  1. #1 SitePoint Enthusiast (joined Aug 2004; Europe; 59 posts)

    filter or validate?

    Hi, I'm coding a form mailer.
    A common validation problem with user input data, like name, address, etc.
    A user submits a string outside the textbox max length, a huuuge string.
    I want to put a filter or validator in for this case, and I'd like to hear some comments on how you handle this.

  2. #2 stereofrog, SitePoint Wizard (joined Apr 2004; Germany; 4,324 posts)
    Validator is a query ("does it look ok?"), filter is an action ("make it look ok"). Which one to use is your decision.

  3. #3 Hammer65, SitePoint Wizard (joined Nov 2004; Lincoln, Nebraska; 1,160 posts)
    They can accomplish the same goals or different ones. In other words, you need not bother the user if an input has leading and trailing spaces; you would if the data they entered in an email field was not a valid email.

    If a spammer hits your form, and tries to inject mail headers via your form fields, proper validation would reject that submission and not send mail. There is no reason to filter the data and send it, because what they want to send is garbage.

    If you are inserting data into a database, what you validate and what you filter depends on the ability of the script to actually do something with the data to keep it in the desired format.

    Once a dataset gets to be a few hundred records, it becomes valuable enough that protecting the integrity of the data is important. All dates and phone numbers (SSN, etc.) should be the same format, emails should be valid and so on. If there is no way to filter a particular type of input to ensure the proper data format, then validate it and insist that it be entered correctly.
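    The split Hammer65 describes for a form mailer, as an added example that is not code from the thread: surrounding whitespace is filtered silently, while an invalid address or a line break in a header-bound field (the way extra mail headers get injected) fails validation and the mail is never sent. The field names, the length limits and the sample submissions are assumptions constructed for the example.

```php
<?php
// Added example, not from the thread. Field names and limits are assumptions.
declare(strict_types=1);

const MAX_NAME_LEN = 100;   // assumed limits for the form
const MAX_BODY_LEN = 4000;

/**
 * Returns a list of error strings; an empty list means the submission is valid.
 * Values that end up in mail headers (name, email, subject) must never contain
 * CR, LF or NUL: a line break is exactly how an extra "Bcc:" header is smuggled in.
 */
function validateMailForm(array $input): array
{
    $errors = [];

    foreach (['name', 'email', 'subject', 'message'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[] = "$field is missing";
        }
    }
    if ($errors !== []) {
        return $errors;
    }

    // Filter step: leading/trailing whitespace is not worth bothering the user
    // about, so it is trimmed silently (no fail condition).
    $name    = trim($input['name']);
    $email   = trim($input['email']);
    $subject = trim($input['subject']);
    $message = trim($input['message']);

    // Validate step: header-bound fields with line breaks are rejected outright,
    // not "cleaned" and sent, because what the sender wants to send is garbage.
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n\0]/', $value) === 1) {
            $errors[] = "$field contains line breaks (possible header injection)";
        }
    }

    // strlen() bounds bytes, which is what matters for an oversized submission.
    if ($name === '' || strlen($name) > MAX_NAME_LEN) {
        $errors[] = 'name must be 1 to ' . MAX_NAME_LEN . ' characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($message === '' || strlen($message) > MAX_BODY_LEN) {
        $errors[] = 'message must be 1 to ' . MAX_BODY_LEN . ' characters';
    }

    return $errors;
}

// Constructed sample submissions, not real traffic.
$good = ['name' => '  Alice  ', 'email' => 'alice@example.com',
         'subject' => 'Hello', 'message' => 'Just saying hi.'];
$injected = ['name' => 'Bob', 'email' => "bob@example.com\r\nBcc: someone@example.net",
             'subject' => 'Hi', 'message' => 'unsolicited'];

print_r(validateMailForm($good));       // empty array: send the mail
print_r(validateMailForm($injected));   // errors: do not send
```

    Only submissions that come back with an empty error list reach the mail() call; the trimmed values, not the raw `$_POST` ones, are what gets used from then on.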

  4. #4 santouras, Team SitePoint (joined Jul 2006; planet earth; 273 posts)
    validate code from a user

    filter code before inserting into a db

    You shouldn't really accept code from a user in a non-valid way, and filter it to say "o I guess you meant this?". It's just not a good practice. Validate everything from the user to make sure it's in the format you're expecting. Data filtering should be limited to making sure that it's escaped correctly and safe for storing.
    my utility belt tells me its to the bar batman

    read the manual then google it then do a search THEN post....

  5. #5 Cups, SitePoint Wizard (joined Oct 2006; France, deep rural; 6,869 posts)
    ...and I'd like to hear some comments on how you handle this.
    Let's say you had a telephone number input box, and you set the HTML MAXLENGTH on it to 15 chars.

    PHP Code:
    if ( strlen($_GET['tel']) > 15 ) {
        // abort everything, and redirect
    }

    As you say, that could be 2GB of data they sent you; whether they send 16 chars or 16 million, someone's messing about.

    OK, so you stipulate that they can only send numbers and spaces in the Tel input box.

    Run a simple regex over it, right?

    But what I would do before the regex is to replace any letter 'o' with a number '0', because that's the kind of mistake my mom would make.

    Hence I don't wholeheartedly agree with this statement:
    You shouldn't really accept code from a user in a non-valid way, and filter it to say "o I guess you meant this?". It's just not a good practice. Validate everything from the user to make sure it's in the format you're expecting. Data filtering should be limited to making sure that it's escaped correctly and safe for storing.
    So THEN I'd verify there were only numbers and spaces, and for good measure I'd *_real_escape_string() it as it goes into the db, because even I make mistakes.

    Now which of those is termed filtering and which validating, I am not sure.

  6. #6 santouras, Team SitePoint (joined Jul 2006; planet earth; 273 posts)
    Filtering implies a passive step, something which does not have a fail condition. Validating implies an aggressive step which does have a fail condition. Anything where the data can fail and be refused is counted as validating; anything where the data is vetted and then used without reporting an error is counted as filtering.

  7. #7 Cups, SitePoint Wizard (joined Oct 2006; France, deep rural; 6,869 posts)
    Right, thanks for that explanation, santouras.

  8. #8 kyberfabrikken, SitePoint Wizard (joined Jun 2004; Copenhagen, Denmark; 6,157 posts)
    Quote Originally Posted by santouras:
    filter code before inserting into a db
    That strikes me as a bad idea. You should filter as close to input as possible. What you're talking about is probably escaping, which is something you do when embedding strings into an SQL query. That would happen close to the query being executed.

  9. #9 SitePoint Enthusiast (joined Nov 2005; 76 posts)
    I like the doctrine, "Be liberal in what you accept, but conservative in what you output." Usually, filtering and validation are done in conjunction, although in your case, a form mailer, most of the fields will only need validation.
    HTML Purifier - Standards-Compliant HTML filtering

  10. #10 Cups, SitePoint Wizard (joined Oct 2006; France, deep rural; 6,869 posts)
    Let me get this right then: validate as soon as you can, do the easiest things first, then escape and store.

    Stay away from describing that process as a "filter" (I must admit that filter sounds like "send a to b or c depending on condition x"; I mean I have done that, but not from a security POV).
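    The sequence the thread settles on for the telephone field in #5, with kyberfabrikken's point from #8 that escaping belongs next to the query and the summary in #10, as one added example that is not code from the thread: the cheapest check (length) runs first, the one forgivable typo ('o' for '0') is filtered near the input with no fail condition, strict validation follows, and the value is bound to a prepared statement at the query. The `tel` field name, the 15-character limit, the SQLite in-memory table and the sample inputs are assumptions; binding a parameter is used here in place of the `*_real_escape_string()` call the thread mentions, since it does the same job without hand escaping.

```php
<?php
// Added example, not from the thread. Field name, limit, table and inputs are assumptions.
declare(strict_types=1);

const TEL_MAX_LEN = 15;   // matches the assumed HTML maxlength on the input

/**
 * Step 1, cheapest check first: anything longer than the form allows is
 * someone "messing about", so refuse before doing any further work.
 */
function isPlausibleLength(string $raw): bool
{
    return strlen($raw) <= TEL_MAX_LEN;
}

/**
 * Step 2 (filter, close to the input): forgive the one mistake we choose to,
 * letter o/O typed for the digit 0, and drop surrounding whitespace.
 * No fail condition, so in santouras's terms this is filtering.
 */
function filterTel(string $raw): string
{
    return strtr(trim($raw), ['o' => '0', 'O' => '0']);
}

/**
 * Step 3 (validate): digits separated by single spaces, nothing else.
 * Has a fail condition, so this is validation.
 */
function isValidTel(string $tel): bool
{
    return preg_match('/^\d+(?: \d+)*$/', $tel) === 1;
}

/**
 * Runs steps 1 to 3; returns the clean value, or null when the input is rejected.
 */
function processTel(string $raw): ?string
{
    if (!isPlausibleLength($raw)) {
        return null;
    }
    $tel = filterTel($raw);
    return isValidTel($tel) ? $tel : null;
}

/**
 * Step 4 (escape, close to the query): bind the value instead of concatenating
 * it into the SQL. The driver keeps data and query text apart, which is what
 * *_real_escape_string() was doing by hand.
 */
function storeTel(PDO $db, string $tel): void
{
    $stmt = $db->prepare('INSERT INTO contacts (tel) VALUES (:tel)');
    $stmt->execute([':tel' => $tel]);
}

// Constructed inputs, not real submissions: a typo to forgive, an oversized
// string to refuse on length, and a value the regex must reject.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, tel TEXT NOT NULL)');

foreach (['0o1 234 5678', str_repeat('1', 40), '555 123x'] as $raw) {
    $tel = processTel($raw);
    if ($tel === null) {
        echo 'rejected: ' . substr($raw, 0, 20) . PHP_EOL;
        continue;
    }
    storeTel($db, $tel);
    echo "stored: $tel" . PHP_EOL;
}
```

    One caveat on the "2GB" case from #5: by the time `strlen()` runs, PHP has already read the request body, so the real ceiling on an oversized submission is the `post_max_size` setting (and the web server's own request size limit); the length check above only keeps the script from doing further work on junk.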
