RE: question regarding form filtering


> -----Original Message-----
> From: Richard Lynch [mailto:ceo@xxxxxxxxx] 
> Sent: Wednesday, 14 March 2007 09:39
> To: Tim Earl
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re:  question regarding form filtering
> 
> I use PCRE for filtering all the time.
> 
> As a general rule, be sure you are using a pattern that says 
> "allow these valid characters" and not one that says "deny 
> these invalid characters".

Sure, this is what I had in mind, not to mention that a filter for denying
invalid characters will definitely be more complex than one allowing just
letters and numbers in a username, for example :)

> You never know when some user will send Unicode or something 
> so far outside what you expected that your "deny invalid" 
> won't catch it.

Imagine having to take all that into account... Lots of work... Not worth it
for fields that just fill databases with text.
> 
> "allow valid" insures that ONLY the cases you thought of as 
> valid, are valid.
> 
> That said, sometimes the Right Thing to do is to deny invalid 
> characters, such as "newline" in anything you are cramming 
> into email headers, as the spammers send out entire emails 
> crammed into your "Subject" box on form-mail, and then you 
> send out their email for them, as a side-effect of your 
> attempt to send valid email.  Play with an SMTP server and 
> send it some emails by hand to see how this works...

Sounds good. I have played with SMTP, but never tried that approach; I have
heard of the "problem" too and implemented various functions for filtering
form e-mail as well.

> 
> You'd have to be getting a heck of a lot of traffic and have 
> a *TON* of inputs with PCRE being called on them for it to be 
> any significant drain on resources.

Great, I was hoping I was right on that; our framework is for small to medium
businesses that probably won't be generating excessive traffic.
That being said, after all the research I did before coming here, I
think new programmers, or programmers thinking of building fully scalable
frameworks, should try to rethink most of the code that is out there. Much of
the code is grossly "over-greased" with "neat" ways of doing things that
aren't really that useful, notably regarding filtering by combining PHP
functions to do the same job as PCRE. I think in the long run, especially in
terms of scalability, you want to be able to choose your own filtering "rule"
for each input regardless of what "module" you are working on and what form
you are using; otherwise you'll end up with a HUGE form validator with a
single function for EVERY single type of input that can be accepted, and
you'll also end up constantly updating the validator with new functions that
you may use only once throughout the website... Regular expressions IMO (now
that all my questions have been answered and hunches verified) are the way
to go for form filtering in scalable web applications.

> 
> I daresay you couldn't manage to do it at all in a real-world 
> scenario, but I presume somebody somewhere has something weird 
> enough where the PCRE check is "too expensive"...
> 
> The odds that you have that are about 1 in 1,000,000 though.

Feel much better now :P 

Thanks for your input Richard,

Regards,

Tim

"Programming is a race between people making better and faster programs and
the universe making bigger and dumber people. So far the universe is
winning"

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
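The two rules from the exchange above, as an added PHP example (this is not code from either poster): an allow-list pattern for a username, the deny-list version of the same check to show what it misses on input outside the author's expectations, and an explicit deny of CR/LF for anything that ends up in an e-mail header. Function names, the sample inputs and the header-building helper are constructed for illustration.

```php
<?php
// Added example, not from the list post. Demonstrates: allow-list filtering
// for free-form fields versus deny-list filtering, and why a deny-list is
// the right tool for line breaks in e-mail header values.

declare(strict_types=1);

/**
 * Allow-list check for a username: ASCII letters, digits and underscore,
 * 3..32 characters. The /D modifier makes $ match only at the very end of
 * the string; without it, "alice\n" would pass, because $ also matches
 * just before a trailing newline. Using \z instead of $ has the same effect.
 */
function isValidUsername(string $u): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/D', $u) === 1;
}

/**
 * "Deny invalid" version of the same check: rejects whitespace and a few
 * metacharacters the author thought of. Without the /u modifier the engine
 * works on bytes, so \s matches only ASCII whitespace; a multibyte
 * character such as a zero-width space is not on the list and gets through.
 */
function isValidUsernameDenyList(string $u): bool
{
    return strlen($u) >= 3
        && preg_match('/[\s<>"\'\/\\\\;]/', $u) === 0;
}

/**
 * Header fields (Subject, From, Reply-To, ...) must never contain a line
 * break: a CR or LF terminates the header and lets the submitter append
 * headers (Bcc:) and a body of their own. Here the dangerous set is exact,
 * so a deny-list is appropriate. preg_match() returning anything other
 * than 0 (a match, or false on error) is treated as unsafe: fail closed.
 */
function isSafeHeaderValue(string $v): bool
{
    return preg_match('/[\r\n]/', $v) === 0;
}

/**
 * What a naive form-mailer would hand to the MTA. Only here to make the
 * injection visible; a real mailer checks isSafeHeaderValue() first and
 * refuses the request instead of building this string.
 */
function buildHeaders(string $from, string $subject): string
{
    return "From: $from\r\nSubject: $subject\r\n";
}

// Constructed sample inputs (not real form submissions).
$good        = 'tim_earl';
$withNewline = "tim_earl\n";
$zeroWidth   = "tim\u{200B}earl"; // contains U+200B, a zero-width space
$attack      = "Hello\r\nBcc: victim@example.com\r\n\r\nunsolicited body";

foreach ([$good, $withNewline, $zeroWidth] as $candidate) {
    printf("%-16s allow-list: %s  deny-list: %s\n",
        json_encode($candidate),
        isValidUsername($candidate) ? 'accept' : 'reject',
        isValidUsernameDenyList($candidate) ? 'accept' : 'reject');
}

printf("subject %s is %s\n",
    json_encode($attack),
    isSafeHeaderValue($attack) ? 'safe' : 'UNSAFE');

// The header block the attacker would have obtained from an unchecked mailer.
echo buildHeaders('form@example.com', $attack);
```

Running the script shows the allow-list rejecting both the trailing-newline and the zero-width-space usernames, while the deny-list lets the zero-width-space one through; the Subject payload is flagged unsafe, and the printed header block shows the extra Bcc: line and body that an unchecked mailer would have sent. The allow-list itself needs the anchors on both ends; `/[A-Za-z0-9_]+/` without `^` and `$` (or `\A` and `\z`) only asks whether some valid character exists somewhere in the input.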