> -----Message d'origine----- > De : Richard Lynch [mailto:ceo@xxxxxxxxx] > Envoyé : mercredi 14 mars 2007 09:39 > À : Tim Earl > Cc : php-general@xxxxxxxxxxxxx > Objet : Re: question regarding form filtering > > I use PCRE for filtering all the time. > > As a general rule, be sure you are using a pattern that says > "allow these valid characters" and not one that says "deny > these invalid characters". Sure, this is what i had in mind, not counting the filter for denying invalid characters will definately be more complex then allowing just letters and numbers in a username for example :) > You never know when some user will send Unicode or something > so far outside what you expected that your "deny invalid" > won't catch it. Imagine having to take all that into account.. Lot's of work.. Not worth it for fields that just fill databases with text. > > "allow valid" insures that ONLY the cases you thought of as > valid, are valid. > > That said, sometimes the Right Thing to do is to deny invalid > character, such as "newline" in anything you are cramming > into email headers, as the spammers send out entire emails > crammed into your "Subject" box on form-mail, and then you > send out their email for them, as a side-effect of your > attempt to send valid email. Play with an SMTP server and > send it some emails by hand to see how this works... Sound good, I have played with smtp, but never tried that approach, have heard of the "problem" aswell and impleted various function for filtering form e-mail as well > > You'd have to be getting a heck of a lot of traffic and have > a *TON* of inputs with PCRE being called on them for it to be > any significant drain on resources. Great, was hoping i was right on that, our framework is for small to medium business that probably won't be generating excessive traffic. Also that being said, after all the research i did before coming here, i think new programmers, or programmers thinking of building fully scalable frameworks should try to rethink most of the code that is out their much of the code is grossely "over-greased" with "neat" ways of doing things that arent really that usefull.. Notably regarding filtering by combining PHP functions to do the same job as PCRE, i think in the long run especially in terms of scalability you want to be able to chose your own filtering "rule" for each input regardless of what "module" you are working on and what form you are using, other wise you'll end up with a HUGE form validator with a single function for EVERY single type of input that can be accepted, and alos you'll end up constantly updating the validator with new functions that you may use only once throughout the website... Regular expressions IMO (now that all my questions have been answered and hunches verified) are the way to go for form filtering in scalable web applications.. > > I daresay you couldn't manage to do it at all in a real-world > scenario, but I presume somebody somewhere has somethng weird > enough where the PCRE check is "too expensive"... > > The odds that you have that are about 1 in 1,000,000 though. Feel much better now :P Thanks for your input Richard, Regards, Tim "Programming is a race between people making better and faster programs and the universe making bigger and dumber people. So far the universe is winning" -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
