Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: results of the PHP6 wishlists
From: gamblergluck@yahoo.com (Roman Ivanov)
To: internals@lists.php.net
Date: Tue, 15 Nov 2005 08:36:55 -0500

Antony Dovgal wrote:
> On 15.11.2005 15:06, Roman Ivanov wrote:
>
>> This particular extension treats each input variable individually,
>> which is not desirable in the majority of scripts I have worked with. Such
>> an approach adds unnecessary complexity to the script, and requires
>> handling each invalid variable separately as well. But the real problem
>> is that there are many ways of filtering input, and I do not think any
>> of them fits all the situations.
>
>
> Ahha.
> So what exactly do you propose?
> For example, I have 3 different variables: an email, an integer and a
> string.
> How do you think I should filter them ?

Sorry, do not have time to simplify. This is how I do it:

function filterRequest($prototype, $action)
{
    // loadPrototype() and getFilter() are helpers from the author's own
    // framework; they are not shown in this message.
    loadPrototype($prototype);
    $vars = get_class_vars($prototype);
    if (empty($vars['vigilant'])) {
        return $_REQUEST;               // this prototype opted out of filtering
    }
    $filter = getFilter($prototype, $action);
    if ($filter === NULL) {
        return NULL;                    // no filter defined for this action: reject
    }
    if ($filter === TRUE) {
        return $_REQUEST;               // action explicitly accepts any input
    }
    // Note: strict (===) comparisons above; a loose == against NULL or TRUE
    // would match an empty or non-empty rule array respectively.
    $cleanedVars = array();
    foreach ($filter as $fieldName => $rule) {
        if ($rule === TRUE) {
            $cleanedVars[$fieldName] = @$_REQUEST[$fieldName];
            continue;
        }
        $positiveMatch = TRUE;
        if (preg_match('/n\w*$/', $rule)) {
            // a trailing "n" modifier means the field must NOT match the pattern
            $positiveMatch = FALSE;
            $rule = preg_replace('/n(\w*)$/', '$1', $rule); // strip it so PCRE won't complain
        }
        // compare the match result with the expected polarity, so that an
        // "n" rule accepts non-matching values instead of always rejecting
        $matched = (bool) preg_match($rule, @$_REQUEST[$fieldName]);
        if ($matched === $positiveMatch) {
            $cleanedVars[$fieldName] = @$_REQUEST[$fieldName];
        } else {
            user_error("Request filtered out because of '$fieldName' field", E_USER_WARNING);
            return NULL;
        }
    }
    return $cleanedVars;
}

>> >> "Part of the standard API, which is included with PHP and compiles by
>> >> default", if you will.
>> >
>> >
>> > So, basically you're objecting against enabling it by default?
>> > Why? I really do not see a reason not to include it by default, if it
>> > helps to write more secure code.
>> > (remember that "enabled by default" means you can disable it in a
>> moment).
>>
>> Well, I think that everything in the core distribution is a suggested
>> standard. But a language should not, in my opinion, suggest any
>> particular structure for the program, unless it's absolutely
>> necessary. It's not a major issue, but still...
>
>
> Sorry, I refuse to understand that.
> The language HAS to recommend a way to do something and to allow the user to
> choose any other way if the recommended one doesn't fit his/her needs.

Perl: There is more than one way to do it.
Java: There is more than one way to do it, as long as you're doing it our way.
C: Use assembly.
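As an added example (not Roman's code and not ext/filter's), the three fields from Antony's question filtered as one request against a declarative rule table, so that one invalid field rejects the whole request; filterRequestTable(), its rule syntax and the sample input are this example's own assumptions.

```php
<?php
// Constructed example: whole-request filtering of an email, an integer and a
// string against a rule table. Any failure returns NULL (fail closed).
function filterRequestTable(array $request, array $rules)
{
    $clean = array();
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $request) || is_array($request[$field])) {
            return NULL; // missing, or an array (?field[]=x) where a scalar was expected
        }
        $value = (string) $request[$field];
        switch ($rule[0]) {
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) return NULL;
                $clean[$field] = $value;
                break;
            case 'int':
                // FILTER_VALIDATE_INT rejects "12abc" and "1e3"; range is enforced too
                $opts = array('options' => array('min_range' => $rule[1], 'max_range' => $rule[2]));
                $int = filter_var($value, FILTER_VALIDATE_INT, $opts);
                if ($int === false) return NULL;
                $clean[$field] = $int; // stored as a real integer, not the raw string
                break;
            case 'regex':
                // preg_match() returns false on error: treat anything but 1 as a failure
                if (preg_match($rule[1], $value) !== 1) return NULL;
                $clean[$field] = $value;
                break;
            default:
                return NULL; // unknown rule type: fail closed rather than pass through
        }
    }
    return $clean;
}

// Rule table for the three fields. The string rule is anchored with \A and \z:
// a pattern anchored with $ would still accept a value ending in "\n".
$rules = array(
    'email' => array('email'),
    'page'  => array('int', 1, 1000),
    'name'  => array('regex', '/\A[\pL\pN .\'-]{1,64}\z/u'),
);

// Constructed sample input standing in for $_REQUEST.
$good = array('email' => 'user@example.com', 'page' => '42', 'name' => "O'Brien");
$bad  = array('email' => 'user@example.com', 'page' => '42', 'name' => "O'Brien\n");

var_dump(filterRequestTable($good, $rules)); // all three fields pass
var_dump(filterRequestTable($bad, $rules));  // the trailing newline in 'name' rejects the request
```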