[geeklog-devtalk] geeklog-devel digest, Vol 1 #284 - 3 msgs
geeklog-devel-request at lists.geeklog.net
geeklog-devel-request at lists.geeklog.net
Wed Mar 3 13:00:02 EST 2004
Send geeklog-devel mailing list submissions to
geeklog-devel at lists.geeklog.net
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.geeklog.net/listinfo/geeklog-devel
or, via email, send a message with subject or body 'help' to
geeklog-devel-request at lists.geeklog.net
You can reach the person managing the list at
geeklog-devel-admin at lists.geeklog.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of geeklog-devel digest..."
Today's Topics:
1. resolution to an ODD CSS issue (Blaine Lang)
2. Re: [geeklog-devtalk] Variable best practices (Tony Bibbs)
3. Re: Re: [geeklog-devtalk] Variable best practices (Blaine Lang)
--__--__--
Message: 1
From: "Blaine Lang" <geeklog at langfamily.ca>
To: <geeklog-devel at lists.geeklog.net>
Date: Wed, 3 Mar 2004 00:04:55 -0500
Subject: [geeklog-devel] resolution to an ODD CSS issue
Reply-To: geeklog-devel at lists.geeklog.net
While developing a CSS menu, I was having a real problem trying to get rid of a spacing issue that IE 6 was having.
My problem went away after adding the URI to the doctype specification in header.thtml for the XSilver theme.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
My problem actually goes away by just adding "http://www.w3.org".
Apparently with no URI present, IE 6 falls into "quirky" mode and was not interpreting the CSS correctly.
I am still learning CSS and SGML so maybe others want to comment on this and if we should be declaring the URI in the theme header.thtml files.
I was using XSilver but it appears all the themes are the same.
This is an MS document that provides more information.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnie60/html/cssenhancements.asp
Blaine
--__--__--
Message: 2
Date: Wed, 03 Mar 2004 09:12:41 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: geeklog-devel at lists.geeklog.net
Subject: [geeklog-devel] Re: [geeklog-devtalk] Variable best practices
Reply-To: geeklog-devel at lists.geeklog.net
Knowing that there have been security issues with anything prior to 4.2
(and, indeed, after), I don't think it is a stretch to have Geeklog
require 4.1 or better. In fact, we should probably have a rule that
Geeklog will support so many revisions behind the most current. I mean,
seriously, should we be concerned with people who are still using
pre-4.1 (hell, the 5.0 launch isn't all that far away)? I think
not....simply because I can't fathom that many people out there with
that old of a version. Sure, that means you have some inconsistent code
(i.e. some that can handle no register_globals and some that can) but to
me that at least introduces the ability to start making the switch and,
at the very least, encourages good coding habits.
As you can tell, I have an opinion. I say ditch pre-4.1 support and
let's start using $_REQUEST, $_GET, $_POST and be happy. I, of course,
could be swayed if there is enough uproar to convince me pre-4.1 support
is needed.
Thoughts?
--Tony
Blaine Lang wrote:
> Maybe, I can only receive emails on this list ;)
>
> Another suggestion where this function would be helpful is in say .....
> admin/topic.php -- I believe $tid and $topic are variables that are
> passed as GET or POST vars.
>
> You need to check for both, POST is higher in precedence, and if not set,
> set it to '';
>
> Just a thought -- I'll stop sharing now.
>
> ----- Original Message -----
> *From:* Blaine Lang <mailto:geeklog at langfamily.ca>
> *To:* geeklog-devtalk at lists.geeklog.net
> <mailto:geeklog-devtalk at lists.geeklog.net>
> *Sent:* Sunday, February 29, 2004 1:19 PM
> *Subject:* Re: [geeklog-devtalk] Variable best practices
>
> I've been wanting to address this issue for a while and have come up
> with the following function.
>
> It will filter either GET, POST or both (as in my need noted below -
> but look for POST first).
> It will apply the data filter - default mode for now.
> It will also optionally create GLOBALS out of the variables. This
> could be used to remove a dependency on Register_globals.
>
> Example use:
>
> $myvars = array('op','profileid','memberid');
> getdata($myvars,true);
>
> or
>
> $formvars = array('profile_name','member_num', 'member_addr',
> 'member_city', 'member_phone');
> $formdata = array();
> $formdata = getdata($formvars, false, 'POST');
>
> << code begin >>
>
> function getdata($vars, $setglobal = false, $type = '') {
>     $return_data = array();
>
>     // Set up a common reference to the SuperGlobal array that is needed
>     if ($type == 'GET' || $type == 'POST') {
>         if ($type == 'GET') { $SG_Array =& $_GET; }
>         if ($type == 'POST') { $SG_Array =& $_POST; }
>
>         // Loop through the SuperGlobal array and grab the data for the
>         // allowed fields, if found
>         foreach ($vars as $key) {
>             if (array_key_exists($key, $SG_Array)) {
>                 $return_data[$key] = $SG_Array[$key];
>             }
>         }
>     } else {
>         // No type given: check POST first, then fall back to GET
>         foreach ($vars as $key) {
>             if (array_key_exists($key, $_POST)) {
>                 $return_data[$key] = $_POST[$key];
>             } elseif (array_key_exists($key, $_GET)) {
>                 $return_data[$key] = $_GET[$key];
>             }
>         }
>     }
>
>     // Loop through the $vars array and apply the filter; a variable that
>     // was not passed at all is set to '' so every allowed key is defined
>     foreach ($vars as $key) {
>         if (!isset($return_data[$key])) {
>             $return_data[$key] = '';
>         }
>         $return_data[$key] = COM_applyFilter($return_data[$key]);
>     }
>
>     // Optionally define the variables in $GLOBALS, or return the array
>     if ($setglobal) {
>         foreach ($return_data as $key => $value) {
>             $GLOBALS[$key] = $value;
>         }
>     } else {
>         return $return_data;
>     }
> }
>
>
>
> ----- Original Message -----
> *From:* Blaine Lang <mailto:geeklog at langfamily.ca>
> *To:* geeklog-devtalk at lists.geeklog.net
> <mailto:geeklog-devtalk at lists.geeklog.net>
> *Sent:* Sunday, February 29, 2004 10:19 AM
> *Subject:* [geeklog-devtalk] Variable best practices
>
> As a practice, I try not to have any register_globals
> dependencies. I will use the full $HTTP_POST_VARS
> and $HTTP_GET_VARS variable names. I'd like to use the other
> superglobals ($_REQUEST, $_POST and $_GET) but they are still
> dependent on PHP version 4.1 or greater. Most hosting services
> should be running by now but it can not be assumed I guess.
>
> I'm filtering all expected POST and GET vars now in my new
> plugins and there are still times it makes sense to use the same
> name in the POST and GET. It may be passed in the URL or form so
> you have to check both but I check the post first as I would use
> that first if I can post a hidden variable.
>
> Examples are:
> using $op to indicate operation. I may be triggered from a link,
> selectbox, image or button in the UI. I may also have to pass it
> to another script.
> using $page and $sort as part of the Google-like page navigation
> (links) but you also need to retain this as hidden fields in
> forms if you want to retain your page position.
>
> I don't see the reason to use different names with the get and
> post as this allows me more control. I only expect it one way or
> the other and POST should override get.
>
> Hence why I end up having all this extra code at the top of scripts:
> > if (isset($HTTP_POST_VARS['op']) ) {
> >     $op = clubApplyFilter($HTTP_POST_VARS['op']);
> > } elseif (isset($HTTP_GET_VARS['op']) ) {
> >     $op = clubApplyFilter($HTTP_GET_VARS['op']);
> > } else {
> >     $op = '';
> > }
>
> Is this how others would approach this?
>
> I was thinking if I am having to repeat this practice and common
> code, others would as well. Extending my class object to handle
> this would be an advantage.
> $myfilter = new COM_filter;
> $myfilter->_censor = true;
> $myfilter->_jsfilter = true;
> $op = $myfilter->_setvar('op', 'text');
>
> Cheers,
> Blaine
>
>
--__--__--
Message: 3
From: "Blaine Lang" <geeklog at langfamily.ca>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] Re: [geeklog-devtalk] Variable best practices
Date: Wed, 3 Mar 2004 10:59:43 -0500
Reply-To: geeklog-devel at lists.geeklog.net
Tony,
I don't disagree and using $_REQUEST would remove the need to check both GET
and POST.
I wonder though, if it is not still more secure to check for $_POST before
$_GET. I know a hacker can just as easily fake a POST request so maybe it
does not matter. As long as we are filtering out any potentially hostile
data.
I suspect our issues are mostly with users that host their sites.
That still leaves the question of feedback and using the concept I used in
this function for setting up which variables you want to filter and calling
the filter once.
It also has a mode to address the need for Register_Globals on.
Blaine
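An added example that is not code from the original posts or from Geeklog: the collect-then-filter pattern of the getdata() function above and the $_POST-before-$_GET question raised in this reply, written so that the request arrays are passed in explicitly and the precedence is fixed in code rather than by php.ini's variables_order/request_order (which also decides whether cookies are merged into $_REQUEST). The filter_by_type() helper and its type names are assumptions standing in for COM_applyFilter().

```php
<?php
// Added example, not Geeklog code: an allowlist-based collector in the
// spirit of getdata() above. POST and GET are passed in explicitly, so
// precedence (POST wins) is fixed in code rather than by php.ini's
// variables_order/request_order, and $_COOKIE never takes part as it can
// with $_REQUEST. filter_by_type() is an assumed stand-in for COM_applyFilter().

function filter_by_type($value, $type, $default) {
    if (is_array($value)) {            // an array where a scalar is expected
        return $default;
    }
    $value = trim((string) $value);
    switch ($type) {
        case 'int':                    // whole number only, e.g. $page
            return preg_match('/^-?\d+$/', $value) ? (int) $value : $default;
        case 'token':                  // short identifier, e.g. $op or $sort
            return preg_match('/^[A-Za-z0-9_]{1,32}$/', $value) ? $value : $default;
        case 'text':                   // free text with HTML neutralised
            return htmlspecialchars($value, ENT_QUOTES);
        default:                       // unknown type: never pass data through
            return $default;
    }
}

// $spec maps name => array(type, default). Names not in $spec are ignored;
// names present in neither array get their default, so every key is defined.
function collect_vars($spec, $post, $get) {
    $out = array();
    foreach ($spec as $name => $rule) {
        list($type, $default) = $rule;
        if (array_key_exists($name, $post)) {          // POST has precedence
            $out[$name] = filter_by_type($post[$name], $type, $default);
        } elseif (array_key_exists($name, $get)) {
            $out[$name] = filter_by_type($get[$name], $type, $default);
        } else {
            $out[$name] = $default;
        }
    }
    return $out;
}

// Constructed sample request (not a real capture): the form posted op and
// page; the URL also carries op and an unexpected 'debug' parameter.
$spec = array(
    'op'   => array('token', ''),
    'page' => array('int', 1),
    'sort' => array('token', 'date'),
    'q'    => array('text', ''),
);
$post = array('op' => 'save', 'page' => '3x');
$get  = array('op' => 'delete', 'sort' => 'name', 'q' => '<b>hi</b>', 'debug' => '1');
$vars = collect_vars($spec, $post, $get);
print_r($vars);
```

With the constructed request, `op` is taken from POST rather than from the URL, the malformed `page` value falls back to its default, and `debug` never reaches the script's variables.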
--__--__--
_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://lists.geeklog.net/listinfo/geeklog-devel
End of geeklog-devel Digest