use a central module_Controllers_Action extends 
Zend_Controller_Action, in its init-function we just called

$this->input = new Zend_Filter_Input($this->_getAllParams());
and we had access to the Filter in every Controller.
I guess I will just copy the functions of Zend_Filter_Input to a own 
class :)


cya, Alex

Jason Qi schrieb:

Please to see Rob's  Goodbye Zend.php

http://akrabat.com/

Hope it helps

Jason.

*/Adam Balgach [EMAIL PROTECTED]/* wrote:

All,

How does the functionality change from .8 - .9 for
Zend_Filter_Input...

I was using something like:

Zend::register('post', new Zend_Filter_Input($_POST, false));
Zend::register('get', new Zend_Filter_Input($_GET, false));


but i see this class has gone away...








RE: [fw-general] Zend_Filter_Input / accessing $_POST

2007-03-19 Thread Simon R Jones
Thanks for the speedy reply Tony

best wishes,
Simon 




Re: [fw-general] Zend_Filter_Input...

2007-03-18 Thread Adam Balgach

so this functionality has gone away for good ?

On 3/18/07, Jason Qi [EMAIL PROTECTED] wrote:


Please to see Rob's  Goodbye Zend.php

http://akrabat.com/

Hope it helps

Jason.

*Adam Balgach [EMAIL PROTECTED]* wrote:

All,

How does the functionality change from .8 - .9 for Zend_Filter_Input...

I was using something like:

Zend::register('post', new Zend_Filter_Input($_POST, false));
Zend::register('get', new Zend_Filter_Input($_GET, false));


but i see this class has gone away...







Re: [fw-general] Zend_Filter_Input...

2007-03-18 Thread Jason Qi
Bill once said that until 1.0, everything could be changed. If you use ZF for 
your real product, it is better to do the final check after 1.0

Adam Balgach [EMAIL PROTECTED] wrote:

so this functionality has gone away for good ?

On 3/18/07, Jason Qi [EMAIL PROTECTED] wrote:

Please to see Rob's  Goodbye Zend.php

http://akrabat.com/

Hope it helps

Jason.

Adam Balgach [EMAIL PROTECTED] wrote:

All,

How does the functionality change from .8 - .9 for Zend_Filter_Input...

I was using something like:

Zend::register('post', new Zend_Filter_Input($_POST, false));
Zend::register('get', new Zend_Filter_Input($_GET, false));


but i see this class has gone away...


  

   


Re: [fw-general] Zend_Filter_Input...

2007-03-18 Thread Waldemar Schott
Hi Adam,
ZF has now two components called Zend_Filter_* and Zend_Validate_* for
this. But IMO it's quite harder compared to Zend_Filter_Input. Maybe
there will be something similar to Zend_Filter_Input after the 1.0
Release. Furthermore the class Zend is deprecated.


Adam Balgach schrieb:
 All,
 
 How does the functionality change from .8 - .9 for Zend_Filter_Input...
 
 I was using something like:
 
 Zend::register('post', new Zend_Filter_Input($_POST, false));
 Zend::register('get', new Zend_Filter_Input($_GET, false));
 
 
 but i see this class has gone away...
 
 





Re: [fw-general] Zend_Filter_Input

2006-10-03 Thread Rob Allen
Chris Shiflett wrote:
 Matthew Ratzloff wrote:
 I think all functions should begin with a verb, but isSet
 seems more natural than isKey in this situation, since the
 array is a product of how PHP handles POST data, not inherent
 in the HTML itself.
 
 You make a good argument. :-) The isSet() name seems good.
 

Also, maps to isset() in people's minds, so works for me as it's one
less difference to remember.

Implementing __isset() might be handy too.


Regards,

Rob...



Re: [fw-general] Zend_Filter_Input

2006-10-02 Thread Chris Shiflett
Craig Slusher wrote:
 I use Zend_Filter_Input to process my $_POST data. If I want to
 find out if a certain button was clicked, what is the best way
 to check?
 
 if ($post->getRaw('btnSave') !== false) { ... }
 
 Is this the correct way to check for button clicks?

I think you're asking how to tell if a key exists. If so, there is a
method called keyExists() that will perform this check for you.

On a related note, I wish this method were named something like isKey()
to better conform to the existing naming convention. I've been hesitant
to enter this as a bug, but perhaps others agree.

(I think the strict naming convention is one of the benefits of using ZF
for this stuff.)

Chris


Re: [fw-general] Zend_Filter_Input

2006-10-02 Thread Gavin Vess
If there are inconsistencies in ZF APIs, whether order of parameters for 
similar functions, or naming inconsistencies between similar functions, 
I consider these issues as bugs, the same as violations of the ZF Coding 
Standard.


If a JIRA issue lists the snippets of ZF classes and code that are 
inconsistent, then the issue will probably be resolved sooner.


Cheers,
Gavin

Chris Shiflett wrote:

Craig Slusher wrote:
  

I use Zend_Filter_Input to process my $_POST data. If I want to
find out if a certain button was clicked, what is the best way
to check?

if ($post->getRaw('btnSave') !== false) { ... }

Is this the correct way to check for button clicks?



I think you're asking how to tell if a key exists. If so, there is a
method called keyExists() that will perform this check for you.

On a related note, I wish this method were named something like isKey()
to better conform to the existing naming convention. I've been hesitant
to enter this as a bug, but perhaps others agree.

(I think the strict naming convention is one of the benefits of using ZF
for this stuff.)

Chris


  


Re: [fw-general] Zend_Filter_Input

2006-10-02 Thread Matthew Ratzloff

Oh, of course.  I completely missed that function.

I think all functions should begin with a verb, but isSet seems more 
natural than isKey in this situation, since the array is a product of how 
PHP handles POST data, not inherent in the HTML itself.  For example, if you 
were coming off of only knowing PHP with register_globals, you wouldn't 
think of variables as being keys in an array.  The function name would 
describe the implementation, not the data itself.


If I can continue to be pedantic for a moment, noTags and noPath aren't 
good function names either.  They should be removeTags and removePath or 
something similar.


-Matt

- Original Message - 
From: Chris Shiflett [EMAIL PROTECTED]

To: Craig Slusher [EMAIL PROTECTED]
Cc: Zend Framework General fw-general@lists.zend.com
Sent: Monday, October 02, 2006 9:21 AM
Subject: Re: [fw-general] Zend_Filter_Input



I think you're asking how to tell if a key exists. If so, there is a
method called keyExists() that will perform this check for you.

On a related note, I wish this method were named something like isKey()
to better conform to the existing naming convention. I've been hesitant
to enter this as a bug, but perhaps others agree.

(I think the strict naming convention is one of the benefits of using ZF
for this stuff.)