
comanage-dev - Re: [comanage-dev] Sanitize:: filtering (CO-667)

Subject: COmanage Developers List


Re: [comanage-dev] Sanitize:: filtering (CO-667)


  • From: Benn Oshrin <>
  • To:
  • Subject: Re: [comanage-dev] Sanitize:: filtering (CO-667)
  • Date: Thu, 09 Jul 2015 23:09:47 -0400

This generally sounds good. You should write up the approach in the
Developers Manual.

Re Sanitize::escape, if we need to filter data passed into SQL
statements (mostly Cake does this automatically), the approach I used in
Meta.php is probably best. It uses the database driver's escaping, as
implemented by Cake.


https://github.com/Internet2/comanage-registry/blob/develop/app/Model/Meta.php

It's probably also worth verifying that Sanitize (or its replacement) is
actually used everywhere it's needed.

Thanks,

-Benn-

On 7/9/15 3:48 PM, Arlen Johnson wrote:
> Unless anyone disagrees, I'm going to start using the php standard
> filtering (see http://php.net/manual/en/book.filter.php) when we need to
> add user generated output to the Views -- as part of that, I can begin
> replacing the Sanitize:: filters when I run across them.
>
> This relates to ticket https://bugs.internet2.edu/jira/browse/CO-667
>
> Currently, there are 414 references to "Sanitize::" inside app/ (480 if
> you include everything).
>
> The mappings from CakePHP Sanitize to php filters depend largely on the
> options passed to Sanitize, but a rough mapping is as follows:
>
> * Sanitize::paranoid = FILTER_SANITIZE_FULL_SPECIAL_CHARS (or
> FILTER_SANITIZE_STRING depending on need).
>
> * Sanitize::html = FILTER_SANITIZE_STRING with options to strip or
> encode special characters, as needed
>
> * Sanitize::escape -- this is used 6 times, mostly for escaping SQL.
> There are a number of approaches, though the best are mostly
> database dependent. One approach is FILTER_SANITIZE_MAGIC_QUOTES
> (which essentially applies addslashes()). Not sure if we can use
> prepared statements where these are in use.
>
> There is also Sanitize::clean, but we're not using it in app/
>
> If it is desired, I could march through all instances of Sanitize
> (except Sanitize::escape) and replace them, rather than take a piecemeal
> approach. I defer the Sanitize::escape to those of a more back-end dev
> leaning. (-:
>
> Arlen
>
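As an added illustration (not code from this thread or from COmanage Registry), the two replacements under discussion in one PHP script: the filter extension for values echoed into a View, and parameter binding in place of addslashes()-style quoting for SQL. The table, the sample input and the in-memory SQLite connection are constructed for the example.

```php
<?php
// Added example, not COmanage Registry code. Shows the two replacements the
// thread discusses: PHP's filter extension for values rendered in a View,
// and parameter binding (driver-side escaping) instead of addslashes()-style
// quoting for SQL. Table and sample data are constructed for this example.

// Replacement for Sanitize::paranoid / Sanitize::html where the value is
// about to be rendered in HTML: encode every special character so the
// browser treats it as text, not markup. FILTER_SANITIZE_FULL_SPECIAL_CHARS
// is equivalent to htmlspecialchars() with ENT_QUOTES.
function escapeForView(string $value): string
{
    return filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Replacement for a Sanitize:: call whose intent was to drop tags rather
// than encode them. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so
// strip_tags() followed by encoding is the durable form.
function stripTagsForView(string $value): string
{
    return htmlspecialchars(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Replacement for Sanitize::escape on SQL input: FILTER_SANITIZE_MAGIC_QUOTES
// (addslashes) was removed in PHP 8.0 and was never charset-aware. Binding
// the value keeps it out of the SQL text, so no quoting rules apply at all.
function findPersonByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM example_people WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that is hostile in both the HTML and the SQL context.
$userInput = "<script>alert('x')</script> O'Brien & Sons";

echo escapeForView($userInput), PHP_EOL;
echo stripTagsForView($userInput), PHP_EOL;

// In-memory SQLite stands in for the registry database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE example_people (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->prepare('INSERT INTO example_people (name) VALUES (:n)')
    ->execute([':n' => $userInput]);

// The apostrophe and angle brackets travel as data, so the row is found
// without any escaping having been applied by application code.
var_dump(findPersonByName($pdo, $userInput));
```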



Archive powered by MHonArc 2.6.16.
