RE: [PHP] Passing Form As Argument

2006-04-22 Thread Richard Lynch
On Fri, April 21, 2006 7:09 pm, Nicolas Verhaeghe wrote:
> So far, I have rarely seen people entering fake data into shopping
> carts or online forms. Why? Because most people don't have time to
> waste screwing around filling online forms with junk.

You have been very very very lucky, then.

Because there are a zillion bots out there making all kinds of crazy
POSTs to everybody's forms, trying to abuse our FORMs to:
  send junk email
  post links to on-line casinos and other regionally illegal e-ventures
  post links to pay-per-view and pay-per-click affiliate sites

Those CAPTCHA thingies (where you have to type the letters) are not
just for fun.

It's only a matter of time before CAPTCHA is useless.

Data validation and sanitization are not just to stop the Good Guys who
make typos, but also the Bad Guys who are attempting to abuse your
site.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
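What the server-side half of that validation looks like for a mail-sending form, as an added example that is not code from Richard's post or from the thread: a whitelist validator for a contact form that refuses the junk POSTs he describes, in particular the CR/LF smuggling a bot uses to add Bcc: recipients and send its own mail through your form. The field names (name, email, subject, message), the limits, and the sample submissions are assumptions; it needs PHP 7 or later and the mbstring extension.

```php
<?php
// Added example, not code from the mailing-list thread. Assumes a contact
// form with the fields name, email, subject and message, PHP 7 or later,
// and the mbstring extension for mb_strlen().

/** One POST field as a string; missing fields and arrays (name[]=...) become ''. */
function field(array $post, string $name): string
{
    $v = $post[$name] ?? null;
    return is_string($v) ? $v : '';
}

/**
 * Whitelist validation of the contact form. Returns a list of error strings;
 * an empty list means the values are safe to place in mail() headers.
 */
function validate_contact(array $post): array
{
    $errors = [];

    // Values that end up in a mail header (From:, Reply-To:, Subject:) must
    // never contain CR, LF or NUL: a bot that smuggles "\r\nBcc: ..." into
    // the email field turns the form into a spam relay. Reject, don't strip.
    foreach (['name', 'email', 'subject'] as $hdr) {
        if (preg_match('/[\r\n\0]/', field($post, $hdr)) === 1) {
            $errors[] = "$hdr: control characters are not allowed";
        }
    }

    $name = trim(field($post, 'name'));
    if ($name === '' || mb_strlen($name) > 80
        || preg_match('/^[\p{L}\p{M}\' .-]+$/uD', $name) !== 1) {
        $errors[] = 'name: 1-80 letters, spaces, apostrophes, periods or hyphens';
    }

    // Hand-rolled email regexes are the "spend a year and still get it wrong"
    // case; use the built-in validator and only bound the length yourself.
    $email = trim(field($post, 'email'));
    if (mb_strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    $subject = trim(field($post, 'subject'));
    if ($subject === '' || mb_strlen($subject) > 120) {
        $errors[] = 'subject: 1-120 characters';
    }

    $message = field($post, 'message');
    if (trim($message) === '' || mb_strlen($message) > 4000) {
        $errors[] = 'message: 1-4000 characters';
    }
    // Casino and affiliate spam is mostly a pile of links; cap them.
    if (preg_match_all('~https?://~i', $message) > 2) {
        $errors[] = 'message: too many links';
    }

    return $errors;
}

// Constructed sample submissions, not real traffic.
$legit = [
    'name'    => 'Ann Example',
    'email'   => 'ann@example.org',
    'subject' => 'Question about the artists page',
    'message' => 'Hi, is http://l-i-e.com/artists.htm still being updated?',
];
$bot = [
    'name'    => 'x',
    'email'   => "x@example.org\r\nBcc: one@spam.example, two@spam.example",
    'subject' => 'cheap pills',
    'message' => str_repeat("http://casino.example/?aff=1\n", 5),
];

var_dump(validate_contact($legit));  // array(0) {}
var_dump(validate_contact($bot));    // email control characters, email invalid, too many links
```

Only when validate_contact() returns an empty list do the values go anywhere near mail(); the point of rejecting rather than stripping is that a submission containing a bare CR or LF in a header field is never an honest typo, so there is nothing worth salvaging from it.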



RE: [PHP] Passing Form As Argument

2006-04-21 Thread Nicolas Verhaeghe



On Fri, April 21, 2006 4:56 pm, Nicolas Verhaeghe wrote:
> I have functions which dynamically generate client-side javascript
> validation functions according to the name of the field, its type 
> (text, password, email, drop down, radio button, textarea, and what 
> not).
>
> Same thing server-side.

Allow me to expand on why I think this is (generally) a wrong-headed
approach.

Consider a simple, common example:  The phone number.

Now, if you're doing this the Right Way and restricting only to the
characters known to be valid, then you want only: [0-9]

To be nice to users, maybe you allow '-' and space as well.

Of course, if it's taking international phone numbers, you want to let them
type that leading + sign, but not if it's US-only.

Now, if it's a business-oriented phone number, you want to allow something
like: 1-800-CALL-ATT because, by god, they paid big money to get the digits
they want and the right to promote/market that 800 number with
alpha-characters in it.

Yet, to be as restrictive as possible for non-business use with home
telephone numbers, you wouldn't want to let that slip by, so you can avoid
more pranksters.

If you look at it carefully, most of your data in most of your applications
*IS* that complicated.

Phone numbers?  See above.

Postal Codes?  US or World?  Zip +4 or not?  Should you not cross-check with
country code and a specific regex, for those countries where you KNOW what
it should be, and you expect many users?

Email address?  Man, you could spend a year trying to get this one right,
and still have it wrong.

So, all-in-all, the "rule" for how to sanitize data, IN MY OPINION, is too
application-specific and too domain-specific to be generalized and maintain
the level of security most programmers and clients would desire, given the
cost/benefit ratios involved for using a pre-packaged sanitizer, or a clear
in-line regex of what is kosher for THIS application and THIS domain.

To drive this home:  If the rule is complicated enough to want a generalized
function to handle it, it's probably complicated enough that you do NOT want
to over-generalize by using a package function, but want to use the RIGHT
regex for that application.

This is just my philosophical position, and I'm NOT the expert.

--

You can always take it to the nth level and end up not verifying everything,
but you can prevent the most common mistakes.

As far as email address, make sure there is something that looks like
"[EMAIL PROTECTED]".

Same with Zip codes. You can CASS certify it all you want but you'll never
be sure that the address is correct until you send snail mail.

The idea of such client- and server-side verification is to prevent mistakes
that the user could make unwillingly, for instance mixing fields: typing
something else than the email address in that field, without realizing it.

You can force someone to enter data into a field that absolutely needs to be
filled.

So far, I have rarely seen people entering fake data into shopping carts or
online forms. Why? Because most people don't have time to waste screwing
around filling online forms with junk.




RE: [PHP] Passing Form As Argument

2006-04-21 Thread Richard Lynch
On Fri, April 21, 2006 4:56 pm, Nicolas Verhaeghe wrote:
> I have functions which dynamically generate client-side javascript
> validation functions according to the name of the field, its type
> (text, password, email, drop down, radio button, textarea, and what not).
>
> Same thing server-side.

Allow me to expand on why I think this is (generally) a wrong-headed
approach.

Consider a simple, common example:  The phone number.

Now, if you're doing this the Right Way and restricting only to the
characters known to be valid, then you want only:
[0-9]

To be nice to users, maybe you allow '-' and space as well.

Of course, if it's taking international phone numbers, you want to let
them type that leading + sign, but not if it's US-only.

Now, if it's a business-oriented phone number, you want to allow
something like: 1-800-CALL-ATT because, by god, they paid big money to
get the digits they want and the right to promote/market that 800
number with alpha-characters in it.

Yet, to be as restrictive as possible for non-business use with home
telephone numbers, you wouldn't want to let that slip by, so you can
avoid more pranksters.

If you look at it carefully, most of your data in most of your
applications *IS* that complicated.

Phone numbers?  See above.

Postal Codes?  US or World?  Zip +4 or not?  Should you not
cross-check with country code and a specific regex, for those
countries where you KNOW what it should be, and you expect many users?

Email address?  Man, you could spend a year trying to get this one
right, and still have it wrong.

So, all-in-all, the "rule" for how to sanitize data, IN MY OPINION, is
too application-specific and too domain-specific to be generalized and
maintain the level of security most programmers and clients would
desire, given the cost/benefit ratios involved for using a
pre-packaged sanitizer, or a clear in-line regex of what is kosher for
THIS application and THIS domain.

To drive this home:  If the rule is complicated enough to want a
generalized function to handle it, it's probably complicated enough
that you do NOT want to over-generalize by using a package function,
but want to use the RIGHT regex for that application.

This is just my philosophical position, and I'm NOT the expert.

Somebody could show me a whiz-bang pre-packaged sanitizer tomorrow
that had all the flags/cases covered and let me tweak them to my
satisfaction.  The fact that about 1,027 attempts by others to do this
have, so far, failed, doesn't negate that.  I'm not THAT bull-headed.
:-)

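Richard's phone-number and postal-code argument, turned into code as an added example (not from his post, and not from Nicolas's reply that quotes it): one whitelist regex per application policy, so that the same input is accepted by one policy and rejected by another. The policy names, the regexes and the sample numbers are assumptions chosen to illustrate the point, not an attempt at a universal phone or postal parser; it needs PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. Policy names and regexes are assumptions.
// Each regex is a whitelist: input that does not match is rejected outright.
// The D modifier makes $ match only at the very end, so a trailing "\n" cannot
// sneak past; trim() handles the surrounding whitespace users actually type.

const PHONE_POLICIES = [
    // US-only home number: exactly ten digits, '-' or space allowed between groups.
    'us_home'     => '/^\d{3}[- ]?\d{3}[- ]?\d{4}$/D',
    // International: optional leading '+', 8 to 15 digits (the E.164 maximum).
    'intl'        => '/^\+?\d(?:[- ]?\d){7,14}$/D',
    // US business line: toll-free prefix, then seven letters or digits,
    // so a paid-for vanity number like 1-800-CALL-ATT passes here and only here.
    'us_business' => '/^(?:1[- ]?)?8(?:00|33|44|55|66|77|88)(?:[- ]?[A-Z0-9]){7}$/iD',
];

const POSTAL_POLICIES = [
    'US' => '/^\d{5}(?:-\d{4})?$/D',                   // ZIP or ZIP+4
    'CA' => '/^[A-Z]\d[A-Z] ?\d[A-Z]\d$/iD',           // A1A 1A1
    'GB' => '/^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$/iD',  // simplified outward + inward code
];

function phone_ok(string $policy, string $input): bool
{
    if (!isset(PHONE_POLICIES[$policy])) {
        throw new InvalidArgumentException("unknown phone policy: $policy");
    }
    return preg_match(PHONE_POLICIES[$policy], trim($input)) === 1;
}

/** Cross-check the postal code against the country the user selected. */
function postal_ok(string $country, string $input): bool
{
    // No trusted pattern for this country: fail closed rather than accept anything.
    if (!isset(POSTAL_POLICIES[$country])) {
        return false;
    }
    return preg_match(POSTAL_POLICIES[$country], trim($input)) === 1;
}

/** Email: the built-in validator, not a home-grown regex. */
function email_ok(string $input): bool
{
    return filter_var(trim($input), FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed samples: [policy, input, expected verdict].
$phones = [
    ['us_home',     '555-123-4567',     true],
    ['us_home',     '1-800-CALL-ATT',   false],  // letters are junk on a home line
    ['us_business', '1-800-CALL-ATT',   true],   // but legitimate for a vanity number
    ['us_home',     '+44 20 7946 0958', false],  // US-only form: no '+'
    ['intl',        '+44 20 7946 0958', true],
    ['us_home',     '555-123-4567 x12', false],  // extensions need their own field
];
foreach ($phones as [$policy, $input, $expected]) {
    $ok = phone_ok($policy, $input);
    printf("%-12s %-18s %s%s\n", $policy, $input, $ok ? 'accept' : 'reject',
        $ok === $expected ? '' : '  <-- UNEXPECTED');
}

$postals = [
    ['US', '90210',      true],
    ['US', '90210-1234', true],
    ['CA', 'K1A 0B1',    true],
    ['US', 'K1A 0B1',    false],  // Canadian code in a US-only field
    ['FR', '75001',      false],  // no pattern on file, so rejected
];
foreach ($postals as [$country, $input, $expected]) {
    $ok = postal_ok($country, $input);
    printf("%-4s %-12s %s%s\n", $country, $input, $ok ? 'accept' : 'reject',
        $ok === $expected ? '' : '  <-- UNEXPECTED');
}

var_dump(email_ok('ann@example.org'), email_ok('ann@example'));  // true, false
```

The table is the whole point: nothing here is a generic "phone" or "postal code" sanitizer, and the application picks which entry applies to which field. Adding a country you actually expect users from means adding a pattern you have checked, not loosening an existing one.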



RE: [PHP] Passing Form As Argument

2006-04-21 Thread Nicolas Verhaeghe
From: Richard Lynch [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 21, 2006 2:15 PM
To: Nicolas Verhaeghe
Cc: php-general@lists.php.net
Subject: RE: [PHP] Passing Form As Argument


On Fri, April 21, 2006 1:02 am, Nicolas Verhaeghe wrote:
> I'm new to the list so "Hello" to all. I'm drafting a function.php 
> page, which will be included() in the pages in need. How would I pass 
> a form as an argument of a function? From the name parameter of the 
> form element or perhaps an ID:
>
>
> function checkForm(theForm){
>   //Form validation code omitted.

You wouldn't.

See, you probably don't really want to pass every form through the same
validation function, because every form is different.

And every input should have the strictest validation possible for that
input.

So you can't really have a generic checkForm function, any more than you can
turn on your "Security" switch and magically make it safe.

It just plain doesn't work like that.

So your function, for now, should just know what form it is checking because
there is only one form it checks.

---

I have functions which dynamically generate client-side javascript
validation functions according to the name of the field, its type (text,
password, email, drop down, radio button, textarea, and what not).

Same thing server-side.

TIMTOWTDI but I cannot be the only one with the idea.




RE: [PHP] Passing Form As Argument

2006-04-21 Thread Richard Lynch
On Fri, April 21, 2006 1:02 am, Nicolas Verhaeghe wrote:
> I'm new to the list so "Hello" to all. I'm drafting a function.php
> page, which will be included() in the pages in need. How would I pass
> a form as an argument of a function? From the name parameter of the
> form element or perhaps an ID:
>
>
> function checkForm(theForm){
>   //Form validation code omitted.

You wouldn't.

See, you probably don't really want to pass every form through the
same validation function, because every form is different.

And every input should have the strictest validation possible for that
input.

So you can't really have a generic checkForm function, any more than
you can turn on your "Security" switch and magically make it safe.

It just plain doesn't work like that.

So your function, for now, should just know what form it is checking
because there is only one form it checks.


You might maybe some day want a big framework of standardized input
names where checks can be automated on some standard kinds of inputs.
But that's a whole different animal from what I'm pretty sure you are
doing today.  And it never works all that well, imho, as there are too
many subtle differences in the needs for data validation.




Re: [PHP] Passing Form As Argument

2006-04-21 Thread tedd

At 3:46 PM -0700 4/20/06, Chris Kennon wrote:
I'm new to the list so "Hello" to all. I'm drafting a function.php 
page, which will be included() in the pages in need. How would I 
pass a form as an argument of a function? From the name parameter of 
the form element or perhaps an ID:


function checkForm(theForm){
//Form validation code omitted.
}



You can't pass the form, but you can pass the form content, which is 
probably what you want anyway.


If it were me, I would place a form value ($theForm) in each form as
a hidden variable that would identify which form and I would
pass that to your checkForm($theForm) function.


From there, I would set up a switch which would channel your 
validation. The variables to validate, of course, would be in your 
$_POST or $_GET arrays. That should be simple enough.


Also, I seem to recall some caution is needed when using 
user-defined functions?


No more so than any other syntax, just do it right.

tedd

--

http://sperling.com

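tedd's hidden-field-plus-switch design written out in PHP, as an added example that is not code from his post: the hidden value picks which per-form validator runs, each validator has its own whitelist of fields and regexes, and anything the form does not expect (an unknown form identifier, a missing or extra field, an array where a string should be) is rejected. The form names ('newsletter', 'signup'), the field names, the hidden-input markup and the sample submissions are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not from tedd's post. Form names, field names and the
// hidden-input markup are assumptions. PHP 7.1 or later.
//
// Assumed markup, one line inside each form:
//   <input type="hidden" name="theForm" value="signup">

/**
 * Check $post against a per-form spec of field => whitelist regex.
 * Missing, non-string, non-matching and unexpected fields are all errors,
 * so a bot replaying another form's field set is caught as well.
 */
function check_fields(array $post, array $spec): array
{
    $errors = [];
    foreach ($spec as $name => $regex) {
        $value = $post[$name] ?? null;
        if (!is_string($value)) {
            $errors[] = "$name: missing";
        } elseif (preg_match($regex, $value) !== 1) {
            $errors[] = "$name: invalid";
        }
    }
    $extra = array_diff(array_keys($post), array_keys($spec), ['theForm']);
    if ($extra) {
        $errors[] = 'unexpected fields: ' . implode(', ', $extra);
    }
    return $errors;
}

function validate_newsletter(array $post): array
{
    $errors = check_fields($post, [
        'email' => '/^[^\s@]{1,64}@[^\s@]{1,190}$/D',  // coarse shape; filter_var does the real check
    ]);
    if (!$errors && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: invalid';
    }
    return $errors;
}

function validate_signup(array $post): array
{
    $errors = check_fields($post, [
        'username'  => '/^[a-z][a-z0-9_]{2,31}$/D',
        'password'  => '/^.{12,256}$/sD',   // length only; never restrict characters in passwords
        'password2' => '/^.{12,256}$/sD',
        'email'     => '/^[^\s@]{1,64}@[^\s@]{1,190}$/D',
    ]);
    if (!$errors && $post['password'] !== $post['password2']) {
        $errors[] = 'password2: does not match';
    }
    if (!$errors && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: invalid';
    }
    return $errors;
}

/**
 * Dispatch on the hidden identifier. It is attacker-controlled like every
 * other field, so it only selects which strict validator runs; it never
 * grants trust, and an unknown value is rejected.
 */
function check_form(array $post): array
{
    switch ($post['theForm'] ?? '') {
        case 'newsletter': return validate_newsletter($post);
        case 'signup':     return validate_signup($post);
        default:           return ['theForm: unknown or missing form identifier'];
    }
}

// Constructed submissions standing in for $_POST.
$good = ['theForm' => 'signup', 'username' => 'ann_e', 'password' => 'correct horse battery',
         'password2' => 'correct horse battery', 'email' => 'ann@example.org'];
$bad  = ['theForm' => 'newsletter', 'email' => 'ann@example.org',
         'username' => 'admin', 'role' => 'root'];

var_dump(check_form($good));                     // array(0) {}
var_dump(check_form($bad));                      // unexpected fields: username, role
var_dump(check_form(['theForm' => 'billing']));  // unknown or missing form identifier
```

This keeps Richard's objection intact: there is still no generic checkForm() that knows what every field means, only a dispatcher and one hand-written spec per form. Rejecting extra fields matters because a script that has scraped one of your forms will often POST its field set to every handler it can find.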



RE: [PHP] Passing Form As Argument

2006-04-20 Thread Nicolas Verhaeghe


Hi,


I'm new to the list so "Hello" to all. I'm drafting a function.php  
page, which will be included() in the pages in need. How would I pass  
a form as an argument of a function? From the name parameter of the  
form element or perhaps an ID:


function checkForm(theForm){
//Form validation code omitted.




}


Also, I seem to recall some caution is needed when using user-defined  
functions?

--

I always try to do server-side and client-side verification.

Client-side with javascript, server-side with PHP.

The coolness with Client-side verification is that it saves the server's
bandwidth and processing time and if you use a focus function you can place
the cursor to where the first error has been spotted.

The issue here is that someone one day makes a mistake you did not think of.
Or someone hacks the form and recreates an html version locally to just piss
you off and try to fill your database with garbage. Or simply hammer your
site with 1 million times the same flawed form to see what happens.

Hence the need for server-side verification as well.

Another plus is that you can do some more complex verifications in PHP. For
instance comparing the zip code with the state by querying a state/zip code
database.

Or even talk to a credit card processor to make sure that the credit card is
valid and has cash, while all the javascript can do is verify the
plausibility of the credit card number.

I am now "AJAX"ing some of my server-side verifications to make it seem like
it is client-side, the goal here is to save time and bandwidth.




Re: [PHP] Passing Form As Argument

2006-04-20 Thread Richard Lynch
On Thu, April 20, 2006 5:46 pm, Chris Kennon wrote:
> I'm new to the list so "Hello" to all. I'm drafting a function.php
> page, which will be included() in the pages in need. How would I pass
> a form as an argument of a function? From the name parameter of the
> form element or perhaps an ID:

HTTP does not pass FORM name nor ID attribute.

Mainly because the JavaScript guys tacked on FORM name and ID for
themselves, and nobody else much cared, really...

If you want to, you can always add an INPUT TYPE="HIDDEN"


  
.
.
.


> Also, I seem to recall some caution is needed when using user-defined
> functions?

I believe the above statement is correct in all particulars, but not
very particular. :-)




Re: [PHP] Passing Form As Argument

2006-04-20 Thread Paul Novitski

At 03:46 PM 4/20/2006, Chris Kennon wrote:

I'm drafting a function.php
page, which will be included() in the pages in need. How would I pass
a form as an argument of a function?



Unlike client-side JavaScript, server-side PHP doesn't see the 
client-side form.  All PHP sees are the values of form fields 
submitted to the server.  These are contained in either the $_GET 
array or the $_POST array, depending on your form method.


See the PHP documentation:

$_GET:
http://php.net/manual/en/reserved.variables.php#reserved.variables.get

$_POST:
http://php.net/manual/en/reserved.variables.php#reserved.variables.post

Paul 





Re: [PHP] Passing Form As Argument

2006-04-20 Thread Martin Alterisio
My first answer to your question would be: "no, you can't refer to an html
form in any way in php". My second answer would be, as usual, a question:
"what, exactly, are you trying to do?"

2006/4/20, Chris Kennon <[EMAIL PROTECTED]>:
>
> Hi,
>
>
> I'm new to the list so "Hello" to all. I'm drafting a function.php
> page, which will be included() in the pages in need. How would I pass
> a form as an argument of a function? From the name parameter of the
> form element or perhaps an ID:
>
>
> function checkForm(theForm){
> //Form validation code omitted.
>
>
>
>
> }
>
>
> Also, I seem to recall some caution is needed when using user-defined
> functions?
>
>
>
> "Art is an expression of life and transcends both time and space.
> We must employ our own souls through art to give a
> new form and a new meaning to nature or the world."
>
>   -- Bruce Lee
> _
> Return True,
>
> Christopher Kennon
> Principal/Designer/Programmer -Bushidodeep
> http://bushidodeep.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


[PHP] Passing Form As Argument

2006-04-20 Thread Chris Kennon

Hi,


I'm new to the list so "Hello" to all. I'm drafting a function.php  
page, which will be included() in the pages in need. How would I pass  
a form as an argument of a function? From the name parameter of the  
form element or perhaps an ID:



function checkForm(theForm){
//Form validation code omitted.




}


Also, I seem to recall some caution is needed when using user-defined  
functions?




"Art is an expression of life and transcends both time and space.
We must employ our own souls through art to give a
new form and a new meaning to nature or the world."

 -- Bruce Lee

_
Return True,

Christopher Kennon
Principal/Designer/Programmer -Bushidodeep
http://bushidodeep.com
