Form fields validation: which characters to include / exclude? [closed] - forms

A Google search gave me methods to validate form fields, but I can already construct them. My question is: which characters are safe to include and which should be excluded in a form field? Specifically, username and password.
A brief explanation would be nice too.
Thanks.

You need to exclude all characters you will never have inside your data.
Do you think it would make any sense to have special characters if your usernames/passwords must only contain alphanumeric characters?
Look at some REGEX for JAVA or for PHP.
There is a regexp reference table which could be useful too.
If you give us more information about the language you are using, we could maybe help you more.
Have a good day!
[UPDATE]
There is the security reference, which is very good, and the OWASP website, which is a real reference for any web security related topic; look at the OWASP Cheat Sheets.
Cross-Site Scripting Vulnerabilities?
For any programming language, the chars you should reject or handle properly are: > < ( ) [ ] ' " ; : / |
For PHP, tools to handle with care: strip_tags(), utf8_decode(), htmlspecialchars(), strtr()
Do positive/negative filtering.
Check encoding.
SQL Injection?
etc...
[/UPDATE]

If you properly sanitize your input and output, there's nothing you need to be afraid of.
Note: I'm assuming you're using PHP as your server-side language.
First, use PDO (or MySQLi) with prepared statements to eliminate the risk of SQL injection.
Second, anything that will be displayed on your site should be sanitized against XSS attacks (so that users don't register a username of <script>doSomeEvilStuff()</script>).
That's basically it. If you're really paranoid, you should be using a whitelist (to only allow certain characters) and not a blacklist (to only disallow certain characters), since someone will always find a way to bypass a blacklist, but no one can bypass a whitelist.
For usernames, I don't see the need for anything more than /^[a-zA-Z0-9_.\s!$%^&*\-+=]+$/ You may think otherwise. In any case, don't allow /[`<>(){}\[\]]/
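An added example, not part of the question or either answer, that puts the whitelist this answer recommends beside a blacklist built from the same answer's "never allow" characters and adds the output escaping it asks for. It is written in Python rather than PHP so the logic is language-neutral; the sample inputs and the function names are constructed for this illustration.

```python
import html
import re

# The answer's whitelist, anchored so the whole value must consist of allowed chars.
USERNAME_WHITELIST = re.compile(r"^[a-zA-Z0-9_.\s!$%^&*\-+=]+$")
# The answer's "never allow" characters, used here as a blacklist for comparison.
USERNAME_BLACKLIST = re.compile(r"[`<>(){}\[\]]")

# Constructed sample inputs: an ordinary name, the answer's XSS example, and a
# look-alike built from fullwidth angle brackets (U+FF1C / U+FF1E), which an
# ASCII blacklist does not cover but a whitelist rejects automatically.
SAMPLES = {
    "plain": "john_doe.99",
    "xss": "<script>doSomeEvilStuff()</script>",
    "lookalike": "\uff1cscript\uff1e",
}


def blacklist_accepts(username: str) -> bool:
    """Blacklist: accept unless one of the forbidden characters appears."""
    return USERNAME_BLACKLIST.search(username) is None


def whitelist_accepts(username: str) -> bool:
    """Whitelist: accept only if every character is on the allowed list."""
    return USERNAME_WHITELIST.fullmatch(username) is not None


def display_name(username: str) -> str:
    """Output encoding for HTML, the Python counterpart of PHP's htmlspecialchars():
    whatever was stored is escaped again at the point where it is rendered."""
    return html.escape(username, quote=True)


def compare_filters() -> dict:
    """Run both filters over the samples: (blacklist_accepts, whitelist_accepts)."""
    return {name: (blacklist_accepts(v), whitelist_accepts(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bl, wl) in compare_filters().items():
        print(f"{name:10s} blacklist={bl!s:5s} whitelist={wl}")
    print(display_name(SAMPLES["xss"]))
```

The "lookalike" row is the case the answer warns about: the blacklist passes it, the whitelist does not, and escaping on output covers whatever slipped through either one.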

Related

Unknown Encoding Format [closed]

My friend challenged me to figure out what encoding he used and only gave me the hint MD5 (it's not just an MD5 hash, but I'm still only learning about encryption), to which I eventually lost, but he still won't tell me what he used.
He has code that is authenticating that his encoding is genuine each time, so I was hoping I could ask someone here what encoding was used and how effective it would be for me to learn about it and use it in some of my future applications.
Here are a few samples of the string that he is using to authenticate against:
pkG5llUrdxRcfe2wYLFawQ==
Zy6mwGZ9cNk3UyHvVOqpWg==
SdG3KvuLp/902XTiSlM+NQ==
mutGi6BcdPvv/z6j1B3/KQ==
pkG5llUrdxRcfe2wYLFawQ==
FJy+7HiRVlbsjntIign+PQ==
tYa63Ko4SS9WaGMUTdSkFg==
tgVrNGfztjS8Tony9swqUw==
XrhfcKqnNlPBtH8hXswEDA==
v4H+13J+Eh1ERpsGSIHYdQ==
+AV1IoAyU8DkTv6Ry+GH+g==
If someone could tell me what these are, I would really appreciate it.
Also, as a bonus, because this clearly isn't driving me crazy enough, why are there two equal signs at the end of each encryption? Is that some sort of format, or are they there just to distract me?
EDIT: A point I would like to make is that I know the original message, but I don't understand how the one message can create unique hashes every time.
Well, it looks like raw MD5 results, base64 encoded... but really it could be anything; there is no way to know from looking at 16 bytes what produced them or whether they even make any sense.
If these are all the result of the same 74-byte message, then that most likely means HMAC-MD5 used with different keys. It's not reversible regardless.
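An added check, not from the question or the answer, that backs up the two observations above: the samples decode to 16 bytes (the size of an MD5 digest), the trailing "==" is ordinary base64 padding for a 16-byte value, and HMAC-MD5 over one fixed message yields a different 16-byte value for every key. The two samples are quoted from the question; the message and keys are constructed placeholders.

```python
import base64
import hashlib
import hmac

# First two samples quoted from the question above.
SAMPLES = ["pkG5llUrdxRcfe2wYLFawQ==", "Zy6mwGZ9cNk3UyHvVOqpWg=="]
MESSAGE = b"x" * 74                # constructed: the question mentions a 74-byte message
KEYS = [b"key-one", b"key-two"]    # constructed placeholder keys


def decoded_length(sample: str) -> int:
    """Number of raw bytes behind a base64 string."""
    return len(base64.b64decode(sample))


def padding_for(n_bytes: int) -> str:
    """The '=' padding base64 emits for a value of n_bytes bytes: base64 works on
    3-byte groups, and 16 = 3*5 + 1 leaves one byte over, hence '=='."""
    return {0: "", 1: "==", 2: "="}[n_bytes % 3]


def md5_b64(message: bytes) -> str:
    """Plain MD5, base64 encoded: the same message always gives the same string."""
    return base64.b64encode(hashlib.md5(message).digest()).decode()


def hmac_md5_b64(key: bytes, message: bytes) -> str:
    """HMAC-MD5 of the same message under a given key: a different key, a different value."""
    return base64.b64encode(hmac.new(key, message, hashlib.md5).digest()).decode()


def analyse() -> dict:
    """Collect the facts the answer relies on, for the samples and the constructed message."""
    lengths = [decoded_length(s) for s in SAMPLES]
    tags = [hmac_md5_b64(k, MESSAGE) for k in KEYS]
    return {
        "decoded_lengths": lengths,
        "padding": padding_for(lengths[0]),
        "hmac_values_differ": len(set(tags)) == len(tags),
        "hmac_differs_from_plain_md5": md5_b64(MESSAGE) not in tags,
        "hmac_ends_with_padding": all(t.endswith("==") for t in tags),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```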

Fastest Perl Template Library [closed]

What's the fastest Perl template library that allows me to do the following:
variable substitution,
loops (Hashes & Arrays),
layout (wrapper templates)
and at least some conditional logic (< > != == %).
Also, has anybody used plTenjin? The benchmarks suggest this is pretty rapid.
I recommend the Xslate template engine (http://xslate.org/); it's about 50-100 times faster than others. Please see these comparative benchmarks: http://xslate.org/benchmark.html
The engine enables the use of Template Toolkit (another template engine) compatible template tokens ('[%', '%]'), and you can use commands like INCLUDE, FOREACH, WHILE, ...
No, I didn't use plTenjin. From my experience, this looks almost like HTML::Mason minus the nice block syntax of Mason.
What site do you manage which is able to saturate any modern CPU during template processing? I don't think this would happen easily.
In most cases, there are different bottlenecks to site performance than any CPU-bound template processing.
(BTW, from what I read in the plTenjin doc, you should give HTML::Mason a try..)
Regards
rbo

Plural form of word "mutex" [closed]

What is the correct plural form of the portmanteau mutex? Is it mutexes or mutices?
From a purely linguistics point of view, the correct usage is mutexes because the word mutex is not Latin in origin. Prescriptivists would wail in anguish if mutices were to enter regular usage.
The -ices usage (e.g., the plurals of index and vertex) is falling out of favor. Indexes and vertexes are both correct usage, for example.
Let their common usage decide...
GoogleFight
Everyone knows that the correct answer is Mutii.
Mutexes. It's correct in a de facto manner: the vast majority of people (in my experience, certainly) call them mutexes, not mutices, and English is a language that's defined by use. :)
As mutex is short for "mutual exclusion", I would only imagine that "mutual exclusions" would become mutexes. Mutices would be confusing. Better to be unambiguous.
As a side note: it's not a portmanteau, or it would be a mutsion.
There's no official correct form because 'mutex' hasn't gained wide enough circulation to enter any of the major English dictionaries. Thus, the most correct term is whatever is used most by people. And I think that Google hits are a pretty good indicator of (relative) usage frequency, as great_lama has pointed out.
Other English nouns that end in -ex or -ix:
Affix
Annex
Apex
Appendix
Cervix
Circumflex
Complex
Cortex
Crucifix
Duplex
Helix
Ibex
Index
Infix
Latex
Matrix
Phoenix
Prefix
Postfix
Reflex
Remix
Suffix
Vertex
Vortex
And lots more less common words. If you look up these in the dictionary, you'll find that most of them have both plurals shown as acceptable. Several have only the -exes/-ixes form, but few or none (depending on the dictionary you use) have only the -ices form.
In conclusion, I believe mutexes to be the correct plural form of mutex.
Either/or. I've seen both (though mutexes is considerably more common).
Mutex is not in any real dictionary I know of, so there's no "official answer."
Index can be pluralized to indexes or indices, though, so it makes sense that mutex could follow suit.
Since the word apex can be pluralized as either apexes or apices, I'd say you can pronounce it either mutexes or mutices. Whatever suits you.
I think that the hysterical raisins (in this case the fact that "mutex" is a portmanteau) should not be given too much weight in resolving such issues.
Perhaps it would be more useful to consider similar words and their usage; reflex -> reflexes for example.
Or, use the simplest choice: most pluralizations in English use -s/-es (depending on whether the last letter is a perceived vowel); in this case -es.
I guess I can't see any reason to use the alternative, except as some sort of tribute to Latin, once thought to be the noblest of all languages. :)
Maybe it is like sheep? Singular and plural?

User Names and White-Spaces [closed]

In the past many years I have registered on various applications and platforms hosted online or offline.
Why are white-spaces not allowed in user names, as spaces are very natural to names and most computing systems can handle them efficiently?
(Many people can raise similar questions about other special characters which are illegal. But their case is far more understandable as they are not even natural to real world naming schemes. And surely!)
One subtle problem related to spaces in user names is that the space character is "invisible" and two consecutive spaces may look very similar to a single space. Errors that arise from entering two instead of one space can be hard to spot and this is one reason to disallow spaces all together.
Some systems may disallow spaces but still allow a non-breaking space. A smart user can use this fact to include a space in his user name.
I think in reality this is probably one of those conventions that needs to be broken. Most systems now deal with a lot of sophisticated data and are used to correctly processing text which includes spaces. I was delighted to discover that fogbugz (another plug) will accept your email address, your username or your real name, as you have entered it; as your username when you log on.
This is simply a convention that is still around from the days of 8 letter file names and probably also 8 letter user names. I would suggest you allow it in your web app and let the world follow you. :)
I imagine because some code somewhere is still processing the input as a set of space-separated parameters, much the way the Windows command prompt handles unquoted file names. For example, if you were to pass the user name to an external executable process, written in C, where the user name was passed on the command line, it would arrive in the C application as two arguments.
While this mightn't happen much in practice any more, much the same as with many special characters, I guess it's the reason why it's there.
The only reason I know of that makes any sense is that if you're parsing tokens on whitespace, putting space in a user name will cause it to fail.
However, I do agree with you: in today's environment, there's probably not a lot of reason to continue doing it, except where legacy compatibility makes sense (*nix, etc).
I think it's because generally there is a tendency to trim input field values before they are actually saved, say in a database.
Since we trim off the white spaces, if we allow them in a password or user name, you can imagine there will be a big issue if a user entered a password as "PWD ".
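An added example, not from any answer in this thread, of the normalization a system that does allow spaces needs in order to avoid the problems raised above: the double-space and non-breaking-space cases from the earlier answer, and the trimmed-password case from this one. The inputs and function names are constructed for the illustration.

```python
import unicodedata

# Constructed inputs: a double space, a non-breaking space (U+00A0), surrounding
# spaces, and the plain form they should all resolve to.
SAMPLES = ["John  Smith", "John\u00a0Smith", "  John Smith  ", "John Smith"]


def canonical_username(raw: str) -> str:
    """Fold a user name to a form in which visually identical inputs compare equal:
    NFKC maps U+00A0 and other compatibility spaces to U+0020, then leading and
    trailing whitespace is dropped and internal runs collapse to a single space.
    The stored name is this canonical form, so a second space or a non-breaking
    space cannot be used to register a look-alike of an existing name."""
    folded = unicodedata.normalize("NFKC", raw)
    return " ".join(folded.split())


def same_account(a: str, b: str) -> bool:
    """Two user names refer to the same account if their canonical forms match."""
    return canonical_username(a) == canonical_username(b)


def password_is_trim_safe(password: str) -> bool:
    """Passwords must never be trimmed; this flags one that *would* change under a
    trim so the registration form can warn the user (the "PWD " case above)."""
    return password == password.strip()


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(canonical_username(sample)))
    print("PWD  trim-safe:", password_is_trim_safe("PWD "))
```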
It prevents confusingly similar name combinations e.g. "John Smith" and "JohnSmith". It also makes it easier to automatically recognize names that appear within text.
It depends where they're going to be used. Not using spaces in unix user names makes sense for the same reason it makes sense not to use them in unix filenames - they're a pain to type at the command line. That said, unix does allow spaces in user names as well as in filenames.
I can see no reason for things like web apps not to allow spaces.
Actually the thing that annoys me most is web apps not allowing # in user names. When it's something with millions of users the chances of a name I really want being available is small, so I like to use my email address which at least is guaranteed to be unique.

What is the best code template facility for Emacs? [closed]

Particularly, what is the best snippets package out there?
Features:
easy to define new snippets (plain text, custom input with defaults)
simple navigation between predefined positions in the snippet
multiple insertion of the same custom input
accepts currently selected text as a custom input
cross-platform (Windows, Linux)
dynamically evaluated expressions (embedded code) written in a concise programming language (Perl, Python, Ruby are preferred)
nicely coexists with others packages in Emacs
Example of code template, a simple for loop in C:
for (int i = 0; i < %N%; ++i) {
_
}
It is a lot of typing for such common code. I want to invoke a code template or snippet which inserts that boilerplate code for me. Additionally it stops (on TAB or another keystroke) at %N% (my input replaces it) and the final position of the cursor is _.
TextMate's snippets is the closest match, but it is not a cross-platform solution and not for Emacs.
The second closest thing is YASnippet (the screencast shows the main capabilities). But it interferes with the hippie-expand package in my setup, and the embedded language is Emacs Lisp, which I'm not comfortable with outside .emacs.
EDIT: Posted my answer here to allow voting on YASnippet.
Personally, I've been using Dmacro for years (ftp://ftp.sgi.com/other/dmacro/dmacro.tar.gz).
Here's a review of it that also mentions some alternatives: http://linuxgazette.net/issue39/marsden.html
The EmacsWiki has a page of template engines.
Of these, I've used tempo in the (distant) past to add table support to html-helper-mode, but don't know how it has progressed in the last 15 years.
I'd add my vote for tempo snippets ... easy to setup, powerful (you can run arbitrary elisp in your template - so that you can downcase things, lookup filenames & classes, count things, etc), set the indentation, integrate with abbrevs ... I use it a lot ;)
I vote for http://cedet.sourceforge.net/srecode.shtml
It has very clean syntax and has access to code environment through Semantic.
Also it is a part of a large, well supported CEDET distribution (which was built into Emacs for the 24.x version series).
UPDATE: YASnippet is also a powerful template engine. But it uses an ugly file naming schema (your file name === template name), so you can't put several templates into a single file, and it has issues with national character sets...
You can try a lightweight solution muban.el
It is written completely in Elisp and has a very simple syntax.