Re: removing last chrs (with different browsers giving different last chrs )

Jerry Stuckle meinte:
Gregor Kofler wrote:

Well, the is_this_an_integer_regex is not *that* hard to understand. The one for the email or URIs is another chapter, but there are hardly any alternatives.


Not to YOU is isn't - but to someone unfamiliar with regex's, it is quite complicated.

Hey, it's *my* framework. If I have to share it (it's reasonably documentented, but I wrote it for me), then he/she can resort to Rex::INT_EXCL_ZERO or whatever. Regular expressions are an important component in most contemporary programming languages. If someone is either not willing or not capable of understanding _basic_ regular expressions, he/she shouldn't be a programmer in the first place.

Yes, I agree ones for email or URIs have little recourse, but there are lots of options for numeric values which are faster and easier to understand.

In my approach it looks this way:
private $allowed_parameters = array(
'id' => Rex::INT_EXCL_ZERO,
'name' => Rex::TEXT_NOT_EMPTY,
'category' => array('foo', 'bar', 'baz')
);
(There is this other option: an enumeration with discrete values; find that nicer than: /^(foo|bar|baz)$/ - but both yield the same result.
And what's so difficult to understand about that?

Sure. I loop through all fields that need validation, apply the prviously assigned appropriate "rule" and fill an array with all errors encountered. Of course you need an if statement (or ternary operator) to do that.


So, what's the difference? You're the one complaining about 'if' statements.

Sigh.

You need:
<loop>
switch ($type):
case 'int':
if(...) {
$error = ...;
}
break;
case 'text':
if(...) {
$error = ...;
}
break;
case 'other':
if(...) {
$error = ...;
}
break;
</loop>

I need (taking into account that I allow regex and enums with arrays):
<loop>
if($type = 'regex') {
if(...) {
$error = ...;
}
}
else {
if(...) {
$error = ...;
}
}
</loop>

Sure. These additional rules are "special", as I said: admin emails, dependencies of dates, etc. For most bog standard forms I don't need that though. I should also mention, that proper escaping of each and every data before db manipulation is done by the db class.


You're the one complaining about 'if' statements. I'm just bringing up the fact you aren't saving anything.

Again: YMMV. My scripts are short and concise. And - since some of the projects get maintained by others, too - obviously not that hard to understand. Those "special checks" are - as the name indicates - not needed regularly.

Then I'd provide a (boolean) database field "display", which will allow him to add categories and (de-)activate them at will. Anyway, where is the problem? In this scenario, a faker could add something to a category that exists, but won't be displayed anyway...


That's one way - but again, it means adding another column, fetching it from the database every time, just for the few times it's not required.

And this point I resort to "YMMV". There are situations where my solution is not the most efficient or the most convenient one.

Quite true. I don't add unnecessary things to the database. It just confuses the situation.

Yes, but *if* there can be categories in existence, that are not visible, but otherwise perfectly valid I would model this into the database.

Now if this is something which will change regularly, then I probably would. But then I would also build the list from the database. However, if the categories are stable, then no, I probably wouldn't.

Agreed. Though I seriously doubt that one or two extra queries will have that much of an impact. Poorly designed, badly normalized, wrongly indexed databases are much more of a culprit.

Where did you read about "system error message" in my answer? It will display something like "Your request could not be processed, due to an internal problem. Please retry in a few minutes or inform the administrator." Parse that into something exploitable. But something like my "Dude you gave category 6, but I offered you only 1 to 5!" - come on, the "normal" user won't create such an error, only the one trying to compromise the page. And now this one knows, that I explicitly check the category ids. Not a valuable information, but at least some information.


Wow - that's really a helpful message. What do you think your users think when they see that?

(a) What should I tell them? That's the truth. The database has a serious (internal) problem. Give it a rest and try again. They will hardly ever see that. (In fact I'm pretty sure, that on all the webpages I've done so far, no one ever came across it, i.e. the db always responded properly.)


If a field is in error, you should tell them that field is in error.

Am I really so hard to understand, or do you do that deliberately?
Once I deliver a perfectly valid query to the db and the db tells me something like "MySQL went away", what am I supposed to tell the user?

There is nothing wrong with the database; rather you aren't properly validating the user input.

Bollocks! I am *always* validating the user input properly and give proper feedback, as long as we have a "proper user". This "proper user" will find it impossible to choose a category that raises a foreign key violation. The one who doesn't is the bot. And this one doesn't deserve a meaningful error message.

(b) Why should I care? It's a bot trying to breach my system.

Maybe, maybe not.

Don't be cryptic! Give me a nice example, of how a "normal user" with a "normal form" equipped only with technically sound options could create a corrupt POST request.

Gregor


--
http://www.gregorkofler.com
http://web.gregorkofler.com - vxJS, a JS lib in progress
.

Relevant Pages

  • Re: removing last chrs (with different browsers giving different last chrs )
    ... I don't have one function which tries to validate everything. ... This ensures the value is an integer and puts out a meaningful error message if it isn't. ... that proper escaping of each and every data before db manipulation is done by the db class. ... but otherwise perfectly valid I would model this into the database. ...
    (comp.lang.php)
  • Re: ldb File and Sharing Violations (server Speed Issue?)
    ... We are intermittently receiving either of the following two messages: ... the database actually DOES reflect the proper data when ... >> We are migrating some asp based apps that use MS Access for the back end ... >> database and the error messages are wrong. ...
    (microsoft.public.inetserver.asp.db)
  • Re: What was that about clinging to guns?
    ... waiting period is a decent idea in order to do a *proper* background ... information is in the database then what "proper" check is left to do? ... Picture yourself using your credit card and the store telling you that the ...
    (rec.music.gdead)
  • Re: OO Design, Physical Implementation, DAOs
    ... > of DataAdapter objects, Command objects, and sql statements which are ... > instruction/examples on the proper way to construct the DAL? ... particular database if you're not careful. ...
    (comp.object)
  • Re: Case Sensitive String Comparisons
    ... > As to why this is even important in a database... ... > industry, and since the database is being used in mailings, I would like ... >> entries are set to proper. ... >>> Nick ...
    (microsoft.public.access.formscoding)
Loading