IRC Archive / Freenode / #php / 2015 / August / 24 / 1
__adrian
hell, I'm never right on purpose.
story of my life.
Alphos
__adrian (and morfin and ThreeOFive93 and everyone) actually, you can still pass data using PDO::query(), as long as it's statically embedded in the query string. $pdo->query( 'SELECT * FROM users WHERE banned = 1' );// is perfectly fine for instance
the 1 in there is data already :p
__adrian
^
in a case like that, i suppose you _should_ ask whether you're doing it more than once.
Alphos
if it's interpolated, it MAY be fine too, but it should raise a red flag nonetheless
__adrian
yes
that's a code smell
Alphos
doesn't mean it's not fine. just that you need to make sure it's what you expect it to be and can't alter the DDL, and that nothing can change it from being what you expect it to be. i typically use it for integers that i know can't be anything else than integers
oh, another thing
data that comes from the database IS UNCLEAN TOO
__adrian
(i'm a little pickier than that, but) yeah, sure
Alphos
just because you picked it up from there, doesn't mean it can't harm you. stick to preparing+binding+executing when it comes to strings coming from the database
__adrian
^-- yep
this is also why you shouldn't (for example) run stuff through htmlspecialchars() _before_ you put it in the database
things like that should be done on output
meh. i think we're far enough off topic now
ThreeOFive93, progress?
Alphos
don't use a hamster wheel to fix that punctured tire on your car, don't use a car wheel to get your furry little pet some exercise
right tool for the right job
morfin
and do not allow <script in comments :D
Alphos
morfin why not?
__adrian
that's not a problem, provided you handle the output correctly.
morfin
why allow that?
__adrian
why not?
what if i want to discuss <script> tags in my comment?
Alphos
because you might want to allow your users to post some html code in their comments to answer your blogpost about html
doesn't mean you should leave them as they are, you should escape html chars appropriately
morfin
it's not very safe unless you htmlspecialchars when printing hmm
__adrian
"unless"??
why would you not do so, when printing text to an html page?
Alphos
but you definitely shouldn't prevent your users from writing whatever they want to write about
morfin
but for code usually bb codes are used like [code][/code]
__adrian
bbcode sux
Alphos
morfin considering you have to use htmlspecialchars or htmlentities EVERY TIME you're outputting in html context, the "unless" there is completely absurd
__adrian
but that doesn't answer my question :)
NanoSector
Can someone see why this doesn't work: http://pastebin.com/jyBVPNm7
morfin
they allow you to choose syntax, for example (to highlight)
NanoSector
I want a function that proceeds to the next player, wrapping around the array
morfin
ok ok
but if bb codes are used everything else is just encoded
but imagine you want to let the user use "raw" html (only some tags)
Alphos
morfin no, you don't want that, period
__adrian
what advantage does bbcode provide? people can still input html, so you still have to deal with that. and i've never seen a bbcode parser that doesn't allow bad bbcode input to screw things up in some way.
morfin
ok
Alphos
(ok, sometimes you do, but the answer is very much NOT trivial)
morfin
in the worst case you will see broken BB code i think
Alphos
been willing to write a library that would handle that, sort of a strip_tags() except better, but i'd need a few weeks of tranquillity to do all i want to do, and that's in short supply atm
__adrian
i haven't dealt with it in a long time. but, for example, you used to be able to screw up vbulletin layouts with certain mismatched tags.
morfin
hmm
__adrian
and it's even easier with home-rolled bbcode implementations
which fortunately people seem to be making less of
morfin
but what use then?
__adrian
i prefer markdown
morfin
let user learn TeX? :D
muhahah feel the pain
__adrian
nah, use wysiwyg toolbars
Alphos
yes, let your users run arbitrary TeX, see how that goes
morfin
i think that would be overkill
but could be useful on scientific forums maybe?
when i said use "raw" html i meant WYSIWYG of course
__adrian
doesn't matter, in the end. you have to treat it the same way.
morfin
and stripping unwanted tags
__adrian
<?= strip_tags("I <3 Wordpress") ?>
like so?
morfin
i mean when saving the result (if the user managed to POST directly)
around editor
__adrian
i disagree. generally speaking, you either like what you got, or you reject it.
morfin
so you suggest just say "you're posting some crap"?
__adrian
normalization notwithstanding, i don't waste time trying to "fix" things
well, if it was something they "shouldn't have been able" to do, no, i just ignore it.
morfin
but if i have an editor which has regular functionality like bold/italic/underlined/size/headers etc and i know what the user can post, why not just remove unwanted tags?
__adrian
that, i would treat as content.
morfin
ahh
__adrian
but then, liking markdown as i do, i would treat ALL html as "content".
morfin
strip_tags can remove text in case of broken tags
:D
__adrian
strip_tags is a very broken function. amusingly so, but still.
that joke (above) is the only place i ever use strip_tags()
morfin
i guess that's why Alphos wanted to create something more useful
Alphos
morfin strip_tags is a nuke you shoot with a catapult
it shreds anything that could be a tag, even an unclosed one
so you end up with non html that's missing, and every html is missing
morfin
that's very strange, why does a language like PHP not have something sane to handle HTML
Alphos
i want to be able to allow some tags, with some attributes, with some values, with some subvalues
morfin because there is nothing sane to handle html
__adrian
in fairness, html isn't terribly sane on its own.
morfin
:O
Alphos
handling html that way is actually very high-level, in terms of closeness to the metal (although it kinda is in terms of programming skill)
__adrian
e.g., what does this result in? <p>hello, <div>world!</div></p>
morfin
btw it's not fine to put a block tag in an inline one
that will show you a paragraph with Hello and world! on a new line because div is a block element hmmm
__adrian
not quite. try it. then replace <p> with <span> and compare
morfin
browser splits the paragraph
for me
__adrian
yep
until html5, there actually _wasn't_ a "correct" way to handle this.
most browsers, this will result in <p>Hello, </p><div>World</div><p></p>
rightnow|work
I need some help on some low level stuff, maybe someone can help me. I need to convert 1-100 to binary. 10 should be 19, 20 should be 33, 100 should be FF. Does this make any sense to anyone?