On 7/29/13 3:02 PM, Paul M Foster wrote:
On Mon, Jul 29, 2013 at 11:50:01AM -0500, Larry Garfield wrote:
On 7/28/13 9:23 PM, Paul M Foster wrote:
On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote:
[snip]
Except as noted above. This is all home-grown, using native PHP
functions designed to do these things, and classes I've written. I
carefully examine each field when writing the POST-handling code with
the idea in mind that no matter what the HTML says, the return value
must conform to what *I* think it should be. No MVC framework written by
others (though I do conform to MVC paradigm).
Paul
Then you're not writing your own form tags from the sound of it;
you're writing your own Form API. Still an improvements. :-)
No, I'm writing the form tags as well. I write the whole thing, soup to
nuts. But as I'm writing the back end validation stuff, I realize that
what I wrote in the HTML doesn't matter when it comes to hackers and
script kiddies. So I use my bless and validation libraries to tackle
form responses. That's the point I'm making. I understand what you're
saying about using someone else's framework so you can make sure that
tested code is being used to ensure against hacking attempts. But your
pronouncement was so thunderous that I had to provide the exception. If
you hang around here and read a book or two on security, you can write
your own code that handles this stuff. Particularly if you have an
example like CodeIgniter to use, to see how it's done.
(There are times when I *don't* write the HTML. My wife the designer
does. But I still go in and modify it to provide the validation bits
which she can't do. She uses Dreamweaver, so a lot of the time, she
doesn't even know what the raw HTML looks like.)
Paul
So you're writing your own form tags for each specific time you need a
form, or you wrote your own form builder API that is writing the form
tags for you?
Because if the former, I claim it's insecure. The development process
is insecure, so you will screw up sooner or later. You're only human.
--Larry Garfield
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
