comanage-dev - Re: [comanage-dev] Sanitize:: filtering (CO-667)
- From: Benn Oshrin <>
- Subject: Re: [comanage-dev] Sanitize:: filtering (CO-667)
- Date: Thu, 09 Jul 2015 23:09:47 -0400
This generally sounds good. You should write up the approach in the
Developers Manual.
Re Sanitize::escape, if we need to filter data passed into SQL
statements (mostly Cake does this automatically), the approach I used in
Meta.php is probably best. It uses the database driver's escaping, as
implemented by Cake.
https://github.com/Internet2/comanage-registry/blob/develop/app/Model/Meta.php
It's probably also worth verifying that Sanitize (or its replacement) is
actually used everywhere it's needed.
Thanks,
-Benn-
On 7/9/15 3:48 PM, Arlen Johnson wrote:
> Unless anyone disagrees, I'm going to start using the php standard
> filtering (see http://php.net/manual/en/book.filter.php) when we need to
> add user generated output to the Views -- as part of that, I can begin
> replacing the Sanitize:: filters when I run across them.
>
> This relates to ticket https://bugs.internet2.edu/jira/browse/CO-667
>
> Currently, there are 414 references to "Sanitize::" inside app/ (480 if
> you include everything).
>
> The mappings from CakePHP Sanitize to php filters depend largely on the
> options passed to Sanitize, but a rough mapping is as follows:
>
> * Sanitize::paranoid = FILTER_SANITIZE_FULL_SPECIAL_CHARS (or
> FILTER_SANITIZE_STRING depending on need).
>
> * Sanitize::html = FILTER_SANITIZE_STRING with options to strip or
> encode special characters, as needed
>
> * Sanitize::escape -- this is used 6 times, mostly for escaping SQL.
> There are a number of approaches, though the best are mostly
> database dependent. One approach is FILTER_SANITIZE_MAGIC_QUOTES
> (which essentially applies addslashes()). Not sure if we can use
> prepared statements where these are in use.
>
> There is also Sanitize::clean, but we're not using it in app/
>
> If it is desired, I could march through all instances of Sanitize
> (except Sanitize::escape) and replace them, rather than take a piecemeal
> approach. I defer the Sanitize::escape to those of a more back-end dev
> leaning. (-:
>
> Arlen
>
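As an added example (not part of the thread and not COmanage Registry's own code), the rough mapping above written out in PHP: filter_var() for user-generated values going into Views, and a bound parameter in place of Sanitize::escape for SQL. The function names and the sample `people` table are constructed for illustration.

```php
<?php
// Added example, not code from COmanage Registry. Function names and the
// sample table are constructed for illustration.

// Replacement for Sanitize::paranoid / Sanitize::html when a value is
// rendered into HTML text or an attribute: encode rather than strip, so
// the stored value is displayed faithfully. FILTER_SANITIZE_FULL_SPECIAL_CHARS
// behaves like htmlspecialchars() with ENT_QUOTES, so ' " < > & are encoded.
function escapeForView(string $value): string
{
    return filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Replacement for Sanitize::html with the strip option: drop markup, then
// still encode what remains. FILTER_SANITIZE_STRING also strips tags but
// is deprecated as of PHP 8.1, so strip_tags() is the durable choice.
function stripForView(string $value): string
{
    return htmlspecialchars(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Replacement for Sanitize::escape on the SQL side: bind the value as a
// parameter so the database driver handles quoting. addslashes()-style
// filtering (FILTER_SANITIZE_MAGIC_QUOTES, removed in PHP 8.0) is not
// driver-aware and still leaves the value inside the query text.
function findPeopleByGiven(PDO $db, string $given): array
{
    $stmt = $db->prepare('SELECT id, given FROM people WHERE given = :given');
    $stmt->execute([':given' => $given]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained run against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, given TEXT)');
$db->prepare('INSERT INTO people (given) VALUES (:g)')->execute([':g' => "O'Neil"]);

$raw = "<b>O'Neil</b> & \"friends\"";
echo escapeForView($raw), "\n";  // tags and quotes encoded, nothing dropped
echo stripForView($raw), "\n";   // tags removed, remaining quotes encoded
// The apostrophe travels as bound data, so the row matches without any
// manual escaping of the value.
var_dump(findPeopleByGiven($db, "O'Neil"));
```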