How is adding Javascript to make it look good then PHP validation on the next page lazy?  I'd say that's the opposite of lazy.  Lazy is the fact that I work on this once a month, that's lazy, but you don't see very often people doing things like this actually going out of their way to make it look good and work like I am.  I have a policy in place, I wrote up a huge post at my own site about exactly how all of this was gonna go down.  I have papers written up at home detailing every step of the process, validation, submission, everything.  I'd say that you're being a little too assuming in what you're thinking about me, maybe you should have asked.  Just because I do one step at a time doesn't mean I only have one step at a time planned, I have the whole thing planned.

You should always validate your XHTML and CSS and run your JavaScript through JSLint.  You don't have to do it after every single change, but you should do it once per hour or so.  Small errors in XHTML, CSS, and JavaScript can affect a page's behavior quite significantly.

 

Screw up your XHTML and the CSS rules may not be followed properly.  Goof up in your JavaScript and it may do all sorts of weird things.

 

Have you ever added a CSS rule that didn't work properly?  So you end up having to add more and more CSS rules or maybe extra markup to get it working?  Perhaps the original rule didn't work because of your invalid XHTML.  So you write all this extra crap trying to get it pretty when if you'd just validated all your stuff it probably would have worked from the get-go.

 

But sure.  You can validate at the very end after you've already wasted countless hours "hacking" around the results of your own carelessness.

Come on, even if you did the following, for example, your XSS would be superb.

 

<?php
function clean($text){
    $text=strip_tags('allowed tags',$text);
    $text.=trim($text);
    $text.=filter_var($text,FILTER_SANITIZE_STRING); // works in php 5 only
    return $text;
}
$example=clean($_POST['example']);
echo htmlentities($example,ENT_NOQUOTES);
?>


 

 

Also, I would recommend using jQuery's Validation Plugin if you choose to do JavaScript validation as well as PHP validation.

 

 

<?php
function clean($text){
    $text=strip_tags('allowed tags',$text);
    $text.=trim($text);
    $text.=filter_var($text,FILTER_SANITIZE_STRING); // works in php 5 only
    return $text;
}
$example=clean($_POST['example']);
echo htmlentities($example,ENT_NOQUOTES);
?>


 

For the love of god, why do you keep posting that function all over this forum? It doesn't work. It's very pointless

No. It's not. For some reason it's a function that takes some input and performs two validation functions and one other function and concatenates the results together.

 

Fixing the other error, that the arguments to strip_tags are the wrong way round, and using the test input " Foobar ", we get the result " Foobar Foobar Foobar Foobar". Does that look right to you?

 

<?php
function clean($text){
    $text=strip_tags($text);
    $text.=trim($text);
    $text.=filter_var($text,FILTER_SANITIZE_STRING); // works in php 5 only
    return $text;
}
$example=clean(" Foobar ");
echo htmlentities($example,ENT_NOQUOTES);
?>

 

Now, ignoring the fact that this function clearly does not work there is no one single function you can use for every single example. Validation is not that simple. Nothing really is. Now please, stop posting it everywhere. It doesn't impress anyone.

My intention is not to attack you but to attempt to make you see that, in this instance, the code you're suggesting isn't that great. I've seen you post it up so many times in various forms and I've also seen other criticisms of it. That leaves me with no choice but to show, in the bold light of day, that it was a bit pointless.

Well stop pasting your function all over the place and it won't be as visible.  The more visible you make something, the more it will be scrutinized.  You can either be upset that someone tells you it sucks, or you can learn to make it better.  Start by asking the person who told you it sucks how they would make it better. 

 

If you want to nitpick about respect, be respectful and stop spamming stuff all over the place.

I have posted code that's wrong, I think most of us have, but we try not to repeat that mistake. The fact that the exact same code (above) has been proven to be wrong in many posts kinda makes us wonder why you keep posting it!

Point taken. Now can we treat each other with respect instead of attacking each other? Telling someone how much they suck at coding just isn't professional at all to me.

 

Dude, you've been called out on this multiple times. I've personally done it a few times myself.

 

Besides, it's not validation, it's filtering. Validation is e.g. "does this only contain digits? No, 'g' isn't a digit, we'll tell the user to type in something correct". Filtering is taking any value and making sure it fits whatever you're using it for, e.g. escaping quotes for a SQL query. Also note that "whatever you're using it for" is key here. You're not supposed to run htmlentities in a SQL context, but in an HTML context. Also, your function presupposes that HTML tags should never be in any string. That's incredibly presumptuous, and it might not always be the case. If you ever need a string with absolutely no HTML, then run it through strip_tags() when you do.

 

Running it through all the possible filtering functions you can think of is not a good idea.

 

Perhaps it's unprofessional the way we said it here, but it's no less unprofessional than constantly posting bad advice despite the fact that you've been told it is numerous times.
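As an added example (mine, not code from any poster in this thread), the distinction drawn above between validating a value and escaping it for one specific context, applied to the form's Gamertag and Email fields; the gamertag rule, the table layout and the use of an in-memory SQLite database are assumptions:

```php
<?php
// Added example, not from any poster. Validation accepts or rejects the raw
// value; escaping happens at output, once, for the context the value lands in.
// Field names follow the form in the thread; the rules below are assumed.

// Validation: the value is either acceptable as typed or rejected with a message.
function validateGamertag(string $value): bool {
    // Assumed rule: 1 to 15 letters, digits or spaces, not starting or ending with a space.
    return preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9 ]{0,13}[A-Za-z0-9])?$/', $value) === 1;
}

function validateEmail(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// HTML context: encode the characters an HTML parser cares about, nothing else.
function forHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: no string escaping at all; the value travels as a bound parameter.
function lookupByGamertag(PDO $db, string $gamertag): array {
    $stmt = $db->prepare('SELECT gamertag, email FROM requests WHERE gamertag = :tag');
    $stmt->execute([':tag' => $gamertag]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Returns the user-facing errors for one submission; an empty list means valid.
function validateSubmission(array $post): array {
    $errors = [];
    if (!validateGamertag($post['gamertag'] ?? '')) { $errors[] = 'Gamertag is invalid.'; }
    if (!validateEmail($post['email'] ?? ''))       { $errors[] = 'Email is invalid.'; }
    return $errors;
}

// Constructed sample submissions standing in for $_POST.
$good = ['gamertag' => 'Master Chief', 'email' => 'chief@example.com'];
$bad  = ['gamertag' => "Chief' OR 1=1 --", 'email' => '<b>not an address</b>'];
foreach ([$good, $bad] as $post) {
    $errors = validateSubmission($post);
    // Whatever reaches the page, valid or not, is escaped for the HTML it lands in.
    foreach ($errors as $e) { echo '<li>' . forHtml($e) . '</li>', PHP_EOL; }
    if (!$errors) { echo '<p>Request for ' . forHtml($post['gamertag']) . ' received.</p>', PHP_EOL; }
}

// In-memory SQLite stands in for the real database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE requests (gamertag TEXT, email TEXT)');
$db->prepare('INSERT INTO requests VALUES (?, ?)')->execute([$good['gamertag'], $good['email']]);
var_dump(count(lookupByGamertag($db, $bad['gamertag']))); // the quote is just data, no row matches
```

Note that the rejected gamertag never reaches the query in normal flow; the final lookup runs it through the bound parameter only to show that the SQL layer does not depend on the validation layer having caught it.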

telling someone how much they suck at coding it just isn't professional at all to me.

 

That's the karma train coming for you.  I'm sorry but you were all over me telling me how much my stuff sucked on the first page.

 

And I hear what you're all saying.  I do know a lot about PHP validation, I just haven't done JavaScript in so long that I'm a little (read, a LOT) rusty.  I didn't even know what XSS is.  One point I wanted to make clear is that I WILL (when I get around to working on this again, I'm a man of many, MANY interests) be implementing PHP validation that will not allow submission of the form if all the required information is filled in.  The following fields MUST be put in:

 

Gamertag

Film

Email

Accept Price

Accept ToS

 

For now those are the ones I'm requiring.  I'll probably (read, will) do checks on all of them to make sure no one modified the code to, say, submit it without selecting a resolution or format, but I wanted to reiterate, these first steps were a combination of Javascript validation and making it look pretty to the end user.  Like I said I do one step at a time and I finished the really hard stuff on this step (which was retrieving the information from the offsite page, parsing it to get what I wanted and displaying it on the page using AJAX [trust me, that was a LOT harder than it seems, I thought it'd be easy too]), I went and made it look a little more appealing.

 

I might consider switching to divs later, I don't know, but tables work regardless of what they're meant for, they work for this, and well.

 

Thank you all for your replies, I will take them all into consideration when I start work on this again and I'll post when I have more to show!

Well I'd hope it'd be secure from SQL injections...seeing as I'm not inserting anything into the database :/

 

And I've built a complete GetFileshare class that will grab the fileshare of any gamertag supplied and display either screenshots, films, maps, or gametypes.  Unfortunately, I can't post it here since it'll be considered advertising.  Darn.

