RE: [PHP] Passing Form As Argument
On Fri, April 21, 2006 7:09 pm, Nicolas Verhaeghe wrote: > So far, I have rarely seen people entering fake data into shopping > carts or > online forms. Why? Because most people don't have time to waste > screwing > around filling online form with junk. You have been very very very lucky, then. Because there are a zillion bots out there making all kinds of crazy POSTs to everybody's forms, trying to abuse our FORMs to: send junk email post links to on-line casinos and other regionally illegal e-ventures post links to pay-per-view and pay-per-click affiliate sites Those CAPTCHA thingies (where you have to type the letters) are not just for fun. It's only a matter of time before CAPTCHA is useless. Data validation and sanitzation is not just to stop the Good Guys who make typos, but also the Bad Guys who are attempting to abuse your site. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Passing Form As Argument
On Fri, April 21, 2006 4:56 pm, Nicolas Verhaeghe wrote: > I have functions which dynamically generate client-side javascript > validation functions according to the name of the field, its type > (text, password, email, drop down, radio button, textarea, and what > not). > > Same thing server-side. Allow me to expand on why I think this is (generally) a wrong-headed approach. Consider a simple, common example: The phone number. Now, if you're doing this the Right Way and restricting only to the characters known to be valid, then you want only: [0-9] To be nice to users, maybe you allow '-' and space as well. Of course, if it's taking international phone numbers, you want to let them type that leading + sign, but not if it's US-only. Now, if it's a businees-oriented phone number, you want to allow something like: 1-800-CALL-ATT because, by god, they paid big money to get the digits they want and the right to promote/market that 800 number with alpha-characters in it. Yet, to be as restrictive as possible for non-business use with home telephone numbers, you wouldn't want to let that slip by, so you can avoid more pranksters. If you look at it carefully, most of your data in most of your applications *IS* that complicated. Phone numbers? See above. Postal Codes? US or World? Zip +4 or not? Should you not cross-check with country code and a specific regex, for those countries where you KNOW what it should be, and you expect many users? Email address? Man, you could spend a year trying to get this one right, and still have it wrong. So, all-in-all, the "rule" for how to sanitize data, IN MY OPINION, is too application-specific and too domain-specific to be generalized and maintain the level of security most programmers and clients would desire, given the cost/benifit ratios involved for using a pre-packaged sanitizer, or a clear in-line regex of what is kosher for THIS application and THIS domain. To drive this home: If the rule is complicated enough to want a generalized function to handle it, it's probably complicated enough that you do NOT want to over-generalize by using a package function, but want to use the RIGHT regex for that application. This is just my philosophical position, and I'm NOT the expert. -- You can always take it to the nth level and end up not verifying everything but you can prevent most common mistakes. As far as email address, make sure there is something that looks like "[EMAIL PROTECTED]". Same with Zip codes. You can CASS certify it all you want but you'll never be sure that the address is correct until you send snail mail. The idea of such client- and server-side verification is to prevent mistakes that the user could make unwillingly, for instance mixing fields: typing something else than the email address in that field, without realizing it. You can force someone to enter data into a field that absolutely needs to be filled. So far, I have rarely seen people entering fake data into shopping carts or online forms. Why? Because most people don't have time to waste screwing around filling online form with junk. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Passing Form As Argument
On Fri, April 21, 2006 4:56 pm, Nicolas Verhaeghe wrote: > I have functions which dynamically generate client-side javascript > validation functions according to the name of the field, its type > (text, > password, email, drop down, radio button, textarea, and what not). > > Same thing server-side. Allow me to expand on why I think this is (generally) a wrong-headed approach. Consider a simple, common example: The phone number. Now, if you're doing this the Right Way and restricting only to the characters known to be valid, then you want only: [0-9] To be nice to users, maybe you allow '-' and space as well. Of course, if it's taking international phone numbers, you want to let them type that leading + sign, but not if it's US-only. Now, if it's a businees-oriented phone number, you want to allow something like: 1-800-CALL-ATT because, by god, they paid big money to get the digits they want and the right to promote/market that 800 number with alpha-characters in it. Yet, to be as restrictive as possible for