Comments on Jeremiah Grossman: Input validation or output filtering, which is better?
(comment feed, last updated 2024-02-08)

Anonymous, 2007-01-30 16:47:

Usually strict checking against a predefined pattern is a nightmare for users - everyone writes dates and phone numbers differently.
In such cases I prefer _extraction_ of data.
For example, instead of checking for the proper arrangement of spaces, hyphens, etc. in a phone number, just remove all non-digit characters and you'll have safe and bulletproof input.

Oh, and please don't forget that + is a legal character in an e-mail username!
MTAs (gmail) can use it for tagging/filtering (username+tag@example.com)

Kyran, 2007-01-30 20:00:

Input? Output? I'll have a little of each on my webapp plate please.

Jeremiah Grossman, 2007-01-31 13:02:

Hi kl,

With complex data types, for the most part I agree, but these were just examples. The point I was trying to make was to be as restrictive as you can. Then balance with usability accordingly.

Anonymous, 2007-02-03 03:27:

haha, in your online shop example you didn't check the quantity ;-)

found some quite prominent homepages having these kinds of issues.

-- beNi mybeNi.tk

Jeremiah Grossman, 2007-02-04 22:20:

beNi: Heheh, I would have put that part in the isAvailable method. :)

ron777, 2007-10-29 12:56:

J,
if possible, can you explain your regex:

$data =~ s/(<|>|\"|\'|\(|\)|:)/'&#'.ord($1).';'/sge;
or
$data =~ s/([^\w])/'&#'.ord($1).';'/sge;

Jeremiah Grossman, 2007-10-29 13:50:

Both regexes take special characters and convert them into HTML entities.
Basically so the data can't execute as HTML.

Fr0st, 2008-11-21 05:42:

I am pleased to visit your blog. The type of content is awesome. Hope you carry out the task in future for beginners like me.

Gary, 2009-12-01 15:10:

I like this article because, however short, it provides some basics that I haven't found in too many places - which is kind of a surprise. Many write and talk about the importance but details are hard to find.

Establishing class objects for data types may not necessarily be the ideal way to go. One can be limited by their web software architecture (class objects may not be so easy to implement) and relying on built-in object verification can easily ignore data that doesn't fit into a predefined object class. A programmer not used to consciously using input validation functions could be more likely to skip validation.

I also dislike using regular expressions for quick data validation in most cases (what a waste of a computer) - I like the comment that data should be extracted (and validated), which is what I do.