Re: Sanitizing forms in vibe.d. How?
On Monday, 12 December 2016 at 11:32:42 UTC, Nicholas Wilson wrote:
> for strip_tags I would look for an xml library (e.g. arsd.dom) and parse it and then reprint it without the tags. There's probably a better way to do it though. I'm sure Adam Ruppe will be able to help you there.

Well, it depends what you are doing with it. If you are just outputting user data, I wouldn't allow any HTML at all... but I'd do it by encoding it all. So if they write
Re: Sanitizing forms in vibe.d. How?
On Monday, 12 December 2016 at 10:25:05 UTC, aberba wrote:
> How about alternative to php strip_tags(), strip_slash() ?

I wouldn't use those functions anyway in most cases: instead of stripping stuff, just encode it properly for the output.

So, if it is being output to JSON or javascript, json encode it. If it is going to HTML, html encode it. If a URL, url encode it. If to a database, use a prepared statement.

You may need to use multiple layers. A link may be both URL and HTML encoded, because first it is a url, then it is being added to a html document so it needs that too.

I don't know the vibe library, but my dom.d has a bunch of options for html encode.
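The context-specific encoding described in the reply above, as an added example that is not part of the thread and not code from arsd or vibe.d. It uses only Phobos: std.uri for URL encoding and std.json for JSON string quoting; htmlEncode is a small hand-written helper (an assumption, not a library function), and the sample input is constructed.

```d
// Added example (not from the thread): encode user data for the context it
// lands in, instead of stripping characters out of it. Only Phobos is used;
// htmlEncode is a hand-written helper, not a library function.
import std.array : appender;
import std.json : JSONValue;
import std.stdio : writeln;
import std.uri : encodeComponent;

/// Escape the five characters that matter inside HTML text and
/// double-quoted attribute values.
string htmlEncode(string s)
{
    auto app = appender!string();
    foreach (dchar c; s)
    {
        switch (c)
        {
            case '&':  app.put("&amp;");  break;
            case '<':  app.put("&lt;");   break;
            case '>':  app.put("&gt;");   break;
            case '"':  app.put("&quot;"); break;
            case '\'': app.put("&#39;");  break;
            default:   app.put(c);
        }
    }
    return app.data;
}

/// Output context 1: HTML body text.
string asHtmlText(string userInput)
{
    return "<p>" ~ htmlEncode(userInput) ~ "</p>";
}

/// Output context 2: a URL query parameter, and that URL inside an href.
/// Two layers: URL-encode first (it is a URL), then HTML-encode (it is in HTML).
string asSearchLink(string userInput)
{
    string url = "/search?q=" ~ encodeComponent(userInput);
    return `<a href="` ~ htmlEncode(url) ~ `">search</a>`;
}

/// Output context 3: a JSON string literal, e.g. for an API response.
/// std.json does the quoting and escaping.
string asJsonString(string userInput)
{
    return JSONValue(userInput).toString();
}

void main()
{
    // Constructed sample: a value that is hostile in each of the three contexts.
    string input = `<script>alert("x")</script> & "quotes" 'single' 100% done`;

    writeln(asHtmlText(input));
    writeln(asSearchLink(input));
    writeln(asJsonString(input));
}
```

Each function encodes for exactly one destination, and asSearchLink shows why the layers stack: the `%` and `&` that encodeComponent produces are then themselves HTML-encoded when the URL is placed in an attribute. One caveat for the JSON case: if the JSON is inlined into an HTML `<script>` block rather than served as a response body, the HTML parser still terminates the block at a literal `</script>` inside the string, so `<` must additionally be written as `\u003c` there.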
Re: Sanitizing forms in vibe.d. How?
On Monday, 12 December 2016 at 10:25:05 UTC, aberba wrote:
> On Monday, 12 December 2016 at 00:42:54 UTC, Nicholas Wilson wrote:
>> On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
>> You can enforce that the string that you receive is an email address with `isEmail` from `std.net.isemail`
>
> Nice.
>
>> What sql library are you using? there is probably a function in that somewhere, that does sanitisation, or use prepared statements.
>
> Will look into that. Currently planning to use mysql-lited (not sure which one is more capable though)
>
> How about alternative to php strip_tags(), strip_slash() ?

With vibe.d I would definitely go with mysql-native instead since it's already compatible with it. See: https://github.com/mysql-d/mysql-native

vibe.d and D in general don't suffer from the same things PHP does when it comes to sanitizing. As long as you use prepared statements, then you won't suffer from it.

It's much safer to validate data than sanitize it. That way you don't get garbage either.
Re: Sanitizing forms in vibe.d. How?
On Monday, 12 December 2016 at 10:25:05 UTC, aberba wrote:
> On Monday, 12 December 2016 at 00:42:54 UTC, Nicholas Wilson wrote:
>> On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
>> You can enforce that the string that you receive is an email address with `isEmail` from `std.net.isemail`
>
> Nice.
>
>> What sql library are you using? there is probably a function in that somewhere, that does sanitisation, or use prepared statements.
>
> Will look into that. Currently planning to use mysql-lited (not sure which one is more capable though)

All the bindings on code.dlang.org should be equally capable, however some may be easier to use and/or be DB specific (e.g. the Postgres bindings)

> How about alternative to php strip_tags(), strip_slash() ?

for strip_slash look for `replace` and friends in std.array

for strip_tags I would look for an xml library (e.g. arsd.dom) and parse it and then reprint it without the tags. There's probably a better way to do it though. I'm sure Adam Ruppe will be able to help you there.
Re: Sanitizing forms in vibe.d. How?
On Monday, 12 December 2016 at 00:42:54 UTC, Nicholas Wilson wrote:
> On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
> You can enforce that the string that you receive is an email address with `isEmail` from `std.net.isemail`

Nice.

> What sql library are you using? there is probably a function in that somewhere, that does sanitisation, or use prepared statements.

Will look into that. Currently planning to use mysql-lited (not sure which one is more capable though)

How about alternative to php strip_tags(), strip_slash() ?
Re: Sanitizing forms in vibe.d. How?
On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
> In php, I use built-in functions like filter_var(FILTER_VALIDATE_EMAIL, $email). There are other constants for different data types.

You can enforce that the string that you receive is an email address with `isEmail` from `std.net.isemail`

> Again, there is mysqli_real_escape_string() for escaping SQL injection/harmful characters. What are my options in vibe.d or even D?

What sql library are you using? there is probably a function in that somewhere, that does sanitisation, or use prepared statements.
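The two pieces of advice that run through the thread, validating with `isEmail` from `std.net.isemail` and then using a prepared statement rather than escaping by hand, put together as an added example that is not part of any post and not code from mysql-native or vibe.d. The validation part is plain Phobos and runs on its own. The `insertUser` function assumes mysql-native's `prepare` / `setArgs` / `exec` API, a `users` table with an `email` column, and a reachable server; it is compiled only when the `HaveMysqlNative` version identifier is set so the rest of the file builds without the dependency. The sample addresses are constructed.

```d
// Added example (not from the thread): validate input with std.net.isemail,
// then hand it to the database through a prepared statement so the value
// never becomes part of the SQL text. insertUser assumes mysql-native's
// prepare/setArgs/exec API (build with -version=HaveMysqlNative).
import std.net.isemail : isEmail, CheckDns;
import std.stdio : writeln;
import std.typecons : Nullable;

/// Returns the address if it is syntactically valid, otherwise a null Nullable.
/// CheckDns.no keeps this a pure syntax check: no DNS lookups on the request path.
Nullable!string validateEmail(string raw)
{
    auto status = isEmail(raw, CheckDns.no);
    if (!status.valid)
        return Nullable!string.init;
    return Nullable!string(raw);
}

/// Storage: the '?' placeholder carries the value out of band, so quotes or
/// comment sequences inside the address are data to the server, never SQL.
version (HaveMysqlNative)
{
    import mysql;   // mysql-native, https://github.com/mysql-d/mysql-native

    ulong insertUser(Connection conn, string email)
    {
        Prepared stmt = conn.prepare("INSERT INTO users (email) VALUES (?)");
        stmt.setArgs(email);
        return conn.exec(stmt);   // rows affected
    }
}

void main()
{
    // Constructed samples: one well-formed address and two that validation
    // rejects outright instead of "cleaning up" by stripping characters.
    foreach (candidate; ["alice@example.com",
                         "bob@example.com' OR '1'='1",
                         "<script>@example.com"])
    {
        auto email = validateEmail(candidate);
        if (email.isNull)
            writeln("rejected: ", candidate);
        else
            writeln("accepted: ", email.get);
    }
}
```

The order matters: validation decides whether the request is acceptable at all, and the prepared statement makes the storage step safe regardless of what the value contains, so neither step has to know about the other's failure modes.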