non-business use with home telephone numbers, you wouldn't want to let that slip by, so you can avoid more pranksters. If you look at it carefully, most of your data in most of your applications *IS* that complicated. Phone numbers? See above. Postal Codes? US or World? Zip +4 or not? Should you not cross-check with country code and a specific regex, for those countries where you KNOW what it should be, and you expect many users? Email address? Man, you could spend a year trying to get this one right, and still have it wrong. So, all-in-all, the "rule" for how to sanitize data, IN MY OPINION, is too application-specific and too domain-specific to be generalized and maintain the level of security most programmers and clients would desire, given the cost/benifit ratios involved for using a pre-packaged sanitizer, or a clear in-line regex of what is kosher for THIS application and THIS domain. To drive this home: If the rule is complicated enough to want a generalized function to handle it, it's probably complicated enough that you do NOT want to over-generalize by using a package function, but want to use the RIGHT regex for that application. This is just my philosophical position, and I'm NOT the expert. Somebody could show me a whiz-bang pre-packaged sanitizer tomorrow that had all the flags/cases covered and let me tweak them to my satisfaction. The fact that about 1,027 attempts by others to do this have, so far, failed, doesn't negate that. I'm not THAT bull-headed. :-) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Passing Form As Argument
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Friday, April 21, 2006 2:15 PM
To: Nicolas Verhaeghe
Cc: php-general@lists.php.net
Subject: RE: [PHP] Passing Form As Argument
On Fri, April 21, 2006 1:02 am, Nicolas Verhaeghe wrote:
> I'm new to the list so "Hello" to all. I'm drafting a function.php
> page, which will be included() in the pages in need. How would I pass
> a form as an argument of a function? From the name parameter of the
> form element or perhaps an ID:
>
>
> function checkForm(theForm){
> //Form validation code omitted.
You wouldn't.
See, you probably don't really want to pass every form through the same
validation function, because every form is different.
And every input should have the strictest validation possible for that
input.
So you can't really have a generic checkForm function, any more than you can
turn on your "Security" switch and magically make it safe.
It just plain doesn't work like that.
So your function, for now, should just know what form it is checking because
there is only one form it checks.
---
I have functions which dynamically generate client-side javascript
validation functions according to the name of the field, its type (text,
password, email, drop down, radio button, textarea, and what not).
Same thing server-side.
TIMTOWTDI but I cannot be the only one with the idea.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Passing Form As Argument
On Fri, April 21, 2006 1:02 am, Nicolas Verhaeghe wrote:
> I'm new to the list so "Hello" to all. I'm drafting a function.php
> page, which will be included() in the pages in need. How would I pass
> a form as an argument of a function? From the name parameter of the
> form element or perhaps an ID:
>
>
> function checkForm(theForm){
> //Form validation code omitted.
You wouldn't.
See, you probably don't really want to pass every form through the
same validation function, because every form is different.
And every input should have the strictest validation possible for that
input.
So you can't really have a generic checkForm function, any more than
you can turn on your "Security" switch and magically make it safe.
It just plain doesn't work like that.
So your function, for now, should just know what form it is checking
because there is only one form it checks.
You might maybe some day want a big framework of standarized input
names and checks can be automated on some standard kinds of inputs.
But that's a whole different animal from what I'm pretty sure you are
doing today. And it never works all that well, imho, as there are too
many subtle differences in the needs for data validation.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Passing Form As Argument
At 3:46 PM -0700 4/20/06, Chris Kennon wrote:
I'm new to the list so "Hello" to all. I'm drafting a function.php
page, which will be included() in the pages in need. How would I
pass a form as an argument of a function? From the name parameter of
the form element or perhaps an ID:
function checkForm(theForm){
//Form validation code omitted.
}
You can't pass the form, but you can pass the form content, which is
probably what you want anyway.
If it were me, I would place a form value ($theForm) in each fomr as
a hidden variable that would identify which form and I would
pass that to your checkForm($theFrom) function.
From there, I would set up a switch which would channel your
validation. The variables to validate, of course, would be in your
$_POST or $_GET arrays. That should be simple enough.
Also, I seem to recall some caution is needed when using
user-defined functions?
