I use PCRE for filtering all the time.

As a general rule, be sure you are using a pattern that says "allow these valid characters" and not one that says "deny these invalid characters". You never know when some user will send Unicode or something so far outside what you expected that your "deny invalid" won't catch it. "allow valid" ensures that ONLY the cases you thought of as valid are valid.

That said, sometimes the Right Thing to do is to deny invalid characters, such as "newline" in anything you are cramming into email headers, as the spammers send out entire emails crammed into your "Subject" box on form-mail, and then you send out their email for them, as a side-effect of your attempt to send valid email. Play with an SMTP server and send it some emails by hand to see how this works...

You'd have to be getting a heck of a lot of traffic and have a *TON* of inputs with PCRE being called on them for it to be any significant drain on resources. I daresay you couldn't manage to do it at all in a real-world scenario, but I presume somebody somewhere has something weird enough where the PCRE check is "too expensive"... The odds that you have that are about 1 in 1,000,000 though.

On Tue, March 13, 2007 6:20 am, Tim Earl wrote:
> Hi all,
>
> Well I have been going through various methods on filtering form data, and
> the one I never see is filtering form data using regular expressions
> (although the html form and validation class by Manuel Lemos does seem to
> use them); this is the only one I could find.
>
> I often see lines like (for checking a 4 character number for example):
>
> $input_value = htmlentities($input_value);
> if (strval(intval($input_value)) && strlen($input_value) == 4) {
>     // do something with validated data (maybe put in valid array or something)
> }
>
> Ok so what's wrong with good ole:
>
> if (preg_match('/^[0-9]{4}$/', trim($input_value))) {
>     // do something with validated data (maybe put in valid array or something)
> }
>
> Am I going to get a performance hit if I validate all my fields with regular
> expressions?
>
> As I see it I am only calling one function (ok 2 with the trim()) to
> validate my form data.
>
> Just wondering what you all thought about these different methods, and what
> approach suits best a given situation.
>
> Regards,
>
> Tim

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
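
The two checks discussed in this thread, as an added example that is not part of either message: an allow-list pattern for the 4-digit field and a deny-list check for CR/LF in a value headed for a mail header. The function names, the 200-byte subject limit and the sample inputs are assumptions made for the example; it also anchors with `\A` and `\z` rather than `^` and `$`, which goes slightly beyond the pattern quoted above.

```php
<?php
// Added example; function names and sample inputs are constructed.

// Allow-list: return the value only if it is exactly four ASCII digits.
function valid_four_digits($raw): ?string
{
    if (!is_string($raw)) {
        return null; // e.g. an array sent as field[]=1234
    }
    // \A and \z anchor to the true start and end of the string. A bare "$"
    // also matches just before a final "\n", so "1234\n" would pass.
    return preg_match('/\A[0-9]{4}\z/', $raw) === 1 ? $raw : null;
}

// Deny-list: return the subject only if it cannot add a header line.
function valid_subject($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 200) {
        return null; // the 200-byte limit is an assumption for this example
    }
    // CR or LF in a header value would end the header and start a new one.
    return preg_match('/[\r\n]/', $raw) === 1 ? null : $raw;
}

// Constructed inputs: plain digits, trailing newline, a letter,
// Arabic-Indic digits, and an array instead of a string.
$fields = ['1234', "1234\n", '12a4', '١٢٣٤', ['1234']];
foreach ($fields as $field) {
    $verdict = valid_four_digits($field) === null ? 'rejected' : 'accepted';
    printf("%-30s %s\n", json_encode($field), $verdict);
}

$subjects = ['Question about my order', "Hello\r\nX-Injected: 1"];
foreach ($subjects as $subject) {
    $verdict = valid_subject($subject) === null ? 'rejected' : 'accepted';
    printf("%-30s %s\n", json_encode($subject), $verdict);
}
```

Only the first entry in each list is accepted. Validating the raw value, rather than a trimmed copy, means the string that passes the check is the same string used afterwards.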