A fairly substantial set of questions - here is some experience based on 1.1.12:

When to sanitize?
I always sanitize input before validation for two reasons: 1) Some validation routines (e.g. unique) use the input in the DB; 2) If the input does get changed by the sanitization it may become invalidated (e.g. where you have multiple rules).

Sanitization and passwords.
A good question about passwords - I use one of the advanced validation routines from the bakery and always ask for a confirmation of the password. The actual password field is sanitized and the confirmation field is not; the two are then compared. On top of that you should be explicit about what characters are allowed and what are not.

Does the DB layer deal with slashes/quotes?
I think (and I'm sure others will correct me if required) that if you use any method to interact with the DB other than query then addslashes is done for you.

cleanArray vs HTML
I'm not too sure here either as I haven't used HTML. The important thing is not to rely on cleanArray as your sole method of sanitization for input data - I don't think it protects against XSS (try <script>alert(document.cookie)</script> and see what happens; thanks to 4e4en for pointing that out to me). I found that cleanArray was really compelling because it is recursive whereas paranoid cleans one string at a time. I recently came across a component in the cakeforge (http://cakeforge.org/snippet/download.php?type=snippet&id=222) that acts as a wrapper for sanitize and allows you to do recursive paranoid calls. But the way it is set up you cannot pass arrays of allowed characters to the paranoid function.

Additionally I feel that whitelists of allowed characters for a given input are really part of the model in an MVC construct. My current solution to validation was to create a protected array in each model describing for each input any allowed characters and to use the beforeValidate callback to sanitize data - I have put a code snippet in http://pastebin.co.uk/11051 to try to explain this better.
Hope to see some good discussion around best practices for sanitization/validation.

Cheers,
ianh
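The per-model whitelist idea described at the end of the post, written out as an added example in CakePHP 1.1 style (this is not ianh's pastebin snippet): it assumes the CakePHP 1.x Sanitize::paranoid($string, $allowed) method, which strips everything except [A-Za-z0-9] and the characters in $allowed, and the field names and allowed characters are made up for illustration.

```php
<?php
// Added example: a model that keeps a whitelist of extra allowed characters
// per field and applies Sanitize::paranoid() in beforeValidate(), so that
// validation rules such as "unique" (which query the DB) only ever see the
// cleaned values. Assumption: CakePHP 1.1 Sanitize::paranoid($string, $allowed)
// removes every character outside [A-Za-z0-9] plus those listed in $allowed.
uses('sanitize');

class User extends AppModel {
    var $name = 'User';

    // Characters permitted in addition to [A-Za-z0-9], per field (made up
    // values). Fields not listed here are left untouched; that is how the
    // password confirmation stays unsanitized so it can be compared later.
    // Note that '<', '>', '(' and ')' are never allowed, so a value such as
    // <script>alert(document.cookie)</script> is reduced to plain letters.
    var $allowedChars = array(
        'username' => array('_', '-', '.'),
        'email'    => array('@', '.', '_', '-', '+'),
        'password' => array('_', '-', '.', '!', '?', '$', '%', '&'),
    );

    var $validate = array(
        'username' => VALID_NOT_EMPTY,
        'email'    => VALID_EMAIL,
    );

    // Runs before the $validate rules are checked. Only whitelisted fields
    // that are actually present in the submitted data are rewritten.
    function beforeValidate() {
        if (empty($this->data[$this->name])) {
            return true;
        }
        foreach ($this->allowedChars as $field => $allowed) {
            if (isset($this->data[$this->name][$field])) {
                $this->data[$this->name][$field] = Sanitize::paranoid(
                    $this->data[$this->name][$field], $allowed
                );
            }
        }
        return true;
    }
}
?>
```

Because the whitelist lives on the model rather than in a controller or component, every save path through this model gets the same sanitization, and the per-field rules are visible next to the validation rules they protect.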