How do YOU initialize the form variables?
#1 Guest, 06-02-2007, 08:56 PM

Hello,
If I have an HTML form with input, example:

username
lastname
mobile
... and so on ...

Example simple initialization:
// POST
$username = $_POST['username'];
$lastname = $_POST['lastname'];
$mobile = $_POST['mobile'];

What is the most popular method for making PHP initialize the many variables on that form? I'm looking to get an understanding of 95% of the possible ways developers are initializing their php variables from a form post. How do YOU initialize the form variables?

If you prefer to post your reply direct to info @ phpyellow.com instead of this list, or both, I am happy to receive your comment.

Sincerely,
Rob
http://phpyellow.com
   

Re: [PHP] How do YOU initialize the form variables?
#2 Robert Cummings, 06-02-2007, 08:56 PM

On Thu, 2007-05-31 at 10:57 -0700, EMAIL REMOVED wrote:
> Hello,
> If I have an HTML form with input, example:
>
> username
> lastname
> mobile
> .. and so on ...
>
> Example simple initialization:
> // POST
> $username = $_POST['username'];
> $lastname = $_POST['lastname'];
> $mobile = $_POST['mobile'];
>
> What is the most popular method for making PHP initialize the many variables on that form? I'm looking to get an understanding of 95% of the possible ways developers are initializing their php variables from a form post. How do YOU initialize the form variables?


I use a form engine. It accepts a default values configuration and does
all the grunt work for me... first time population of form values,
rendering of form elements, application of any registered
pre-process/validation/post-process/finalization handlers which can
apply to individual fields or the entire form itself, repopulation of
form data in the case of an error, etc etc.

The only low-level form work I do is when I add new widgets or extend
an existing widget for a specific project need.

Cheers,
Rob.
--
..------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
   
Re: [PHP] How do YOU initialize the form variables?
#3 Richard Lynch, 06-02-2007, 08:56 PM

On Thu, May 31, 2007 12:57 pm, EMAIL REMOVED wrote:
> username
> lastname
> mobile
> .. and so on ...
>
> Example simple initialization:
> // POST
> $username = $_POST['username'];
> $lastname = $_POST['lastname'];
> $mobile = $_POST['mobile'];


I personally go with:

<?php
$username = isset($_POST['username']) ? $_POST['username'] : '';
$username_html = htmlentities($username);
?>
<input name="username" value="<?php echo $username_html?>" />

I dunno that you want to go with what 95% of people go with -- There's
a LOT of bad scripts out there...

Maybe you should be looking at the best 5% of PHP coders, and see how
they do it instead. :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
   
Re: How do YOU initialize the form variables?
#4 Obsidian, 06-02-2007, 08:56 PM

When there is a great list of variables to assign through $_POST, I
like to create an array of the keys I want and loop through them
dynamically:

Code:
<?php
$keys = array('fname', 'lname', 'address1');
foreach ($keys as $k) {
    // creates $fname, $lname, $address1 from the matching $_POST keys
    ${$k} = $_POST[$k];
    // If the items are being created for a database query, be sure to
    // escape them, too:
    // ${$k} = mysql_real_escape_string($_POST[$k]);
}
?>
Hope this helps

   
Re: [PHP] How do YOU initialize the form variables?
#5 Richard Lynch, 06-02-2007, 08:56 PM

On Thu, May 31, 2007 5:39 pm, EMAIL REMOVED wrote:
> Thank you. Will use of your initialization method protect one from sql
> injection? It isn't clear from reading this:
>
> http://ca.php.net/htmlentities
>
> ???


htmlentities has absolutely ZERO protection against SQL Injection.

None. Nada. Zip. Zilch.

It only "protects", if that, against XSS attack, in that it converts
any funky character into its HTML Entity to be rendered as "data" in
the browser, rather than as a "code" (where "code" means JavaScript
and/or HTML).

A clever XSS attacker might craft a string that after htmlentities
turns into Bad Things, but it's a bit tougher.

In fact, if I understood Rasmus' keynote at the php|tek correctly, an
HTML-entity of &#39 is actually a valid apostrophe in JS, so that:

var foo = 'This is an XSS attack'
is actually VALID JavaScript code!
[shudder]

Which means that htmlentities won't always be "enough" to protect
against XSS attacks, I don't think...

But it was early in the morning for me, and I was freaking out about
the dang microphone (grrr!) so wasn't 100% focused on what he was
saying...

Anyway, if the incoming data is also bound for SQL, as well as for
output to the browser, I might also do like this at the top:

$messages = array();
require 'connect.inc'; //sets up $connection
$username = isset($_POST['username']) ? $_POST['username'] : '';
$username_html = htmlentities($username);
$username_sql = mysql_real_escape_string($username, $connection);

//validate username:
//the code to put here is CUSTOM
//it depends on YOUR business needs for a username
//that, in turn, depends on YOUR potential user base
//beware any kind of "generic" code for this
//it might be "close" to what you want
//but it will rarely really really be what you want...
//That said, here are some tests you might consider modifying:

$valid = true;
if (!strlen($username)){
//this probably is always gonna need to be there...
$messages[] = "Username cannot be blank";
$valid = false;
}
if (!ctype_graph($username)){
//maybe you WANT to allow control characters in your username?
$messages[] = "Username cannot contain \"invisible\" characters or whitespace";
$valid = false;
}
if (preg_match('|^[a-z]*$|i', $username)){
//all alpha usernames are usually not so good...
$messages[] = "Username must contain at least one character that's not A to Z";
$valid = false;
}
if (preg_match('|^[0-9]*$|', $username)){
//all digit usernames are probably also not so good...
$messages[] = "Username cannot be only digits 0-9. Add at least one A-Z character.";
$valid = false;
}
//is_dictionary_word() is not a PHP built-in; you would write it yourself
//against a word list
if (is_dictionary_word($username)){
//perhaps more appropriate for a password in general
//but on higher-level security systems
//even a username shouldn't be in Websters' dictionary
$messages[] = "Username must not be a single dictionary word. Consider using two unrelated words.";
$valid = false;
//NOTE: Websters' 2nd Edition is available in Public Domain
//and is often available as rpm/package
//quite handy to check for this kind of stuff
}

You could, of course, go on at length in this way, and even more so
for passwords.

But once you reach this point, if $valid is still true, you have an
SQL-injection safe username in $username_sql, so use that in the
queries.

$query = "select user_id from user where username = '$username_sql' ";

Use the HTML one for HTML:

<input name="username" value="<?php echo $username_html?>" />


NOTE: The "filter" extension available since (??? 5.2.2 ???) looks
like it will make this all a LOT easier.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
   
ZIP it :o)
#6 Auto-Deppe, C. Haensel, 06-02-2007, 08:56 PM
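The two ideas in Obsidian's and Richard's replies (a list of expected keys, and one separately-prepared value per output context) put together in one runnable script. This is an added example, not code from any post in the thread; it keeps the values in an array instead of variable variables, and substitutes a PDO prepared statement (assuming the pdo_sqlite extension) for the mysql_real_escape_string() step.

```php
<?php
// Added example, not from any post in this thread. Obsidian's loop over
// expected keys plus Richard's one-value-per-context idea, values kept in
// an array rather than variable variables, and a PDO prepared statement
// (assumes pdo_sqlite) swapped in for mysql_real_escape_string.

// Default every expected field to '' and ignore keys the form does not define.
function initForm(array $post, array $fields): array
{
    $form = [];
    foreach ($fields as $name) {
        $form[$name] = isset($post[$name]) && is_string($post[$name])
            ? trim($post[$name]) : '';
    }
    return $form;
}

// Rules modelled on Richard's list; an empty result means "valid".
function validateUsername(string $username): array
{
    $messages = [];
    if ($username === '') {
        $messages[] = 'Username cannot be blank';
    } elseif (!ctype_graph($username)) {
        $messages[] = 'Username cannot contain invisible characters or whitespace';
    } elseif (preg_match('/^[a-z]+$/i', $username)) {
        $messages[] = "Username must contain at least one character that's not A to Z";
    } elseif (preg_match('/^[0-9]+$/', $username)) {
        $messages[] = 'Username cannot be only digits 0-9. Add at least one A-Z character.';
    }
    return $messages;
}

// Constructed sample input standing in for $_POST.
$post = ['username' => "bob'--", 'lastname' => 'Smith', 'stray' => 'ignored'];
$form = initForm($post, ['username', 'lastname', 'mobile']);
$messages = validateUsername($form['username']);

// HTML context: escape once, at output time, for this context only.
$usernameHtml = htmlspecialchars($form['username'], ENT_QUOTES, 'UTF-8');
echo '<input name="username" value="' . $usernameHtml . '" />', PHP_EOL;

// SQL context: bind the raw value; quote and comment characters stay data.
if (!$messages) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, username TEXT)');
    $stmt = $pdo->prepare('SELECT user_id FROM user WHERE username = :u');
    $stmt->execute([':u' => $form['username']]);
    var_dump($stmt->fetchColumn()); // bool(false): no such row, no injection
}
```

The same raw value is never reused across contexts: the HTML-escaped copy only goes into the attribute, and the database sees the original string through the bound parameter.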

Morning guys,

I have been trying to find an easy to use way to zip an archive on a linux
box running PHP5. Now I've tried the zip-lib.php and others, but they always
throw an error msg.... But that is not the question.

I am looking to use exec("zip archive.zip $directory"); $directory has been
tried with both full path and relative path ... but that doesn't work. I
don't get an error, it just doesn't create the zip-file...

So, after a day of Google-ing and trying, I thought I might ask you for
help.

Cheers for any answers and hints.

Regards,

Chris
   