RE: Re: question regarding form filtering

I personally would not presume that PHP and JS regex patterns are 100%
compatible...

Store a separate pattern for each.

And, actually, the PHP check might be more involved than the JS check.

For example, if the user is making up a password, and this password
has access to something that's actually sensitive and worth protecting
(money, medical records, private matters)...

You should probably have JS and PHP to check that the password is long
enough, has mixed alpha and digit, that the password and confirmation
match, that neither password nor username contains the other as a
substring, etc.

But in PHP you'd probably *ALSO* want to check against a database of
words (say the one in /usr/share/web2, Webster's 2nd Edition
dictionary, now in the public domain) and make sure they did not
choose a simple word.

You almost for sure do *NOT* want to attempt to send the entire
Webster's 2nd Edition dictionary to the browser as JS data so that the
JS can check. :-)

I suppose you could do a Web 2.0 Ajax-y thingie for that...

At any rate, the validation in JS may not always be exactly the same
as in PHP, even if their PCRE patterns are 100% compatible, which I
doubt.

For anything that really matters, your sanitation probably ought to be
custom-tailored rather than off-the-rack anyway...

Plus, the easy ones are easy, and the framework probably won't handle
the hard ones, so what's the point of the clutter of the framework?

So I personally wouldn't even go down this road.

I expect many on this list to disagree with the preceding 2 paragraphs.

YMMV

On Tue, March 13, 2007 9:36 am, Tim wrote:
>
>
>> -----Original Message-----
>> From: Haydar Tuna [mailto:haydartuna@xxxxxxxxx]
>> Sent: Tuesday 13 March 2007 14:53
>> To: php-general@xxxxxxxxxxxxx
>> Subject:  Re: question regarding form filtering
>>
>> Hello,
>>        You can write some basic functions such as checking the
>> length of a variable, removing special characters, checking
>> whether a value is a number or a string, trimming blank lines and so
>> on. And then you can use these functions together and write new
>> functions. For example, if you want to check a number (such as
>> a digit count of 4), you can write something like
>> checknumber($number,$digit). Within this function, you can use
>> the length-of-variable function, the remove-special-characters
>> function, the number-or-string check function and the trim-blank-lines
>> function together. :)
>
> Sure I hear you, have been there and done that in the past.
> Maybe the situation I am in will help describe why I am going for
> regular_expressions..
>
> I have made a form generation/(soon to be)validation class with integrated
> contextual help via javascript info popups. I would like to offer the
> possibility of javascript validation for those that have it enabled, for
> obvious practical reasons, being less work load on the server if each does his
> own validation on the client side, and of course server-side validation for
> security reasons.. Now my forms are made like this:
>
> // options array for new form
> $form_options = array(
>     'name'   => 'parametres_site',
>     'aide'   => 'Enregistrer les modifications apportés aux coordonées de l\'entreprise',
>     'bouton' => 'Mettre à jour les paramètres'
> );
> // initialize form class and add new form
> $form = new formulaire($this->debug_mode, $form_options);
> // initialize inputs array
> $input_options = array();
>
> // add a text input with various options based on its type (default values
> // are not listed)
> $input_options[] = array(
>     'name'      => 'nom',
>     'type'      => 'text',
>     'maxlength' => '35',
>     'size'      => '35',
>     'label'     => 'Votre nom :',                        // label
>     'regexp'    => '/^[a-zA-Z1-9_ -]{0,35}$/',           // regexp for content filtering
>                                                          // (hyphen placed last so it is a literal, not a range)
>     'newline'   => 0,                                    // no new line (next input on same line)
>     'aide'      => 'Le nom qui apparaîtra que votre site', // contextual help msg
>     'erreur'    => 'Mauvais caractères dans le nom'      // error msg in case of bad input based on regexp
> );
> $form->add_inputs($input_options, 'parametres_site');
>
> // generate form and if success assign html_form to $content
> if ($form->generer_formulaire('parametres_site')) {
>     $content = $form->html_forms['parametres_site'];
> }
>
> // echo the form to the page
> echo $content;
>
> Ok so my reason for using regexp is that by defining a regexp my class
> can also use this regexp to generate the javascript needed to validate
> each form on the page, as opposed to writing the same functions in both php
> and javascript (class permits unlimited number of forms on one page). My
> process would be:
>
> 1. Display blank form (generate javascript necessary for client-side form
> validation using regexp)
> 2. Submit form to javascript filtering
> 3. If JS filter success then send to php filtering
> 4. Stock all temporary inputs in $formvars array
> 5. Match each $formvars against regexp
> 6. Do something with validated data
>
> My goal is to make this general and not have to write a function for each
> "type" of input; I am happier writing a short regexp for each input than
> writing a new function for each type I could come across...
>
> NOW, my original question is why should I or should I not use regexp?? Is
> there a performance hit or not? Why do I not see anyone just using regexp
> instead of going through htmlentities() stripslashes() strip_tags(), I mean,
> if the regexp doesn't validate it then it's wrong.. Period.. User friendliness
> maybe? Try to make it easier for the person filling the form?
>
> Am stumped, can't seem to find the real reason...
>
> Regards,
>
> Tim
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
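The server-side password checks the reply above lists (length, mixed letters and digits, matching confirmation, username and password not containing each other, and a dictionary lookup that only makes sense in PHP), as an added PHP example that is not code from this thread. The minimum length of 8, the function names, and the /usr/share/dict/web2 path are assumptions (the reply names /usr/share/web2).

```php
<?php
// Added example, not code from the thread. Minimum length and the
// word-list path are assumptions.
const MIN_PASSWORD_LENGTH = 8;

// Build a lookup set (lowercase word => true) from a word list such as
// Webster's 2nd Edition (web2). Returns [] if the file is not readable.
function load_wordlist(string $path): array
{
    if (!is_readable($path)) {
        return [];
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_fill_keys(array_map('strtolower', $lines), true);
}

// Returns the problems found; an empty array means every check passed.
// Runs only in PHP: the browser-side check is a convenience, not a gate.
function check_password(string $user, string $pass, string $confirm, array $words): array
{
    $errors = [];
    if ($pass !== $confirm) {
        $errors[] = 'password and confirmation do not match';
    }
    if (strlen($pass) < MIN_PASSWORD_LENGTH) {
        $errors[] = 'password must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[A-Za-z]/', $pass) || !preg_match('/[0-9]/', $pass)) {
        $errors[] = 'password needs both letters and digits';
    }
    $u = strtolower($user);
    $p = strtolower($pass);
    if ($u !== '' && $p !== '' && (strpos($p, $u) !== false || strpos($u, $p) !== false)) {
        $errors[] = 'username and password must not contain each other';
    }
    // Drop non-letters so "Password1" is still looked up as "password".
    $base = preg_replace('/[^a-z]/', '', $p);
    if ($base !== '' && isset($words[$base])) {
        $errors[] = 'password is a dictionary word';
    }
    return $errors;
}

// Constructed stand-in for the dictionary; in production use
// load_wordlist('/usr/share/dict/web2') instead.
$words = ['password' => true, 'secret' => true, 'dragon' => true];
var_dump(check_password('alice', 'Password1', 'Password1', $words));    // dictionary word plus a digit
var_dump(check_password('alice', 'alice2024', 'alice2024', $words));    // contains the username
var_dump(check_password('alice', 'T4k3th3tr4in', 'T4k3th3tr4in', $words));
```

The JS side can repeat the cheap checks for immediate feedback, but only this PHP result decides whether the password is accepted.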

