Re: POST/GET into variables

On Jan 20, 2008 10:06 PM, Nathan Nobbe <quickshiftin@xxxxxxxxx> wrote:
> On Jan 20, 2008 9:47 PM, nihilism machine <nihilismmachine@xxxxxxxxx> wrote:
>
> > how does this look? should this, by me calling ... myforms = new
> > forms();, work by turning all key/value pairs for both get and post
> > into variable names with the same name as the get/post key, and the
> > variable values as the values from the post/get?
> >
> > class forms {
> >
> >        // Some stuff
> >        var $MyPosts;
> >        var $MyGets;
> >        var $CleanedInput;
> >
> >     // Connect to the database
> >        function forms() {
> >                foreach($_POST as $curPostKey => $curPostVal) {
> >                        CleanInput($curPostKey);
> >                        $$curPostKey = $curPostVal;
> >                }
> >                foreach($_GET as $curGetKey => $curGetVal) {
> >                        CleanInput($curGetKey);
> >                        $$curGetKey = $curGetVal;
> >                }
> >        }
> >
> >     // Attempt to login a user
> >        function CleanInput($userInput) {
> >                return $this->CleanedInput;
> >        }
> > }
>
>
> I'm a little bit lost on the comments about connecting to the database and
> logging in a user.  If you are writing a class to filter data in the $_POST
> and/or $_GET, then that's all it should be responsible for.
> The decision you'll have to make is this: will this class simply act as a
> filter for these arrays, which means it will modify the data in those arrays,
> or will it leave the contents of those arrays unaltered and store the filtered
> values in instance variables?  The design of the class will depend upon this
> decision.
> I think if you want to keep it simple, you should shoot for the former
> option.  Then your class would look something like this:
>
> class InputFilter {
>     public static function filterInput($optionalFilter='') {
>         if(count($_GET) > 0) {
>             self::filterArray($_GET, $optionalFilter);
>         }
>         if(count($_POST) > 0) {
>             self::filterArray($_POST, $optionalFilter);
>         }
>     }
>
>     // take the array by reference so $_GET / $_POST are modified in place;
>     // the filtered value is written back under the same key
>     private static function filterArray(array &$array, $optionalFilter='') {
>         foreach($array as $key => $value) {
>             $array[$key] = self::filterValue($value);
>             if(!empty($optionalFilter) && is_callable($optionalFilter)) {
>                 $array[$key] = $optionalFilter($array[$key]);
>             }
>         }
>     }
>
>     private static function filterValue($value) {
>         return trim(stripslashes($value));    /// <-- NOTE: this is only an example
>     }
> }
>
>
> then from client space you would just say
> InputFilter::filterInput();
>
> Then, subsequently, you can use $_POST and $_GET directly with the assumption
> that the input has been escaped.
> And, using the class above, you can also supply a custom filtering function
> on a per-need basis; e.g.
>
> function filterMysql($value) {
>     return mysql_real_escape_string($value);
> }
> InputFilter::filterInput('filterMysql');
>
> NOTE: i just typed this into my mail client, so it might not be perfect.
>
> -nathan
>

Hi Nathan,

I don't think making a single generic function to iterate over every
value in the GET/POST arrays is a very good idea.  Each field on a
form can contain very different pieces of data that should be handled
quite differently.  I know you did point out that "this is just an
example," but nonetheless your class is intended to iterate over
everything with a generic solution.

Say you have three fields: name, email, and a comments textarea.  On the
back end your script should know that the three different fields have
different character limits and they should also be validated
differently.  The email should be checked to make sure it is a valid
email address.  The two other fields can have constraints like the
name field has to be between 4 characters and a max of 64.  Then the
comments has a minimum of 1 and a max of 65535.  How do you accomplish
this with one blanket function without passing in a massive array of
options?  What if there is another field that requires some sort of
number?  If someone came through and typed e3 (not malicious, just a
typo) then the all-in-one would say that is perfect.

There are plenty of filtering libraries available such as
ext/filter[1], Zend_Filter[2], and Stubbles Validators [3].  I lean
towards the Stubbles method of applying reusable filters to data.

These libraries have many eyes on them and are tested pretty well.  To
forego all this work and start your own really requires a bigger
effort than most people realize.

[1] http://php.net/filter
[2] http://framework.zend.com/manual/en/zend.filter.html
[3] http://stubbles.net/wiki/Docs/Validators

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
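As an added example (not code from the thread, and not Nathan's or the reply author's own): per-field validation with ext/filter, which the reply cites as [1], applying the rules the reply describes. The field names, limits and sample input are constructed, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread: each field gets its own rule,
// using ext/filter. Field names, the quantity range and the sample input
// are constructed from the reply's description (assumes PHP 7+).

function validateForm(array $input): array
{
    $errors = [];
    $clean  = [];
    // name: plain string, trimmed, 4..64 characters
    $name = trim((string)($input['name'] ?? ''));
    if (strlen($name) < 4 || strlen($name) > 64) {
        $errors['name'] = 'name must be between 4 and 64 characters';
    } else {
        $clean['name'] = $name;
    }

    // email: FILTER_VALIDATE_EMAIL returns false for a malformed address
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // comments: 1..65535 characters
    $comments = (string)($input['comments'] ?? '');
    if (strlen($comments) < 1 || strlen($comments) > 65535) {
        $errors['comments'] = 'comments must be between 1 and 65535 characters';
    } else {
        $clean['comments'] = $comments;
    }

    // quantity: FILTER_VALIDATE_INT rejects "e3", "12abc" or "1.5", which a
    // blanket trim/escape pass would accept; the range is enforced via options
    $qty = filter_var($input['quantity'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($qty === false) {
        $errors['quantity'] = 'quantity must be a whole number from 1 to 1000';
    } else {
        $clean['quantity'] = $qty;
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST; "e3" is the typo from the reply.
$result = validateForm(['name' => 'Ann', 'email' => 'ann at example.com',
                        'comments' => 'hello', 'quantity' => 'e3']);
print_r($result['errors']); // name, email and quantity are rejected; comments passes
```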