RE: [PHP] Re: question regarding form filtering
-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 March 2007 23:45
To: Tim
Cc: 'Haydar Tuna'; php-general@lists.php.net
Subject: RE: [PHP] Re: question regarding form filtering

> On Wed, March 14, 2007 9:07 am, Tim wrote:
>>> You almost for sure do *NOT* want to attempt to send the entire Webster's 2nd Edition dictionary to the browser as JS data so that the JS can check. :-)
>>
>> Hehe, oh? Really? ;-)
>>
>>> I suppose you could do a Web 2.0 Ajax-y thingie for that...
>>
>> Not a fan of forcing users to download/use ActiveX controls.. (accessibility, usability etc..)
>
> No, I meant using an XmlHttpRequest to compare their password as they type it in the form with the Webster's dictionary up on your server.
>
> Dunno if it would be fast enough to do it per keystroke, but perhaps upon leaving the password field.

Ok, more reading to do then..

>>> For anything that really matters, your sanitation probably ought to be custom-tailored rather than off-the-rack anyway...
>>
>> Glad we share this opinion..
>>
>>> Plus, the easy ones are easy, and the framework probably won't handle the hard ones, so what's the point of the clutter of the framework?
>>>
>>> So I personally wouldn't even go down this road.
>>
>> Erm, gonna have to explain to me what you mean... (easy ones are easy.. etc.)
>
> What I mean is that trying to write a Framework for your sanitization routines will lock you into that Framework.
>
> So while PCRE is *great* for most sanitization routines, it's not the Right Answer for all of them. But if your framework only does PCRE, you've given up on custom sanitization for an off-the-rack answer, and are using a hammer on a screw sooner or later.
>
> The easy ones, like username or email, are a one-liner anyway, or a few lines of code at most.
>
> The really complex ones, like password, probably won't fit into any generic Framework you can build.
>
> I think it's better to hand-craft this code on each, rather than trying to generalize it.

Ok, I see what you are saying.

I have left my class open to new features; it's pretty flexible, so I can integrate these features in the near future (or maybe write a validation class that extends the form class for when I need these special validations). This opens up possibilities for both generic and hand-crafted validation. So far I have no public user system (nor the need), so verifying public passwords is not on the work list yet.. I WILL keep that in mind and will experiment with different systems that enable specific validation for certain types of input.. For the time being I am just either using forms to retrieve data from a database (all standard word chars) or putting information into the database from an admin console (again all standard word chars), so PCRE does the job just fine and saves me from coding twice, PHP then JavaScript. If I had more time and fewer due dates I would do it; maybe I'll think about it while on vacation? hehe

Thanks again

Regards,

Tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: question regarding form filtering
I personally would not presume that PHP and JS regex patterns are 100% compatible...

Store a separate pattern for each.

And, actually, the PHP check might be more involved than the JS check.

For example, if the user is making up a password, and this password has access to something that's actually sensitive and worth protecting (money, medical records, private matters)...

You should probably have JS and PHP check that the password is long enough, has mixed alpha and digit, that the password and confirmation match, that neither password nor username contains the other as a substring, etc.

But in PHP you'd probably *ALSO* want to check against a database of words (say the one in /usr/share/web2, Webster's 2nd Edition dictionary, now in the public domain) and make sure they did not choose a simple word.

You almost for sure do *NOT* want to attempt to send the entire Webster's 2nd Edition dictionary to the browser as JS data so that the JS can check. :-)

I suppose you could do a Web 2.0 Ajax-y thingie for that...

At any rate, the validation in JS may not always be exactly the same as in PHP, even if their PCRE patterns are 100% compatible, which I doubt.

For anything that really matters, your sanitation probably ought to be custom-tailored rather than off-the-rack anyway...

Plus, the easy ones are easy, and the framework probably won't handle the hard ones, so what's the point of the clutter of the framework?

So I personally wouldn't even go down this road.

I expect many on this list to disagree with the preceding 2 paragraphs.

YMMV

On Tue, March 13, 2007 9:36 am, Tim wrote:
> -----Original Message-----
> From: Haydar Tuna [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 13 March 2007 14:53
> To: php-general@lists.php.net
> Subject: [PHP] Re: question regarding form filtering
>
>> Hello,
>>
>> You can write some basic functions such as checking the length of a variable, removing special characters, checking number or string, trimming blank lines and so on. And then you can use these functions together and you can write new functions. For example, if you want to check a number (such as digit count is 4), you can write something like checknumber($number,$digit). With this function, you can use the length-of-variable function, the remove-special-characters function, the check-number-or-string function and the trim-blank-lines function together. :)
>
> Sure, I hear you, have been there and done that in the past. Maybe the situation I am in will help describe why I am going for regular expressions..
>
> I have made a form generation/(soon to be) validation class with integrated contextual help via JavaScript info popups. I would like to offer the possibility of JavaScript validation for those that have it enabled, for obvious practical reasons, being less work load on the server if each does his own validation on the client side, and of course server-side validation for security reasons..
>
> Now my forms are made like this:
>
> // options array for new form
> $form_options = array(
>     'name'   => 'parametres_site',
>     'aide'   => 'Enregistrer les modifications apportées aux coordonnées de l\'entreprise',
>     'bouton' => 'Mettre à jour les paramètres'
> );
>
> // initialize form class and add new form
> $form = new formulaire($this->debug_mode, $form_options);
>
> // initialize inputs array
> $input_options = array();
>
> // add a text input with various options based on its type (default values are not listed)
> $input_options[] = array(
>     'name'      => 'nom',
>     'type'      => 'text',
>     'maxlength' => '35',
>     'size'      => '35',
>     'label'     => 'Votre nom :',                          // label
>     'regexp'    => '/^[a-zA-Z1-9_ -]{0,35}$/',             // regexp for content filtering (hyphen last so it is literal)
>     'newline'   => 0,                                      // no new line (next input on same line)
>     'aide'      => 'Le nom qui apparaîtra sur votre site', // contextual help msg
>     'erreur'    => 'Mauvais caractères dans le nom'        // error msg in case of bad input based on regexp
> );
> $form->add_inputs($input_options, 'parametres_site');
>
> // generate form and if success assign html_form to $content
> if ($form->generer_formulaire('parametres_site')) {
>     $content = $form->html_forms['parametres_site'];
> }
>
> // echo the form to the page
> echo $content;
>
> Ok so my reason being for using regexp
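Added example (my code, not Richard's or Tim's, and not part of the thread): the server-side password checks Richard lists above, in PHP. The word list is a small constructed one standing in for /usr/share/dict/web2; the 8-character minimum and the stripping of trailing digits before the dictionary lookup are my assumptions.

```php
<?php
// Added example: minimum length, mixed letters and digits, confirmation
// match, no substring relation between username and password, and a
// dictionary lookup. Constants and the digit-stripping rule are assumptions.

const MIN_PASSWORD_LENGTH = 8;

// One word per line (the web2 layout); returns a set keyed by lowercase word.
function load_dictionary(string $path): array
{
    $words = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $w) {
        $words[strtolower(trim($w))] = true;
    }
    return $words;
}

// Returns a list of problems; an empty list means the password is acceptable.
function password_problems(string $user, string $pass, string $confirm, array $dict): array
{
    $problems = [];
    if ($pass !== $confirm) {
        $problems[] = 'password and confirmation differ';
    }
    if (strlen($pass) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[A-Za-z]/', $pass) || !preg_match('/[0-9]/', $pass)) {
        $problems[] = 'needs both letters and digits';
    }
    $u = strtolower($user);
    $p = strtolower($pass);
    if ($u !== '' && $p !== '' && (strpos($p, $u) !== false || strpos($u, $p) !== false)) {
        $problems[] = 'username and password contain each other';
    }
    // Dictionary check on the lowercased password and on the same string
    // with trailing digits removed, so "secret99" is still caught as "secret".
    $stem = preg_replace('/[0-9]+$/', '', $p);
    if (isset($dict[$p]) || isset($dict[$stem])) {
        $problems[] = 'is a dictionary word';
    }
    return $problems;
}

// Constructed word list, written to a temp file so the loader reads it like web2.
$tmp = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($tmp, "apple\nsecret\npassword\nwebster\n");
$dict = load_dictionary($tmp);
unlink($tmp);

foreach ([
    ['tim', 'secret99', 'secret99'], // dictionary word plus digits
    ['tim', 'tim2007x', 'tim2007x'], // contains the username
    ['tim', 'Xq7!pmdv', 'Xq7!pmdv'], // acceptable
    ['tim', 'Xq7!pmdv', 'Xq7!pmdw'], // confirmation mismatch
] as [$u, $p, $c]) {
    $problems = password_problems($u, $p, $c, $dict);
    printf("%-10s -> %s\n", $p, $problems ? implode('; ', $problems) : 'ok');
}
```

Everything here runs on the server; the same length and mixed-character rules can be duplicated in JavaScript for convenience, but the dictionary lookup stays server-side, which is Richard's point about the two checks not being identical.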
RE: [PHP] Re: question regarding form filtering
-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 March 2007 09:48
To: Tim
Cc: 'Haydar Tuna'; php-general@lists.php.net
Subject: RE: [PHP] Re: question regarding form filtering

> I personally would not presume that PHP and JS regex patterns are 100% compatible...
>
> Store a separate pattern for each.

Fair enough, beats writing a new function for each :)

> And, actually, the PHP check might be more involved than the JS check.
>
> For example, if the user is making up a password, and this password has access to something that's actually sensitive and worth protecting (money, medical records, private matters)...

Not yet, but maybe future clients? ;) (archived)

> You should probably have JS and PHP check that the password is long enough, has mixed alpha and digit, that the password and confirmation match, that neither password nor username contains the other as a substring, etc.
>
> But in PHP you'd probably *ALSO* want to check against a database of words (say the one in /usr/share/web2, Webster's 2nd Edition dictionary, now in the public domain) and make sure they did not choose a simple word.

Good idea, sounds like Plesk internals here.. I'll most definitely keep this in mind when I implement the user management system in the framework..

> You almost for sure do *NOT* want to attempt to send the entire Webster's 2nd Edition dictionary to the browser as JS data so that the JS can check. :-)

Hehe, oh? Really? ;-)

> I suppose you could do a Web 2.0 Ajax-y thingie for that...

Not a fan of forcing users to download/use ActiveX controls.. (accessibility, usability etc..)

> At any rate, the validation in JS may not always be exactly the same as in PHP, even if their PCRE patterns are 100% compatible, which I doubt.

I'll do some experimenting with this..

> For anything that really matters, your sanitation probably ought to be custom-tailored rather than off-the-rack anyway...

Glad we share this opinion..

> Plus, the easy ones are easy, and the framework probably won't handle the hard ones, so what's the point of the clutter of the framework?
>
> So I personally wouldn't even go down this road.

Erm, gonna have to explain to me what you mean... (easy ones are easy.. etc.)

Once again thanks Richard, am well on my way now ;)

Regards,

Tim

Programming is a race between people making better and faster programs and the universe making bigger and dumber people. So far the universe is winning.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: question regarding form filtering
On Wed, March 14, 2007 9:07 am, Tim wrote:
>> You almost for sure do *NOT* want to attempt to send the entire Webster's 2nd Edition dictionary to the browser as JS data so that the JS can check. :-)
>
> Hehe, oh? Really? ;-)
>
>> I suppose you could do a Web 2.0 Ajax-y thingie for that...
>
> Not a fan of forcing users to download/use ActiveX controls.. (accessibility, usability etc..)

No, I meant using an XmlHttpRequest to compare their password as they type it in the form with the Webster's dictionary up on your server.

Dunno if it would be fast enough to do it per keystroke, but perhaps upon leaving the password field.

>> For anything that really matters, your sanitation probably ought to be custom-tailored rather than off-the-rack anyway...
>
> Glad we share this opinion..
>
>> Plus, the easy ones are easy, and the framework probably won't handle the hard ones, so what's the point of the clutter of the framework?
>>
>> So I personally wouldn't even go down this road.
>
> Erm, gonna have to explain to me what you mean... (easy ones are easy.. etc.)

What I mean is that trying to write a Framework for your sanitization routines will lock you into that Framework.

So while PCRE is *great* for most sanitization routines, it's not the Right Answer for all of them. But if your framework only does PCRE, you've given up on custom sanitization for an off-the-rack answer, and are using a hammer on a screw sooner or later.

The easy ones, like username or email, are a one-liner anyway, or a few lines of code at most.

The really complex ones, like password, probably won't fit into any generic Framework you can build.

I think it's better to hand-craft this code on each, rather than trying to generalize it.

YMMV

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: question regarding form filtering
Hello,

You can write some basic functions such as checking the length of a variable, removing special characters, checking number or string, trimming blank lines and so on. And then you can use these functions together and you can write new functions. For example, if you want to check a number (such as digit count is 4), you can write something like checknumber($number,$digit). With this function, you can use the length-of-variable function, the remove-special-characters function, the check-number-or-string function and the trim-blank-lines function together. :)

--
Haydar TUNA
Republic Of Turkey - Ministry of National Education
Education Technology Department
Ankara / TURKEY
Web: http://www.haydartuna.net

Tim Earl [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> HI all,
>
> Well I have been going through various methods of filtering form data, and the one I never see is filtering form data using regular expressions (although the HTML form and validation class by Manuel Lemos does seem to use them); this is the only one I could find. I often see lines like (for checking a 4-character number, for example):
>
> $input_value = htmlentities($input_value);
> if (strval(intval($input_value)) && strlen($input_value) == 4) {
>     // do something with validated data (maybe put in valid array or something)
> }
>
> Ok so what's wrong with good ole:
>
> if (preg_match('/^[0-9]{4}$/', trim($input_value))) {
>     // do something with validated data (maybe put in valid array or something)
> }
>
> Am I going to get a performance hit if I validate all my fields with regular expressions? As I see it I am only calling one function (ok, 2 with the trim()) to validate my form data.
>
> Just wondering what you all thought about these different methods, and what approach suits best a given situation..
>
> Regards,
>
> Tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
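Added example (my code, not Tim's or Haydar's, and not part of the thread): Tim's two checks for a four-digit field run side by side over constructed inputs, next to two variants that show where trim() and PCRE's '$' change the answer. The first function is my reading of his intval() snippet; the '&&' between its two conditions is assumed.

```php
<?php
// Added example: the intval() check, Tim's preg_match() check, the same
// pattern without trim(), and the same pattern with the D modifier.

// intval() swallows leading whitespace, a sign and trailing junk, and
// strval(0) is "0", which is falsy, so the length check does most of the work.
function four_digits_intval(string $v): bool
{
    return strval(intval($v)) && strlen($v) == 4;
}

// Tim's version: trim() first, then anchored digits.
function four_digits_regex(string $v): bool
{
    return preg_match('/^[0-9]{4}$/', trim($v)) === 1;
}

// Same pattern without trim(): PCRE's '$' also matches just before a final
// "\n", so "1234\n" passes. A value that passed validation but still carries
// a newline is the kind of thing that later breaks a header or a log line.
function four_digits_dollar(string $v): bool
{
    return preg_match('/^[0-9]{4}$/', $v) === 1;
}

// The D modifier (or \z in place of $) pins the match to the true end.
function four_digits_strict(string $v): bool
{
    return preg_match('/^[0-9]{4}$/D', $v) === 1;
}

// Constructed inputs.
$samples = ["1234", "0123", "12ab", "-123", " 1234 ", "1234\n", "abcd", "12345"];
printf("%-10s %-7s %-7s %-7s %-7s\n", 'input', 'intval', 'trim+$', '$', 'D');
foreach ($samples as $s) {
    printf("%-10s %-7s %-7s %-7s %-7s\n", json_encode($s),
        four_digits_intval($s) ? 'yes' : 'no',
        four_digits_regex($s)  ? 'yes' : 'no',
        four_digits_dollar($s) ? 'yes' : 'no',
        four_digits_strict($s) ? 'yes' : 'no');
}
```

The intval() check accepts "12ab" and "-123"; the trimmed regex accepts " 1234 " and "1234\n" (fine only if the trimmed value, not the raw one, is what gets stored); the untrimmed '$' still accepts "1234\n"; only the D form rejects everything that is not exactly four digits. htmlentities() does not belong in any of these: it is output encoding for HTML, applied when the value is printed into a page, not a validation step.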
RE: [PHP] Re: question regarding form filtering
-----Original Message-----
From: Haydar Tuna [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 13 March 2007 14:53
To: php-general@lists.php.net
Subject: [PHP] Re: question regarding form filtering

> Hello,
>
> You can write some basic functions such as checking the length of a variable, removing special characters, checking number or string, trimming blank lines and so on. And then you can use these functions together and you can write new functions. For example, if you want to check a number (such as digit count is 4), you can write something like checknumber($number,$digit). With this function, you can use the length-of-variable function, the remove-special-characters function, the check-number-or-string function and the trim-blank-lines function together. :)

Sure, I hear you, have been there and done that in the past. Maybe the situation I am in will help describe why I am going for regular expressions..

I have made a form generation/(soon to be) validation class with integrated contextual help via JavaScript info popups. I would like to offer the possibility of JavaScript validation for those that have it enabled, for obvious practical reasons, being less work load on the server if each does his own validation on the client side, and of course server-side validation for security reasons..

Now my forms are made like this:

// options array for new form
$form_options = array(
    'name'   => 'parametres_site',
    'aide'   => 'Enregistrer les modifications apportées aux coordonnées de l\'entreprise',
    'bouton' => 'Mettre à jour les paramètres'
);

// initialize form class and add new form
$form = new formulaire($this->debug_mode, $form_options);

// initialize inputs array
$input_options = array();

// add a text input with various options based on its type (default values are not listed)
$input_options[] = array(
    'name'      => 'nom',
    'type'      => 'text',
    'maxlength' => '35',
    'size'      => '35',
    'label'     => 'Votre nom :',                          // label
    'regexp'    => '/^[a-zA-Z1-9_ -]{0,35}$/',             // regexp for content filtering (hyphen last so it is literal)
    'newline'   => 0,                                      // no new line (next input on same line)
    'aide'      => 'Le nom qui apparaîtra sur votre site', // contextual help msg
    'erreur'    => 'Mauvais caractères dans le nom'        // error msg in case of bad input based on regexp
);
$form->add_inputs($input_options, 'parametres_site');

// generate form and if success assign html_form to $content
if ($form->generer_formulaire('parametres_site')) {
    $content = $form->html_forms['parametres_site'];
}

// echo the form to the page
echo $content;

Ok so my reason for using regexp is that by defining a regexp my class can also use this regexp to generate the JavaScript needed to validate each form on the page, as opposed to writing the same functions in both PHP and JavaScript (the class permits an unlimited number of forms on one page).

My process would be:

1. Display blank form (generate the JavaScript necessary for client-side form validation using the regexp)
2. Submit form to JavaScript filtering
3. If JS filter succeeds then send to PHP filtering
4. Stock all temporary inputs in $formvars array
5. Match each $formvars against regexp
6. Do something with validated data

My goal is to make this general and not have to write a function for each type of input; am happier writing a short regexp for each input than writing a new function for each type I could come across...

NOW, my original question is why should I or should I not use regexp?? Is there a performance hit or not? Why do I not see anyone just using regexp instead of going through htmlentities(), stripslashes(), strip_tags()? I mean, if the regexp doesn't validate it then it's wrong.. Period.. User friendliness maybe? Try to make it easier for the person filling the form? Am stumped, can't seem to find the real reason...

Regards,

Tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
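Added example (my code, not Tim's formulaire class, not Richard's, and not part of the thread) covering two points raised above: Richard's warning that PHP and JS regex patterns are not 100% compatible, and Tim's plan to drive both the generated JavaScript (step 1) and the PHP check (steps 4 and 5) from one regexp per field. Assumptions: each field spec carries 'name', 'regexp', 'maxlength' and 'erreur'; patterns use '/' delimiters; the form name is a valid JavaScript identifier; the 'nom' pattern and the POST body are constructed; PHP 7.1 or later.

```php
<?php
// Added example: one field spec drives the PHP check and the emitted JS check.

// Split "/body/modifiers" into [body, modifiers], or null if not that shape.
function split_pcre(string $pcre): ?array
{
    if (!preg_match('~^/(.*)/([A-Za-z]*)$~sD', $pcre, $m)) {
        return null;
    }
    return [$m[1], $m[2]];
}

// Server side: add the D modifier so '$' matches only at the very end.
// Without D, PCRE lets '$' match before a trailing "\n", which JavaScript
// never does, so PHP would accept a "1234\n" that the browser check rejects.
function pcre_strict(string $pcre): string
{
    $parts = split_pcre($pcre);
    if ($parts === null) {
        throw new InvalidArgumentException("not a /body/mods pattern: $pcre");
    }
    [$body, $mods] = $parts;
    if (strpos($mods, 'D') === false) {
        $mods .= 'D';
    }
    return "/$body/$mods";
}

// Client side: [body, flags] for new RegExp(), or null when the pattern uses
// something JavaScript regexes lack. Null means "no client check for this
// field"; the server check still runs, so only convenience is lost.
function pcre_to_js(string $pcre): ?array
{
    $parts = split_pcre($pcre);
    if ($parts === null) {
        return null;
    }
    [$body, $mods] = $parts;
    // Lookbehind, atomic groups, PCRE-style named groups, \A \z \Z anchors,
    // possessive quantifiers. A false positive here only drops the client check.
    foreach (['(?<=', '(?<!', '(?>', '(?P<', '\A', '\z', '\Z', '*+', '++', '?+', '}+'] as $needle) {
        if (strpos($body, $needle) !== false) {
            return null;
        }
    }
    // i and m mean the same in JS; D is JS's default; anything else (x, s, u, ...) is refused.
    if (!preg_match('/^[imD]*$/', $mods)) {
        return null;
    }
    return [$body, str_replace('D', '', $mods)];
}

// Steps 4 and 5: bound each field's length and match it against the strict
// pattern. Returns [validated values, error messages keyed by field].
function validate_fields(array $specs, array $input): array
{
    $valid = [];
    $errors = [];
    foreach ($specs as $spec) {
        $name = $spec['name'];
        // nom[]=x arrives as an array, and preg_match() on an array is an
        // error, so anything that is not a string is treated as absent.
        $raw = (isset($input[$name]) && is_string($input[$name])) ? $input[$name] : '';
        if (strlen($raw) > (int) $spec['maxlength']
            || preg_match(pcre_strict($spec['regexp']), $raw) !== 1) {
            $errors[$name] = $spec['erreur'];
        } else {
            $valid[$name] = $raw;
        }
    }
    return [$valid, $errors];
}

// Step 1: the JavaScript for one form, emitted from the same specs.
// json_encode() yields correctly escaped JS string literals, so a pattern
// body with backslashes or quotes cannot break out of the script.
function emit_js_validator(string $form, array $specs): string
{
    $lines = ["function validate_$form(f) {"];
    foreach ($specs as $spec) {
        $js = pcre_to_js($spec['regexp']);
        if ($js === null) {
            continue; // server-only field
        }
        [$body, $flags] = $js;
        $lines[] = sprintf('  if (!new RegExp(%s, %s).test(f.elements[%s].value)) { alert(%s); return false; }',
            json_encode($body), json_encode($flags), json_encode($spec['name']), json_encode($spec['erreur']));
    }
    $lines[] = '  return true;';
    $lines[] = '}';
    return implode("\n", $lines);
}

// Constructed specs and POST body. The 'tag' pattern uses an atomic group,
// so it gets no client-side check.
$specs = [
    ['name' => 'nom',  'regexp' => '/^[a-zA-Z0-9_ -]{0,35}$/', 'maxlength' => 35, 'erreur' => 'Mauvais caractères dans le nom'],
    ['name' => 'code', 'regexp' => '/^[0-9]{4}$/',            'maxlength' => 4,  'erreur' => 'Code must be four digits'],
    ['name' => 'tag',  'regexp' => '/^(?>[a-z]+)$/',          'maxlength' => 20, 'erreur' => 'Bad tag'],
];
$post = ['nom' => 'Tim Earl', 'code' => "1234\n", 'tag' => 'abc'];

[$valid, $errors] = validate_fields($specs, $post);
print_r($valid);   // nom and tag
print_r($errors);  // code: the trailing newline no longer slips past '$'
echo emit_js_validator('parametres_site', $specs), "\n";
```

The client-side function is a courtesy to the user; the only check that counts is validate_fields(), which runs whether or not the browser ran the script. Keeping the PCRE pattern as the single source and deriving the JS from it, refusing rather than guessing when a construct has no JS equivalent, is one way to follow Richard's advice to keep the two patterns separate without maintaining them by hand.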