No more so than any other syntax, just do it right.
tedd
--
http://sperling.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Passing Form As Argument
Hi,
I'm new to the list so "Hello" to all. I'm drafting a function.php
page, which will be included() in the pages in need. How would I pass
a form as an argument of a function? From the name parameter of the
form element or perhaps an ID:
function checkForm(theForm){
//Form validation code omitted.
}
Also, I seem to recall some caution is needed when using user-defined
functions?
--
I always try to do server-side and client-side verification.
Client-side with javascript, server-side with PHP.
The coolness with Client-side verification is that it saves the server's
bandwidth and processing time and if you use a focus function you can place
the cursor to where the first error has been spotted.
The issue here is that someone one day makes a mistake you did not think of.
Or someone hacks the form and recreates an html version locally to just piss
you off and try to fill your database with garbage. Or simply hammer your
site with 1 million times the same flawed form to see what happens.
Hence the need for server-side verification as well.
Another plus is that you can do some more complex verifications in PHP. For
instance comparing the zip code with the state by querying a state/zip code
database.
Or even talk to a credit card processor to make sure that the credit card is
valid and has cash, while all the javascript can do is verify the
plausibility of the credit card number.
I am now "AJAX"ing some of my server-side verifications to make it seem like
it is client-side, the goal here is to save time and bandwidth.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Passing Form As Argument
On Thu, April 20, 2006 5:46 pm, Chris Kennon wrote: > I'm new to the list so "Hello" to all. I'm drafting a function.php > page, which will be included() in the pages in need. How would I pass > a form as an argument of a function? From the name parameter of the > form element or perhaps an ID: HTTP does not pass FORM name nor ID attribute. Mainly because the JavaScript guys tacked on FORM name and ID for themselves, and nobody else much cared, really... If you want to, you can always add an INPUT TYPE="HIDDEN" . . . > Also, I seem to recall some caution is needed when using user-defined > functions? I believe the above statement is correct in all particulars, but not very particular. :-) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Passing Form As Argument
At 03:46 PM 4/20/2006, Chris Kennon wrote: I'm drafting a function.php page, which will be included() in the pages in need. How would I pass a form as an argument of a function? Unlike client-side JavaScript, server-side PHP doesn't see the client-side form. All PHP sees are the values of form fields submitted to the server. These are contained in either the $_GET array or the $_POST array, depending on your form method. See the PHP documentation: $_GET: http://php.net/manual/en/reserved.variables.php#reserved.variables.get $_POST: http://php.net/manual/en/reserved.variables.php#reserved.variables.post Paul -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Passing Form As Argument
My first answer to your question would be: "no, you can't refer to an html
form in any way in php". My second answer would be, as usual, a question:
"what, exactly, are you trying to do?"
2006/4/20, Chris Kennon <[EMAIL PROTECTED]>:
>
> Hi,
>
>
> I'm new to the list so "Hello" to all. I'm drafting a function.php
> page, which will be included() in the pages in need. How would I pass
> a form as an argument of a function? From the name parameter of the
> form element or perhaps an ID:
>
>
> function checkForm(theForm){
> //Form validation code omitted.
>
>
>
>
> }
>
>
> Also, I seem to recall some caution is needed when using user-defined
> functions?
>
>
>
> "Art is an expression of life and transcends both time and space.
> We must employ our own souls through art to give a
> new form and a new meaning to nature or the world."
>
> -- Bruce Lee
> _
> Return True,
>
> Christopher Kennon
> Principal/Designer/Programmer -Bushidodeep
> http://bushidodeep.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
[PHP] Passing Form As Argument
Hi,
I'm new to the list so "Hello" to all. I'm drafting a function.php
page, which will be included() in the pages in need. How would I pass
a form as an argument of a function? From the name parameter of the
form element or perhaps an ID:
function checkForm(theForm){
//Form validation code omitted.
}
Also, I seem to recall some caution is needed when using user-defined
functions?
"Art is an expression of life and transcends both time and space.
We must employ our own souls through art to give a
new form and a new meaning to nature or the world."
-- Bruce Lee
_
Return True,
Christopher Kennon
Principal/Designer/Programmer -Bushidodeep
http://bushidodeep.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
