php-general Digest 30 Sep 2006 09:29:28 -0000 Issue 4376

Topics (messages 242408 through 242417):

Automagically using Pecl Filter for user input
        242408 by: Graham Anderson

Re: class usage
        242409 by: benifactor

Re: mysql_real_escape_string() question
        242410 by: tedd
        242412 by: Chris Shiflett

Re: Filter MS Word Garbage
        242411 by: Chris Shiflett

How to effectuate translations
        242413 by: AR
        242414 by: Rafael Mora

Rapid application development
        242415 by: Ahmad Al-Twaijiry
        242416 by: Peter Lauri

moving file from one server to another
        242417 by: Nick Wilson

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
How can I use PECL Filter to 'automagically' filter user input?

I DO understand calling the PECL filter directly in a PHP script like so:
<?php
// Explicit, per-field validation with the PECL filter API of the time
// (input_get() and the FL_* constants); each value lands in $clean only
// after passing its filter, anything else is rejected.
$clean = array();

$clean['name'] = input_get(INPUT_POST, 'name', FL_REGEXP, array ('regexp' => '^[\w ]+$'));
$clean['age']   = input_get(INPUT_POST, 'age',   FL_INT);
$clean['email'] = input_get(INPUT_POST, 'email', FL_EMAIL);
$clean['list']  = input_get(INPUT_POST, 'list',  FL_BOOLEAN);
?>

But where does 'automagically' come into play?
Does 'automagically' mean preconfiguring the filter to run from a configuration script like php.ini?

I am referencing a Rasmus article.
http://toys.lerdorf.com/index.php?url=archives/38-The-no-framework-PHP-MVC-framework.html&serendipity[csuccess]=moderate#feedback


many thanks

--- End Message ---
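An added example, not from the post above or from Rasmus's article: the same four fields validated with the filter extension as it was bundled with PHP 5.2 (filter_input() and the FILTER_* constants; the input_get()/FL_* names in the post are the pre-1.0 PECL names), followed by the php.ini directives that the "automagic" part refers to. The field names and bounds are the post's or assumed.

```php
<?php
// Added example, not code from the original post or from Rasmus's article.
declare(strict_types=1);

/**
 * Explicit validation. Returns the cleaned fields; a field is null when
 * absent from the request and false when present but rejected by its
 * filter, so callers can tell the two apart.
 */
function clean_post(): array
{
    $clean = [];

    // Validating filters reject bad input instead of mangling it.
    // FILTER_VALIDATE_REGEXP needs a delimited PCRE pattern; the length
    // bound also keeps an attacker from shipping megabytes in "name".
    $clean['name']  = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[\w ]{1,64}$/']]);
    $clean['age']   = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);  // bounds assumed
    $clean['email'] = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    // true only for "1", "true", "on", "yes"; an unchecked checkbox is
    // simply absent (null), which the cast turns into false.
    $clean['list']  = (bool) filter_input(INPUT_POST, 'list', FILTER_VALIDATE_BOOLEAN);

    return $clean;
}

// The "automagic" part is configuration, not code. With these php.ini
// settings the extension runs a sanitizing filter over $_GET, $_POST,
// $_COOKIE, $_REQUEST and $_SERVER before any script sees them:
//
//   filter.default       = special_chars
//   filter.default_flags = 0   ; encode quotes too; the default leaves them alone
//
// filter_input() still reads the original request data, so clean_post()
// above behaves the same whether or not filter.default is set.
// Two caveats: a sanitizing filter transforms, it never rejects, so
// "age=abc" is still not an integer after it; and it applies to $_SERVER
// too, so anything echoing REQUEST_URI or similar gets the encoded form.
function raw_post(string $field): ?string
{
    // FILTER_UNSAFE_RAW returns the bytes as sent, bypassing filter.default;
    // needed e.g. for a field that legitimately carries HTML and is cleaned
    // by a dedicated HTML filter later.
    $value = filter_input(INPUT_POST, $field, FILTER_UNSAFE_RAW);
    return $value === false ? null : $value;
}
```

The practical answer to the question is therefore: filter.default is a safety net that sanitizes every superglobal at once, while per-field validation as in clean_post() is still what decides whether a value is acceptable, and the two do not interfere because filter_input() sees the raw request.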
--- Begin Message ---
Thank you all for your input, and thank you Richard for breaking that down
nice and slow for me :) Uhh, that was just me trying to see how a class
works, and is by no means a real program and will never be. Just as I was
coding my first class I confused myself thinking that I could do the same
stuff without classes and such... However, I need to make trivial useless
scripts to learn before I come across the need to use real classes and
objects, to avoid ending up lost and begging the list for help. Any other
comments would also be appreciated... Thanks again.
----- Original Message ----- 
From: "Richard Lynch" <[EMAIL PROTECTED]>
To: "benifactor" <[EMAIL PROTECTED]>
Cc: "php" <[email protected]>
Sent: Friday, September 29, 2006 9:07 AM
Subject: Re: [PHP] class usage


> On Fri, September 29, 2006 4:35 am, benifactor wrote:
> > ..and this seems to work fine, i could easily add  the mail function
> > and insert real variables into send() but what i don't understand is i
> > could also easily do this without a class... so i guess the real
> > question is what are some real life examples of class usage and why is
> > it used as  opposed to regular non oop? thank you for any input into
> > the subject that you may have.
>
> For something that small, using a class is ridiculous, bloated,
> over-engineered pointless exercise.
>
> Rather than type "ridiculous, bloated, over-engineered pointless
> exercise" in this email again, I'll simply dub that "Wrong Answer" and
> type that a lot.
>
> In fact, for almost *ANY* small/simple problem OOP is the "Wrong Answer".
>
> OOP shines, however, in some large-scale usage:
>
> #1. One architect, many developers
> If you have ONE project architect cleanly map out a Plan in the form
> of a large class structure, with a clear and clean internal API, and a
> bunch of junior programmers to fill in the details, the Architect can
> use OOP with stub functions, just like you wrote above, to build the
> framework, and the junior programmers can fill in all the stubs.
>
> #2 Real-world parallels
> Sometimes when modeling real-world parallels (or even Virtual World
> parallels like game prototyping, windowing systems, etc) having OOP
> leads to a very natural readable maintainable code-base, as the
> operations and variables and the interaction between them mirrors to a
> large extent the operation and interaction between their real-world
> counterparts.
>
> The biggest problem in OOP, in my experience, is that you have many
> developers, like yourself, who begin using OOP solely because they are
> told that "it's better"
>
> Many of these developers then go on to write *BAD* OOP code, for all
> the wrong reasons, in all the wrong places, to solve trivial problems
> with the "Wrong Answer".
>
> Many of these developers continue to use the "Wrong Answer" over and
> over, and never actually utilize any of the strengths of OOP, but
> instead train themselves to misapply OOP.  Their code "works" it's
> just oftentimes the "Wrong Answer"
>
> Unfortunately, learning to use OOP correctly is a long-term process,
> and you have to do a bunch of trivial things with the "Wrong Answer"
> just to figure out how it works -- Which means you really should re-do
> them as non OOP, or be doing them solely as a means of learning and
> not throwing them into Production.
>
> Alas, this is not how 99% of OOP code in Production ends up in
> Production...  All too often, it's the "Wrong Answer" that gets thrown
> into Production.
>
> This is not meant as a "dis" of the great OOP code out there.  I've
> seen some very very very nice OOP systems in the past -- in Lisp, to
> solve large-scale problems.
>
> In PHP, to spit out a web page in under 1.7 seconds, not so much. :-)
>
> I'm sure somebody out there has a GREAT PHP web application with a
> complex backend all in OOP.  So far, all I've seen is "Wrong Answer".
>
> YMMV
>
> -- 
> Like Music?
> http://l-i-e.com/artists.htm
>
>

--- End Message ---
--- Begin Message ---
At 11:41 AM -0500 9/29/06, Richard Lynch wrote:
> On Thu, September 28, 2006 2:06 pm, tedd wrote:
> > I realize that you are not asking for an answer, but for a guide --
> > however -- isn't the real problem here simply one of injection? Just
> > stop the user from injecting stuff in the subject and that would fix
> > it right? Or, am I underestimating the problem?
>
> Underestimating.
>
> Stopping header injection is only one step of a potential world of
> problems.
>
> Consider that the user could provide *ANY* string, of any size, of any
> composition, for their "Subject"
>
> Maybe they POST a worm in Subject, and it has no newlines, but still
> manages to propagate through Outlook.

Then limiting the number of "characters" allowed would provide a degree of security. Worms take some amount of space and reducing that allotment makes it harder to create one.

> I know nada about Unicode, uuencode, and all that crap.

Unicode is nothing more than an expanded ASCII (I'll get flamed for that statement).

But, Unicode is simply extending the 7-bit ASCII problem to 8-bit so that more code-points (characters) can be added for global communications. If you understand ASCII, then you have the basics for Unicode.

> So with all these potential issues, I'm wondering if there isn't a
> more systemic approach to this.

Identify the problem. One of the axioms in security programming is something like "Don't program for things that might be, but rather for things that are known." I think Shiflett said something to that effect in his book.

If you can show me the minimum size for a worm, then setting the character limit in a subject line would protect from that -- but -- are worms, or other evil code, transmitted by subject lines?

> #2. The docs, wonderful as they are, don't really lay out something as
> fundamental as the right escape function for situation X, because you
> need a degree in CS just to "know" that X is really a Y so the right
> function is Z.

Degrees are overrated -- I have plenty of them and I'm still asking questions. Just give me someone who knows WTF they're doing, and that's fine with me. IMO, technology is moving too fast for colleges to keep up. It's the people on the bleeding edge that are innovating, not the ones in the classroom.

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
Richard Lynch wrote:
> Though I confess, I'm sometimes at a loss how to properly escape
> certain data for certain situations...
> 
> Here's an example:
> Take the Subject of an email.
> 
> Sure, I've sanitized it to be sure there are no newlines for header
> injection.
> 
> But now how do I properly escape it to be sure it's a kosher email
> subject?
> 
> Where's the PHP function smtp_escape()?

Some contexts don't require/support escaping. It's a bummer in the sense
that it places more responsibility on your filtering, but that's about it.

In several cases, ctype_print() can be used as a nice defense in depth
mechanism to make sure there are no newlines or carriage returns (or
anything else that isn't printable).

> I'm looking for a guide, a chart, a grid, an organized systemic
> documentation of what data should be escaped how as it travels
> through the "glue" that is PHP...

That's a great idea. Want to write it? :-) I'd be happy to help.

Chris

-- 
Chris Shiflett
http://shiflett.org/

--- End Message ---
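An added example, not from either of the two messages above, putting together what tedd (a length cap) and Chris (ctype_print() as defence in depth, since there is no escaping function for an email Subject) describe. The sample subjects are constructed; the 78-character cap is an assumption taken from the RFC 5322 line-length recommendation, and mail() itself is not called so the block runs offline.

```php
<?php
// Added example; not code from the thread. Filtering-only validation of an
// email Subject before it reaches mail(): there is nothing to escape in
// this context, so anything that is not plain printable ASCII is rejected.
declare(strict_types=1);

function valid_subject(string $subject, int $maxLen = 78): bool
{
    // ctype_print(): every byte is printable ASCII (0x20..0x7E). That
    // excludes CR and LF (header injection), NUL, every other control
    // character, and any byte >= 0x80. A non-ASCII subject therefore fails
    // here and must be MIME-encoded (RFC 2047) by the sender, not passed raw.
    if ($subject === '' || !ctype_print($subject)) {
        return false;
    }
    // Length cap (assumed value): bounds what an attacker can place in the
    // header, independent of what the bytes are.
    return strlen($subject) <= $maxLen;
}

// Constructed sample inputs and the expected verdicts.
$samples = [
    'Question about your product'            => true,
    "Hi\r\nBcc: attacker@example.com"        => false, // header injection attempt
    "Price is 5\x00 dollars"                 => false, // NUL byte
    "R\xc3\xa9sum\xc3\xa9"                   => false, // UTF-8, needs RFC 2047 encoding first
    str_repeat('A', 200)                     => false, // over the length cap
];

foreach ($samples as $subject => $expected) {
    if (valid_subject($subject) !== $expected) {
        throw new LogicException('unexpected verdict for ' . json_encode($subject));
    }
}
echo "all sample subjects classified as expected\n";
```

If legitimate users need non-ASCII subjects, run the same checks on the string and then hand it to mb_encode_mimeheader() rather than loosening the check: the encoded header is itself printable ASCII, so validation stays strict and the character set question is handled in one place.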
--- Begin Message ---
Kevin Murphy wrote:
> I keep getting garbage characters in there, usually
> associated with Smart Quotes.

This might be helpful:

http://shiflett.org/archive/165

Chris

-- 
Chris Shiflett
http://shiflett.org/

--- End Message ---
--- Begin Message ---
Hi,

I'm coding this software that has several files for several languages,
so that users can choose the one that suits them.

My question is what is the best way to integrate this in the PHP code,
i. e., to make it work.

Any help would be appreciated.

Warm regards,
Augusto Reis

--- End Message ---
--- Begin Message ---
Hi! Well, you can write your messages in different files, and make a
class where you can put a method like getMessage($_type); this class could
contain the language already selected, and just load the messages for that
language in an array (or another easy-to-use PHP data structure).

What do you think?

I know nothing about this, but I hope this helps you.

Rafa


On 9/29/06, AR <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I'm coding this software that has several files for several languages,
> so that users can choose the one that suits them.
>
> My question is what is the best way to integrate this in the PHP code,
> i. e., to make it work.
>
> Any help would be appreciated.
>
> Warm regards,
> Augusto Reis
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php



--- End Message ---
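An added example, not from either message above, of the approach Rafael sketches: one message file per language, loaded into an array by a small class with a get() method. The language codes, file names and directory layout are assumptions. The point a practitioner should take from it is that the language code arrives from the user (cookie, query string, Accept-Language), so it is mapped through a fixed list and never used to build a file path directly.

```php
<?php
// Added example; not code from the thread. Assumed layout: $dir/en.php,
// $dir/pt.php, ... each of which just does  return ['greeting' => 'Hello', ...];
declare(strict_types=1);

final class Messages
{
    // The only files that can ever be loaded. User input is looked up here,
    // never concatenated into a path, so "../../etc/passwd" or "en.php\0"
    // cannot reach require.
    private const SUPPORTED = ['en' => 'en.php', 'pt' => 'pt.php', 'es' => 'es.php'];
    private const DEFAULT   = 'en';

    /** @var array<string,string> */
    private array $messages;

    public function __construct(string $dir, ?string $requested)
    {
        $lang = self::resolve($requested);
        $table = require $dir . '/' . self::SUPPORTED[$lang];
        if (!is_array($table)) {
            throw new RuntimeException("language file for $lang did not return an array");
        }
        $this->messages = $table;
    }

    /** Map whatever the user sent to a supported language code. */
    public static function resolve(?string $requested): string
    {
        $requested = strtolower(trim((string) $requested));
        return isset(self::SUPPORTED[$requested]) ? $requested : self::DEFAULT;
    }

    public function get(string $key): string
    {
        // Fall back to the key itself so a missing translation is visible
        // on the page rather than fatal.
        return $this->messages[$key] ?? $key;
    }
}

// Constructed checks of the resolver; no language files are needed for these.
$cases = [
    'pt'                => 'pt',
    'PT'                => 'pt',
    '../../etc/passwd'  => 'en',   // traversal attempt falls back to the default
    "en\0"              => 'en',   // NUL byte is not a key in SUPPORTED, also falls back
    null                => 'en',
];
foreach ($cases as $input => $expected) {
    if (Messages::resolve($input === '' ? null : (string) $input) !== $expected) {
        throw new LogicException('unexpected language for ' . json_encode($input));
    }
}
echo "resolver behaves as expected\n";
```

Usage in a page would be `$m = new Messages(__DIR__ . '/lang', $_GET['lang'] ?? null);` followed by `echo htmlspecialchars($m->get('greeting'));`. The translated strings are trusted content from your own files, but escaping them on output keeps the rule simple: everything that goes into HTML goes through htmlspecialchars().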
--- Begin Message ---
Hi Everyone,

I need your feedback on this.

What is the best RAD (Rapid application development) tool you use for
PHP to develop an *advanced* application in a few days or weeks?

I like programming but one thing that I hate is the first stage of
programming when you start creating the basic code (db connection,
interface, insert, update, ...etc), this is why I'm looking for a good
RAD tool that can speed up my programming.



--

Ahmad Fahad AlTwaijiry

--- End Message ---
--- Begin Message ---
Why don't you reuse the basic code from your old projects? Then you don't
need to worry about this :) (OOP)

-----Original Message-----
From: Ahmad Al-Twaijiry [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 30, 2006 12:45 PM
To: PHP
Subject: [PHP] Rapid application development

Hi Everyone,

I need your feedback on this.

What is the best RAD (Rapid application development) tool you use for
PHP to develop an *advanced* application in a few days or weeks?

I like programming but one thing that I hate is the first stage of
programming when you start creating the basic code (db connection,
interface, insert, update, ...etc), this is why I'm looking for a good
RAD tool that can speed up my programming.



-- 

Ahmad Fahad AlTwaijiry


--- End Message ---
--- Begin Message ---
Hi,

I have thttpd (a very lightweight HTTP server) running as an image
server on one box, and users uploading images to another PHP/Apache
powered box.

I need to let users upload to the regular LAMP box, but then copy the
image over to the custom image server (which does not have PHP or any
kind of CGI capability).

I was considering using exec() and scp to do this, but thought I'd ask
and see if anyone had any better suggestions?

many thanks
-- 
Nick Wilson
http://performancing.com/user/1

--- End Message ---
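An added example, not from the message above, of the exec()+scp approach with the two things that make it safe to call from a web request: the stored file name is generated by the server from the image bytes (the client's file name never reaches the command line, and never reaches the remote shell that scp's legacy protocol runs the path through), and every argument is wrapped in escapeshellarg(). The host name, account, key path and remote directory are assumptions.

```php
<?php
// Added example; not code from the thread. Assumed: a dedicated unprivileged
// account on the image server whose authorized_keys entry for this key is
// locked down (restrict, a forced command or at least from="..."), and a
// passphrase-less key readable only by the web server user.
declare(strict_types=1);

const IMAGE_HOST = 'images.example.com';              // assumed
const IMAGE_USER = 'imgupload';                       // assumed
const IMAGE_DIR  = '/var/www/images';                 // assumed
const SSH_KEY    = '/etc/php-upload/id_ed25519';      // assumed

/**
 * Derive the stored name from the content, not from $_FILES['...']['name'].
 * getimagesize() decides the type from the bytes; the SHA-256 makes the
 * name predictable for the server and meaningless to an attacker.
 */
function safe_image_name(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $ext = match ($info[2]) {
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
        default        => null,
    };
    return $ext === null ? null : hash_file('sha256', $tmpPath) . '.' . $ext;
}

/** Build the scp command line. Returned as a string so it can be inspected. */
function scp_command(string $localPath, string $remoteName): string
{
    $remote = IMAGE_USER . '@' . IMAGE_HOST . ':' . IMAGE_DIR . '/' . $remoteName;
    // BatchMode=yes: never prompt (a prompt from a web process would hang it).
    return 'scp -q -o BatchMode=yes -i ' . escapeshellarg(SSH_KEY) . ' '
        . escapeshellarg($localPath) . ' ' . escapeshellarg($remote) . ' 2>&1';
}

/** Copy one entry of $_FILES to the image server; returns the stored name. */
function push_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a successful upload');
    }
    $name = safe_image_name($file['tmp_name']);
    if ($name === null) {
        throw new RuntimeException('not an accepted image type');
    }
    exec(scp_command($file['tmp_name'], $name), $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('scp failed: ' . implode("\n", $output));
    }
    return $name;
}

// Usage from the upload handler:
//   $stored = push_upload($_FILES['image']);
//   // store $stored in the database and serve it as http://images.example.com/$stored
```

Two things to keep in mind with this design: the copy happens inside the request, so a slow or unreachable image server makes the upload hang (queueing the file locally and pushing from a cron job with the same scp_command() avoids that), and the web server's own key is now a credential on the LAMP box, which is why the authorized_keys entry on the image server should allow nothing but dropping files into that one directory.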