[nycphp-talk] Promote Secure Coding
Gary Mort
garyamort at gmail.com
Wed May 21 13:43:30 EDT 2014
On 05/21/2014 01:22 PM, David Krings wrote:
> On 5/21/2014 11:09 AM, Gary Mort wrote:
>> $name = $_GET['name'];
>> $get = function($varName) {
>> return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); }
>>
>> These 2 lines create a function to remove any HTML tags from a query
>> string variable and return it.
>
> First of all, thanks for the explanation. But what would one do if the
> string is supposed to contain HTML tags? Just because we want to
> remove HTML tags from some input we might not want to remove it from
> all input. Also, maybe we want to employ different types of filters?
My target is a simple cut and paste for tutorials and teaching PHP,
where FILTER_SANITIZE_STRING is sufficient for most use cases [i.e. echo
"Hello $name" where $name comes from a query variable].
Personally, I don't think tutorials should EVER use super global
variables. They should instead have written:
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);
However, there are lots of books already written, and lots of people who
are simply cutting and pasting from those books and tutorials and then
modifying to suit their needs.
So my goal is a simple "before you begin, always use this instead of
$_GET". I think it would probably be best to make sure the explanation
is actually on a separate page, i.e. most new programmers don't know or
care how PHP creates the $_GET superglobal, so they're just as unlikely
to care about why I'm using closures or how filter_input works. Instead
they can simply use $get as a 'magic function' to make their code more
secure.
I resisted mightily the desire to expound on why I used FIXME: it's a
commonly used string tag, and all programming IDEs will automatically
provide a list of all FIXME notes in the code [PHPStorm, for example,
defaults to prompting me if I try to commit code to git with TODO and
FIXME notes in it].
>
> Maybe the right thing in a tutorial is to first demo $name =
> $_GET['name']; and then explain why using input_filter is a good idea
> and which other filter options there are, such as first sanitizing for
> email and then checking for a valid email address format (that is
> neat!). Cleaning or filtering input is a second step.
Yes, I agree. A tutorial should always go into filtering input at the
same time it introduces retrieving input. What sparked my code here
though was discovering that Zend published a long, detailed PHP101
article this year... and they don't bother to discuss filtering input
until long after retrieving input and placing it into a database.
So for the lazy writer who doesn't want to go into it, they can give
their readers 4 lines of code to make things a little better.
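As an added example (not code from either poster), here is the $get helper extended with a selectable filter, covering the three cases raised in this exchange: the tag-stripping default, a field that must keep its HTML, and the sanitize-then-validate email flow. The $makeGet factory and the $sample array are assumptions introduced so the script runs from the command line; in a real request the closure would call filter_input(INPUT_GET, ...) instead of filter_var over $sample.

```php
<?php
// Constructed sample standing in for $_GET, e.g.
// ?name=<b>Bob</b><script>alert(1)</script>&email=%20bob@example.com%20&age=abc
$sample = [
    'name'  => '<b>Bob</b><script>alert(1)</script>',
    'email' => ' bob@example.com ',
    'age'   => 'abc',
];

// Builds a reader over one input source (hypothetical helper). Defaults to
// FILTER_SANITIZE_STRING so the one-liner from the post still works; any other
// filter can be passed where tag stripping is wrong or not enough.
$makeGet = function (array $source) {
    return function ($varName, $filter = FILTER_SANITIZE_STRING, $options = 0) use ($source) {
        if (!array_key_exists($varName, $source)) {
            return null; // mirrors filter_input(): NULL when the variable is absent
        }
        // In a live request this line would be:
        // return filter_input(INPUT_GET, $varName, $filter, $options);
        return filter_var($source[$varName], $filter, $options);
    };
};
$get = $makeGet($sample);

// 1. Tag stripping, as in the original post:
//    "<b>Bob</b><script>alert(1)</script>" becomes "Bobalert(1)"
$name = $get('name');

// 2. A value that must keep its markup: take it raw and escape at output
//    time instead, which is what actually protects the HTML page.
$raw  = $get('name', FILTER_UNSAFE_RAW);
$safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

// 3. Sanitize for email, then validate the format: the two-step flow from
//    the reply. The sanitizer drops the surrounding spaces; the validator
//    returns false if what is left is still not an address.
$email      = $get('email', FILTER_SANITIZE_EMAIL);
$validEmail = filter_var($email, FILTER_VALIDATE_EMAIL);

// 4. A numeric field: a validate filter returns false ("abc") rather than a
//    "cleaned" string, so the caller has to handle the failure explicitly.
$age = $get('age', FILTER_VALIDATE_INT);

printf("name: %s\nsafe html: %s\nemail: %s\nage: %s\n",
    $name, $safe, var_export($validEmail, true), var_export($age, true));
```

PHP 8.1 deprecated FILTER_SANITIZE_STRING, so on current PHP the closure's default should be FILTER_UNSAFE_RAW with htmlspecialchars() applied at output, as in case 2. Stripping tags on input was never a substitute for escaping on output; it only limits what a careless echo can do.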