RE: [PHP] Re: question regarding form filtering
- From: ceo@xxxxxxxxx ("Richard Lynch")
- Date: Wed, 14 Mar 2007 03:48:22 -0500 (CDT)
I personally would not presume that PHP and JS regex patterns are 100%
compatible...
Store a separate pattern for each.
And, actually, the PHP check might be more involved than the JS check.
For example, if the user is making up a password, and this password
has access to something that's actually sensitive and worth protecting
(money, medical records, private matters)...
You should probably have JS and PHP to check that the password is long
enough, has mixed alpha and digit, that the password and confirmation
match, that neither password nor username contains the other as a
substring, etc.
But in PHP you'd probably *ALSO* want to check against a database of
words (say the one in /usr/share/web2, Webster's 2nd Edition
dictionary, now in the public domain) and make sure they did not
choose a simple word.
You almost for sure do *NOT* want to attempt to send the entire
Webster's 2nd Edition dictionary to the browser as JS data so that the
JS can check. :-)
I suppose you could do a Web 2.0 Ajax-y thingie for that...
At any rate, the validation in JS may not always be exactly the same
as in PHP, even if their PCRE patterns are 100% compatible, which I
doubt.
For anything that really matters, your sanitation probably ought to be
custom-tailored rather than off-the-rack anyway...
Plus, the easy ones are easy, and the framework probably won't handle
the hard ones, so what's the point of the clutter of the framework?
So I personally wouldn't even go down this road.
I expect many on this list to disagree with the preceding 2 paragraphs.
YMMV
On Tue, March 13, 2007 9:36 am, Tim wrote:
-----Original Message-----
From: Haydar Tuna [mailto:haydartuna@xxxxxxxxx]
Sent: Tuesday, 13 March 2007 14:53
To: php-general@xxxxxxxxxxxxx
Subject: [PHP] Re: question regarding form filtering
Hello,
You can write some basic functions such as checking the
length of a variable, removing special characters, checking
for a number or string, trimming blank lines and so on. And then
you can use these functions together and write new
functions. For example, if you want to check a number (such as
one with a digit count of 4), you can write something like
checknumber($number,$digit). Within this function, you can use
the length-of-variable function, the removing-special-characters
function, the checking-number-or-string function and the trimming-
blank-lines function together. :)
Sure, I hear you, have been there and done that in the past.
Maybe the situation I am in will help describe why I am going for
regular expressions..
I have made a form generation/(soon to be) validation class with
integrated contextual help via javascript info popups. I would like to
offer the possibility of javascript validation for those that have it
enabled, for obvious practical reasons, being less work load on the
server if each does his own validation on the client side, and of course
server-side validation for security reasons.. Now my forms are made like
this:
    // options array for new form
    $form_options = array(
        'name'   => 'parametres_site',
        'aide'   => 'Enregistrer les modifications apportés aux coordonées de l\'entreprise',
        'bouton' => 'Mettre à jour les paramètres'
    );
    // initialize form class and add new form
    $form = new formulaire($this->debug_mode, $form_options);
    // initialize inputs array
    $input_options = array();
    // add a text input with various options based on its type (default values
    // are not listed)
    $input_options[] = array(
        'name'      => 'nom',
        'type'      => 'text',
        'maxlength' => '35',
        'size'      => '35',
        'label'     => 'Votre nom :',                         // label
        // regexp for content filtering; the literal hyphen goes last in the
        // class so it is not read as the out-of-order range "_- ", which
        // fails to compile in both PCRE and JavaScript
        'regexp'    => '/^[a-zA-Z1-9_ -]{0,35}$/',
        'newline'   => 0,                                     // no new line (next input on same line)
        'aide'      => 'Le nom qui apparaîtra que votre site', // contextual help msg
        'erreur'    => 'Mauvais caractères dans le nom'       // error msg in case of bad input based on regexp
    );
    $form->add_inputs($input_options, 'parametres_site');
    // generate form and if success assign html_form to $content
    if ($form->generer_formulaire('parametres_site')) {
        $content = $form->html_forms['parametres_site'];
    }
    // echo the form to the page
    echo $content;
Ok, so my reason for using regexp is that by defining a regexp my
class can also use this regexp to generate the javascript needed to
validate each form on the page, as opposed to writing the same functions
in both php and javascript (the class permits an unlimited number of
forms on one page). My process would be:
1. Display blank form (generate the javascript necessary for client-side
form validation using the regexp)
2. Submit form to javascript filtering
3. If JS filter success then send to php filtering
4. Stock all temporary inputs in $formvars array
5. Match each $formvars against regexp
6. Do something with validated data
My goal is to make this general and not have to write a function for
each "type" of input; I am happier writing a short regexp for each input
than writing a new function for each type I could come across...
NOW, my original question is why should I or should I not use regexp??
Is there a performance hit or not? Why do I not see anyone just using
regexp instead of going through htmlentities(), stripslashes(),
strip_tags()? I mean, if the regexp doesn't validate it then it's
wrong.. Period.. User friendliness maybe? Try to make it easier for the
person filling the form?
Am stumped, can't seem to find the real reason...
Regards,
Tim
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
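The server-side password checks Richard lists near the top of this message (length, mixed letters and digits, confirmation match, no username/password overlap, and a dictionary lookup that only makes sense in PHP), as an added example that is not code from this thread. The function name, the 8-character minimum and the four-word list are constructed stand-ins; the list stands in for a real word file such as the web2 dictionary he mentions.

```php
<?php
// Added example, not from the thread: Richard's server-side password checks
// as one function returning the list of problems found (empty = acceptable).
// $dictionary is an array keyed by lowercase word; in production build it
// from a word file (e.g. web2) with array_fill_keys(file(...), true).

function password_problems(string $username, string $password,
                           string $confirm, array $dictionary): array
{
    $problems = [];

    // minimum length: 8 is a constructed value, set it to your own policy
    if (strlen($password) < 8) {
        $problems[] = 'too short';
    }
    // mixed alpha and digit; PCRE syntax is fine here since this runs in PHP
    if (!preg_match('/[A-Za-z]/', $password) || !preg_match('/\d/', $password)) {
        $problems[] = 'needs both letters and digits';
    }
    // constant-time comparison; a habit worth keeping wherever secrets are compared
    if (!hash_equals($password, $confirm)) {
        $problems[] = 'password and confirmation differ';
    }
    // neither username nor password may contain the other (case-insensitive)
    $u = strtolower($username);
    $p = strtolower($password);
    if ($u !== '' && $p !== '' && (str_contains($p, $u) || str_contains($u, $p))) {
        $problems[] = 'password and username overlap';
    }
    // dictionary check on the alphabetic core, so "password1" still hits
    $core = preg_replace('/[^a-z]/', '', $p);
    if ($core !== '' && isset($dictionary[$core])) {
        $problems[] = 'based on a dictionary word';
    }
    return $problems;
}

// constructed mini word list, keyed for O(1) lookup; replace with the real file
$dictionary = array_fill_keys(['password', 'secret', 'welcome', 'dragon'], true);

var_dump(password_problems('alice', 'Password1', 'Password1', $dictionary));
var_dump(password_problems('alice', 'xk7Qm2pLw9', 'xk7Qm2pLw9', $dictionary));
```

The first call is rejected for being a dictionary word plus a digit, the second passes every check; the word list is never sent to the browser, which is exactly why this check stays in PHP.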