RE: [PHP] Re: question regarding form filtering

2007-03-15 Thread Tim
 

 -Original message-
 From: Richard Lynch [mailto:[EMAIL PROTECTED]
 Sent: Wednesday 14 March 2007 23:45
 To: Tim
 Cc: 'Haydar Tuna'; php-general@lists.php.net
 Subject: RE: [PHP] Re: question regarding form filtering
 
 On Wed, March 14, 2007 9:07 am, Tim wrote:
  You almost for sure do *NOT* want to attempt to send the entire 
  Webster's 2nd Edition dictionary to the browser as JS data so that 
  the JS can check. :-)
 
  Hehe, oh? Really? ;-)
 
  I suppose you could do a Web 2.0 Ajax-y thingie for that...
 
  Not a fan of forcing users to download/use active-x controls..
  (accesibility, usability etc..)
 
 No, I meant using an XmlHttpRequest to compare their password 
 as they type it in the form with the webster's dictionary up 
 on your server.
 
 Dunno if it would be fast enough to do it per keystroke, but 
 perhaps upon leaving the password field.

Ok, more reading to do then..

 
  For anything that really matters, your sanitation probably 
 ought to 
  be custom-tailored rather than off-the-rack anyway...
 
  Glad we share this opinion..
 
  Plus, the easy ones are easy, and the framework probably 
 won't handle 
  the hard ones, so what's the point of the clutter of the framework?
 
  So I personally wouldn't even go down this road.
 
  Erm gonna have to explain to me what you mean... (easy ones 
 are easy..
  Etc.)
 
 What I mean is that trying to write Framework for your 
 sanitization routines will lock you into that Framework.
 
 So while PCRE is *great* for most sanitization routines, it's 
 not the Right Answer for all of them.
 
 But if your framework only does PCRE, you've given up on 
 custom sanitization for an off-the-rack answer, and are using 
 a hammer on a screw sooner or later.
 
 The easy ones, like username or email are a one-liner anyway, 
 or a few lines of code at most.
 
 The really complex ones like password, probably won't fit 
 into any generic Framework you can build.
 
 I think it's better to hand-craft this code on each, rather 
 than trying to generalize it.

Ok, I see what you are saying.

I have left my class open to new features, it's pretty flexible, so I can
integrate these features in the near future (or maybe write a validation
class that extends the form class for when I need these special
validations). This opens up possibilities for both generic/hand-crafted
validation. So far I have no public user system (nor the need) so
verifying public passwords is not on the work list yet.. I WILL keep that
in mind and will experiment with different systems that enable specific
validation for certain types of input..

For the time being I am just either using forms to retrieve data from a
database (all standard word chars) or putting information into the database
from an admin console (again all standard word chars) so PCRE does the job
just fine and saves me from coding twice, PHP then JavaScript.

If I had more time and fewer due dates I would do it, maybe I'll think about
it while on vacation? hehe

Thanks again

Regards,

Tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: question regarding form filtering

2007-03-14 Thread Richard Lynch
I personally would not presume that PHP and JS regex patterns are 100%
compatible...

Store a separate pattern for each.

And, actually, the PHP check might be more involved than the JS check.

For example, if the user is making up a password, and this password
has access to something that's actually sensitive and worth protecting
(money, medical records, private matters)...

You should probably have JS and PHP to check that the password is long
enough, has mixed alpha and digit, that the password and confirmation
match, that neither password nor username contains the other as a
substring, etc.

But in PHP you'd probably *ALSO* want to check against a database of
words (say the one in /usr/share/web2, Webster's 2nd Edition
dictionary, now in the public domain) and make sure they did not
choose a simple word.

You almost for sure do *NOT* want to attempt to send the entire
Webster's 2nd Edition dictionary to the browser as JS data so that the
JS can check. :-)

I suppose you could do a Web 2.0 Ajax-y thingie for that...

At any rate, the validation in JS may not always be exactly the same
as in PHP, even if their PCRE patterns are 100% compatible, which I
doubt.

For anything that really matters, your sanitation probably ought to be
custom-tailored rather than off-the-rack anyway...

Plus, the easy ones are easy, and the framework probably won't handle
the hard ones, so what's the point of the clutter of the framework?

So I personally wouldn't even go down this road.

I expect many on this list to disagree with the preceding 2 paragraphs.

YMMV

On Tue, March 13, 2007 9:36 am, Tim wrote:


 -Original message-
 From: Haydar Tuna [mailto:[EMAIL PROTECTED]
 Sent: Tuesday 13 March 2007 14:53
 To: php-general@lists.php.net
 Subject: [PHP] Re: question regarding form filtering

 Hello,
 You can write some basic functions such as checking the
 length of a variable, removing special characters, checking
 for number or string, trimming blank lines and so on. And then
 you can use these functions together and write new
 functions. For example, if you want to check a number (such as
 a digit count of 4), you can write something like
 checknumber($number,$digit). With this function, you can use
 the length-of-variable function, the remove-special-characters
 function, the number-or-string check function and the
 trim-blank-lines function together. :)

 Sure I hear you, have been there and done that in the past.
 Maybe the situation I am in will help describe why I am going for
 regular_expressions..

 I have made a form generation/(soon to be) validation class with
 integrated contextual help via javascript info popups. I would like to
 offer the possibility of javascript validation for those that have it
 enabled, for obvious practical reasons, being less work load on the
 server if each does his own validation on client-side, and of course
 server-side validation for security reasons.. Now my forms are made
 like this:

 // options array for new form
 $form_options = array( 'name'   => 'parametres_site',
                        'aide'   => 'Enregistrer les modifications apportés aux coordonées de l\'entreprise',
                        'bouton' => 'Mettre à jour les paramètres'
                      );
 // initialize form class and add new form
 $form = new formulaire($this->debug_mode, $form_options);
 // initialize inputs array
 $input_options = array();

 // add a text input with various options based on its type (default values
 // are not listed)
 $input_options[] = array( 'name'      => 'nom',
                           'type'      => 'text',
                           'maxlength' => '35',
                           'size'      => '35',
                           'label'     => 'Votre nom :',                          // label
                           'regexp'    => '/^[a-zA-Z1-9_ -]{0,35}$/',             // regexp for content filtering (hyphen last so it is a literal, not the invalid range "_- ")
                           'newline'   => 0,                                      // no new line (next input on same line)
                           'aide'      => 'Le nom qui apparaîtra que votre site', // contextual help msg
                           'erreur'    => 'Mauvais caractères dans le nom'        // error msg in case of bad input based on regexp
                         );
 $form->add_inputs($input_options, 'parametres_site');

 // generate form and if success assign html_form to $content
 if ($form->generer_formulaire('parametres_site')) {
     $content = $form->html_forms['parametres_site'];
 }

 // echo the form to the page
 echo $content;

 Ok so my reason being for using regexp is 
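The server-side password checks Richard lists above (long enough, mixed letters and digits, confirmation matches, neither password nor username contains the other, and a lookup against a word list) carried out in PHP, as an added example; this is not code from the thread or from Tim's form class. The function names, the 8-character minimum and the tiny word list are assumptions, and the word list is a constructed stand-in for the web2 dictionary file Richard mentions.

```php
<?php
// Added example (not code from the thread): a hand-crafted server-side
// password policy of the kind Richard describes. The word list used below
// is constructed for the demonstration; a real deployment would load the
// web2 dictionary file instead. Minimum length and names are assumptions.

declare(strict_types=1);

/** Load a one-word-per-line dictionary into a hash set keyed by lower-cased word. */
function load_wordlist(string $path): array
{
    $words = [];
    $fh = fopen($path, 'r');
    if ($fh === false) {
        throw new RuntimeException("cannot open word list: $path");
    }
    while (($line = fgets($fh)) !== false) {
        $w = strtolower(trim($line));
        if ($w !== '') {
            $words[$w] = true;
        }
    }
    fclose($fh);
    return $words;
}

/**
 * Returns the list of policy violations; an empty list means the password is acceptable.
 * $words is the set produced by load_wordlist().
 */
function password_problems(string $username, string $password, string $confirm, array $words): array
{
    $problems = [];

    if (strlen($password) < 8) {
        $problems[] = 'too short (minimum 8 characters)';
    }
    // mixed alpha and digit: two simple patterns rather than one clever one
    if (preg_match('/[A-Za-z]/', $password) !== 1 || preg_match('/[0-9]/', $password) !== 1) {
        $problems[] = 'must contain both letters and digits';
    }
    // constant-time comparison; not strictly needed for a confirmation field, but costs nothing
    if (!hash_equals($password, $confirm)) {
        $problems[] = 'password and confirmation do not match';
    }
    $u = strtolower($username);
    $p = strtolower($password);
    if ($u !== '' && $p !== '' && (strpos($p, $u) !== false || strpos($u, $p) !== false)) {
        $problems[] = 'password and username must not contain each other';
    }
    // dictionary check on the password itself and on its letters alone,
    // so that a word with digits appended is still recognised as that word
    $stripped = preg_replace('/[^a-z]/', '', $p);
    if (isset($words[$p]) || ($stripped !== '' && isset($words[$stripped]))) {
        $problems[] = 'password is a dictionary word';
    }
    return $problems;
}

// --- demonstration with a constructed word list standing in for web2 ---
$tmp = tempnam(sys_get_temp_dir(), 'words');
file_put_contents($tmp, "apple\nsecret\npassword\nwebster\n");
$words = load_wordlist($tmp);
unlink($tmp);

$cases = [
    ['tim', 'secret123', 'secret123'],   // a dictionary word with digits appended
    ['tim', 'tim2007ok', 'tim2007ok'],   // contains the username
    ['tim', 'Xq7vb2nRt', 'Xq7vb2nRt'],   // letters and digits, unrelated to user or dictionary
    ['tim', 'Xq7vb2nRt', 'Xq7vb2nRx'],   // confirmation differs in the last character
];
foreach ($cases as [$user, $pw, $conf]) {
    $problems = password_problems($user, $pw, $conf, $words);
    printf("%-6s %-10s -> %s\n", $user, $pw, $problems ? implode('; ', $problems) : 'OK');
}
```

The dictionary set is built once at start-up rather than per request; with the real web2 file that is a few hundred thousand entries, which is cheap to hold in memory but far too large to ship to the browser, which is the reason the check belongs on the PHP side only.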

RE: [PHP] Re: question regarding form filtering

2007-03-14 Thread Tim
 

 -Original message-
 From: Richard Lynch [mailto:[EMAIL PROTECTED]
 Sent: Wednesday 14 March 2007 09:48
 To: Tim
 Cc: 'Haydar Tuna'; php-general@lists.php.net
 Subject: RE: [PHP] Re: question regarding form filtering
 
 I personally would not presume that PHP and JS regex patterns 
 are 100% compatible...
 
 Store a separate pattern for each.

Fair enough, beats writing a new function for each :)

 And, actually, the PHP check might be more involved than the JS check.
 
 For example, if the user is making up a password, and this
 password has access to something that's actually sensitive
 and worth protecting (money, medical records, private matters)...

Not yet but maybe future clients ? ;) (archived)

 You should probably have JS and PHP to check that the 
 password is long enough, has mixed alpha and digit, that the 
 password and confirmation match, that neither password nor 
 username contains the other as a substring, etc.
 
 But in PHP you'd probably *ALSO* want to check against a 
 database of words (say the one in /usr/share/web2, Webster's 
 2nd Edition dictionary, now in the public domain) and make 
 sure they did not choose a simple word.

Good idea, sounds like Plesk internals here..
I'll most definitely keep this in mind when I implement the user management
system in the framework..
 
 You almost for sure do *NOT* want to attempt to send the 
 entire Webster's 2nd Edition dictionary to the browser as JS 
 data so that the JS can check. :-)

Hehe, oh? Really? ;-)

 I suppose you could do a Web 2.0 Ajax-y thingie for that...

Not a fan of forcing users to download/use active-x controls..
(accessibility, usability etc..)

 
 At any rate, the validation in JS may not always be exactly 
 the same as in PHP, even if their PCRE patterns are 100% 
 compatible, which I doubt.

I'll do some experimenting with this..
 
 For anything that really matters, your sanitation probably 
 ought to be custom-tailored rather than off-the-rack anyway...

Glad we share this opinion.. 

 Plus, the easy ones are easy, and the framework probably 
 won't handle the hard ones, so what's the point of the 
 clutter of the framework?
 
 So I personally wouldn't even go down this road.

Erm gonna have to explain to me what you mean... (easy ones are easy.. Etc.)
 
Once again thanks Richard am well on my way now ;)

Regards,

Tim

Programming is a race between people making better and faster programs and
the universe making bigger and dumber people. So far the universe is
winning




RE: [PHP] Re: question regarding form filtering

2007-03-14 Thread Richard Lynch
On Wed, March 14, 2007 9:07 am, Tim wrote:
 You almost for sure do *NOT* want to attempt to send the
 entire Webster's 2nd Edition dictionary to the browser as JS
 data so that the JS can check. :-)

 Hehe, oh? Really? ;-)

 I suppose you could do a Web 2.0 Ajax-y thingie for that...

 Not a fan of forcing users to download/use active-x controls..
 (accessibility, usability etc..)

No, I meant using an XmlHttpRequest to compare their password as they
type it in the form with the webster's dictionary up on your server.

Dunno if it would be fast enough to do it per keystroke, but perhaps
upon leaving the password field.

 For anything that really matters, your sanitation probably
 ought to be custom-tailored rather than off-the-rack anyway...

 Glad we share this opinion..

 Plus, the easy ones are easy, and the framework probably
 won't handle the hard ones, so what's the point of the
 clutter of the framework?

 So I personally wouldn't even go down this road.

 Erm gonna have to explain to me what you mean... (easy ones are easy..
 Etc.)

What I mean is that trying to write a Framework for your sanitization
routines will lock you into that Framework.

So while PCRE is *great* for most sanitization routines, it's not the
Right Answer for all of them.

But if your framework only does PCRE, you've given up on custom
sanitization for an off-the-rack answer, and are using a hammer on a
screw sooner or later.

The easy ones, like username or email are a one-liner anyway, or a few
lines of code at most.

The really complex ones like password, probably won't fit into any
generic Framework you can build.

I think it's better to hand-craft this code on each, rather than
trying to generalize it.

YMMV

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




RE: [PHP] Re: question regarding form filtering

2007-03-13 Thread Tim
 

 -Original message-
 From: Haydar Tuna [mailto:[EMAIL PROTECTED]
 Sent: Tuesday 13 March 2007 14:53
 To: php-general@lists.php.net
 Subject: [PHP] Re: question regarding form filtering
 
 Hello,
 You can write some basic functions such as checking the
 length of a variable, removing special characters, checking
 for number or string, trimming blank lines and so on. And then
 you can use these functions together and write new
 functions. For example, if you want to check a number (such as
 a digit count of 4), you can write something like
 checknumber($number,$digit). With this function, you can use
 the length-of-variable function, the remove-special-characters
 function, the number-or-string check function and the
 trim-blank-lines function together. :)

Sure I hear you, have been there and done that in the past.
Maybe the situation I am in will help describe why I am going for
regular_expressions..

I have made a form generation/(soon to be) validation class with integrated
contextual help via javascript info popups. I would like to offer the
possibility of javascript validation for those that have it enabled, for
obvious practical reasons, being less work load on the server if each does his own
validation on client-side, and of course server-side validation for security
reasons.. Now my forms are made like this:

// options array for new form
$form_options = array(  'name'   => 'parametres_site',
                        'aide'   => 'Enregistrer les modifications apportés aux coordonées de l\'entreprise',
                        'bouton' => 'Mettre à jour les paramètres'
                     );
// initialize form class and add new form
$form = new formulaire($this->debug_mode, $form_options);
// initialize inputs array
$input_options = array();

// add a text input with various options based on its type (default values
// are not listed)
$input_options[] = array(   'name'      => 'nom',
                            'type'      => 'text',
                            'maxlength' => '35',
                            'size'      => '35',
                            'label'     => 'Votre nom :',                          // label
                            'regexp'    => '/^[a-zA-Z1-9_ -]{0,35}$/',             // regexp for content filtering (hyphen last so it is a literal, not the invalid range "_- ")
                            'newline'   => 0,                                      // no new line (next input on same line)
                            'aide'      => 'Le nom qui apparaîtra que votre site', // contextual help msg
                            'erreur'    => 'Mauvais caractères dans le nom'        // error msg in case of bad input based on regexp
                        );
$form->add_inputs($input_options, 'parametres_site');

// generate form and if success assign html_form to $content
if ($form->generer_formulaire('parametres_site')) {
    $content = $form->html_forms['parametres_site'];
}

// echo the form to the page
echo $content;

Ok so my reason for using regexp is that by defining a regexp my class
can also use this regexp to generate the javascript needed to validate
each form on the page as opposed to writing the same functions in both php
and javascript (class permits unlimited number of forms on one page). My
process would be:

1. Display blank form (generate javascript necessary for client-side form
validation using regexp)
2. Submit form to javascript filtering
3. If JS filter success then send to php filtering
4. Store all temporary inputs in $formvars array
5. Match each $formvars against regexp
6. Do something with validated data

My goal is to make this general and not have to write a function for each
type of input; I am happier writing a short regexp for each input than
writing a new function for each type I could come across...

NOW, my original question is why should I or should I not use regexp?? Is
there a performance hit or not? Why do I not see anyone just using regexp
instead of going through htmlentities() stripslashes() strip_tags(), I mean,
if the regexp doesn't validate it then it's wrong.. Period.. User friendliness
maybe? Try to make it easier for the person filling the form?

Am stumped, can't seem to find the real reason...

Regards,

Tim
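Tim's closing question (why not just a regexp instead of htmlentities() and friends) and Richard's advice to store a separate pattern for PHP and for JavaScript, worked through in PHP as an added example; this is not Tim's class or any code from the thread. The field array keys (regexp_php, regexp_js), the helper names, the inputs and the patterns themselves are assumptions; the patterns also accept accented letters, which the '/^[a-zA-Z1-9_- ]{0,35}$/' in the post does not.

```php
<?php
// Added example, not Tim's class or code from the thread. The field layout,
// key names, patterns and sample inputs are assumptions. Needs PHP 7.1+ and
// a PCRE built with Unicode support (the default) for \p{L}.

declare(strict_types=1);

$fields = [
    'nom' => [
        // PCRE pattern with the /u flag: \p{L} matches accented letters, and the
        // hyphen is placed last so it is a literal rather than an invalid range
        'regexp_php' => '/^[\p{L}0-9_ -]{1,35}$/u',
        // ECMAScript pattern source (no delimiters, no flags) kept separately:
        // browsers of that era have no \p{L}, so Latin-1 Supplement and Latin
        // Extended-A are given as an explicit range instead
        'regexp_js'  => '^[A-Za-z\u00C0-\u017F0-9_ -]{1,35}$',
        'erreur'     => 'Mauvais caractères dans le nom',
    ],
];

/**
 * Strict whitelist check. preg_match() returns false (not 0) when the pattern
 * itself fails to compile, so compare against 1 instead of relying on truthiness;
 * a broken pattern is a bug to surface, not "invalid input".
 */
function validate_field(array $def, string $value): bool
{
    $r = preg_match($def['regexp_php'], $value);
    if ($r === false) {
        throw new RuntimeException('invalid regexp: ' . $def['regexp_php']);
    }
    return $r === 1;
}

/** Emit the client-side pattern table; json_encode() escapes the pattern source for JS. */
function js_validator_table(array $fields): string
{
    $table = [];
    foreach ($fields as $name => $def) {
        $table[$name] = ['re' => $def['regexp_js'], 'msg' => $def['erreur']];
    }
    return 'var validators = ' . json_encode($table, JSON_UNESCAPED_UNICODE) . ';';
}

/** Output encoding for an HTML context; a separate concern from validation. */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// --- demonstration on constructed inputs ---
$inputs = [
    'Société Dupont',      // accented letter and a space
    "O'Brien & Co",        // apostrophe and ampersand, both outside the whitelist
    str_repeat('a', 36),   // one character over the 35 limit
];
foreach ($inputs as $in) {
    $ok = validate_field($fields['nom'], $in);
    printf("%-20s -> %s\n", $in, $ok ? 'valid' : $fields['nom']['erreur']);
}

// Encoding on output stays in place even for validated data: if the whitelist
// were widened to admit the apostrophe (a legitimate name character), this is
// what keeps the value from terminating the attribute it is printed into.
echo '<input name="nom" value="' . html("O'Brien & Co") . '">', "\n";
echo js_validator_table($fields), "\n";
```

The whitelist and the encoding answer two different questions: preg_match() decides whether the value is acceptable at all, while htmlspecialchars() makes whatever is stored safe to print into HTML, and a regexp cannot replace that step for fields that legitimately contain quotes, ampersands or angle brackets (which is also where the "user friendliness" cost of a tight whitelist shows up, as the O'Brien case illustrates). On the client the pattern source is used as `new RegExp(validators.nom.re)`, so the JS table carries no delimiters or PCRE-only flags.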
